http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html
http://blogs.aws.amazon.com/security/post/TxRTTT5PLUE6B5/How-to-use-Shibboleth-for-single-sign-on-to-the-AWS-Management-Console
Following this documentation, the following has been done as of 2014-08-06:
1. AWS metadata from https://signin.aws.amazon.com/static/saml-metadata.xml added directly to sp-metadata.xml in the metadata directory of the IdP home (/opt/shibboleth-idp/metadata/).
Note that this metadata includes a certificate with indicated use of signing, but not encryption.
{{{
MIIEHjCCAwagAwIBAgIJAIjJINkOERkDMA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMSIwIAYDVQQKExlBbWF6b24gV2Vi
IFNlcnZpY2VzLCBJbmMuMR8wHQYDVQQDExZ1cm46YW1hem9uOndlYnNlcnZpY2Vz
MB4XDTE0MDMyNDIwMzAxNloXDTI0MDMyMTIwMzAxNlowZzELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCldhc2hpbmd0b24xIjAgBgNVBAoTGUFtYXpvbiBXZWIgU2Vydmlj
ZXMsIEluYy4xHzAdBgNVBAMTFnVybjphbWF6b246d2Vic2VydmljZXMwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwIwOsH62akokz5AM/RU4GtjHCYiDV
QY5KVGk7E3zhiYzOcZ/7T71eSqwzrqwDBg2W+N5TFpFPKcEj5ADmoSlJX2y+nCcP
SpnFWycn57fnw3kv4oAQZ9iH+BhxGmcs2fsnNgX7RNXm+b1P6ZQTVF0MMR/N1VBm
gUD1fixTFFQ5JxXfd9mSmG+CvwVmi2RE8Y4Jn4c2X8IBa436iHqtpRknEcWM6rhB
zh6/qKXoyhHe8ffbRHM2GHkhCXKobckFIIxpWzJV2WxlhZLAp0j9tmsGbdbnV1j+
ZU3Eu0JAm1hJLGJRj+v7CM2W0oHalhVDlMjH6twxi9uQuVlRHUwAk2cXAgMBAAGj
gcwwgckwHQYDVR0OBBYEFNhl+SOtTnyOnX+HifYhgheCi9CcMIGZBgNVHSMEgZEw
gY6AFNhl+SOtTnyOnX+HifYhgheCi9CcoWukaTBnMQswCQYDVQQGEwJVUzETMBEG
A1UECBMKV2FzaGluZ3RvbjEiMCAGA1UEChMZQW1hem9uIFdlYiBTZXJ2aWNlcywg
SW5jLjEfMB0GA1UEAxMWdXJuOmFtYXpvbjp3ZWJzZXJ2aWNlc4IJAIjJINkOERkD
MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADvw37bqUJKZWp5mG+sA
MHWj4tJHlTOyj4WZN5osNq06pTFupRPZ/Rsq/p2VEiemcawNXsKc1uIqECFEQacB
w9eySLjBbhYYSB3YMwKdCBlztcgqtftbXCuD8X1uCigf19BdE+Pe2bWDKdCfRs8B
CSRd1dS6HNGOVWE7k2F7ji91qQFS24MUxsjowGUAiqmF77TpmWCEVki9oZ7yVQya
Z0BeLBnb2cplXake+tD/Vi1drc8E4rgJZjNAbTkoKEw0puVe5bq9Zm9SZrfzk6d3
k7oa2zm4ccDLF3KR0WM9slt/aaHNce/rCtGhGkdCRlpmoceE1sBsYDFQEAIlrBnH
TmE=
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
AWS Management Console Single Sign-On
Amazon Web Services, Inc.
AWS
https://aws.amazon.com
}}}
2. Custom relying party configuration was added to relying-party.xml to enable unencrypted SAML responses.
{{{
}}}
3. New attributes created in attribute-resolver.xml with names required by AWS.
The AWSrole is mapped from group membership in LDAP; initially only a single mapping is included, so additional roles will have to be mapped and added to this attribute definition as they are deployed. Of course the assignment of roles requires adding the group corresponding to the role and adding individual people to those groups.
{{{
arn:aws:iam::688521806680:role/oit-admin,arn:aws:iam::688521806680:saml-provider/urn:mace:incommon:alaska.edu
cn=aws:688521806680:role:oit-admin,ou=group,dc=alaska,dc=edu
}}}
The AWSsessionID appears to be intended to link activity to a user; we agreed to use the scoped version of the user's BannerID as it is unchanging.
{{{
}}}
4. An attribute release policy currently releases ONLY these required custom attributes.
5. AWS apparently cannot initiate a request to the IdP, so we use "unsolicited" SSO. The following URL initiates such a request and relays the SAML to the appropriate end point specified in the AWS metadata.
{{{
https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=urn%3Aamazon%3Awebservices
}}}
As of 2014-08-06, this URL and IdP configuration generate a SAML assertion to the AWS signin page. The AWS responds with a "500" internal server error. DJD is working with AWS to diagnose.