Changes between Version 2 and Version 3 of AmazonWebServices


Ignore:
Timestamp:
08/12/14 09:13:19 (6 years ago)
Author:
dabantz@…
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • AmazonWebServices

    v2 v3  
    117117        <!-- map group 'cn=aws:role:role-name' to defined AWSrole attribute format --> 
    118118        <ValueMap> 
    119           <ReturnValue>arn:aws:iam::688521806680:role/oit-admin,arn:aws:iam::688521806680:saml-provider/urn:mace:incommon:alaska.edu</ReturnValue> 
    120           <SourceValue ignoreCase="true">cn=aws:688521806680:role:oit-admin,ou=group,dc=alaska,dc=edu</SourceValue> 
     119           <ReturnValue>arn:aws:iam::688521806680:role/$1,arn:aws:iam::688521806680:saml-provider/OITshibb</ReturnValue> 
     120          <SourceValue ignoreCase="true">cn=aws:688521806680:role:(.*?),ou=group,dc=alaska,dc=edu</SourceValue> 
    121121        </ValueMap> 
    122122 
     
    140140}}} 
    141141 
    142 4. An attribute release policy currently releases ONLY these required custom attributes. 
     1424. An attribute release policy currently releases ONLY these required custom attributes plus the opaque transientId used for the NameID in the subject portion of the SAML assertion. 
    143143 
    1441445. AWS apparently cannot initiate a request to the IdP, so we use "unsolicited" SSO.  The following URL initiates such a request and relays the SAML to the appropriate end point specified in the AWS metadata. 
     
    148148}}} 
    149149 
    150 As of 2014-08-06, this URL and IdP configuration generate a SAML assertion to the AWS signin page.  The AWS responds with a "500" internal server error.  DJD is working with AWS to diagnose.  
     150As of 2014-08-12, this URL and IdP configuration logs UA users into AWS and presents roles corresponding to their group memberships.