http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html http://blogs.aws.amazon.com/security/post/TxRTTT5PLUE6B5/How-to-use-Shibboleth-for-single-sign-on-to-the-AWS-Management-Console Following this documentation, the following has been done as of 2014-08-06: 1. AWS metadata from https://signin.aws.amazon.com/static/saml-metadata.xml added directly to sp-metadata.xml in the metadata directory of the IdP home (/opt/shibboleth-idp/metadata/). Note that this metadata includes a certificate with indicated use of signing, but not encryption. {{{ MIIEHjCCAwagAwIBAgIJAIjJINkOERkDMA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNV BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMSIwIAYDVQQKExlBbWF6b24gV2Vi IFNlcnZpY2VzLCBJbmMuMR8wHQYDVQQDExZ1cm46YW1hem9uOndlYnNlcnZpY2Vz MB4XDTE0MDMyNDIwMzAxNloXDTI0MDMyMTIwMzAxNlowZzELMAkGA1UEBhMCVVMx EzARBgNVBAgTCldhc2hpbmd0b24xIjAgBgNVBAoTGUFtYXpvbiBXZWIgU2Vydmlj ZXMsIEluYy4xHzAdBgNVBAMTFnVybjphbWF6b246d2Vic2VydmljZXMwggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwIwOsH62akokz5AM/RU4GtjHCYiDV QY5KVGk7E3zhiYzOcZ/7T71eSqwzrqwDBg2W+N5TFpFPKcEj5ADmoSlJX2y+nCcP SpnFWycn57fnw3kv4oAQZ9iH+BhxGmcs2fsnNgX7RNXm+b1P6ZQTVF0MMR/N1VBm gUD1fixTFFQ5JxXfd9mSmG+CvwVmi2RE8Y4Jn4c2X8IBa436iHqtpRknEcWM6rhB zh6/qKXoyhHe8ffbRHM2GHkhCXKobckFIIxpWzJV2WxlhZLAp0j9tmsGbdbnV1j+ ZU3Eu0JAm1hJLGJRj+v7CM2W0oHalhVDlMjH6twxi9uQuVlRHUwAk2cXAgMBAAGj gcwwgckwHQYDVR0OBBYEFNhl+SOtTnyOnX+HifYhgheCi9CcMIGZBgNVHSMEgZEw gY6AFNhl+SOtTnyOnX+HifYhgheCi9CcoWukaTBnMQswCQYDVQQGEwJVUzETMBEG A1UECBMKV2FzaGluZ3RvbjEiMCAGA1UEChMZQW1hem9uIFdlYiBTZXJ2aWNlcywg SW5jLjEfMB0GA1UEAxMWdXJuOmFtYXpvbjp3ZWJzZXJ2aWNlc4IJAIjJINkOERkD MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADvw37bqUJKZWp5mG+sA MHWj4tJHlTOyj4WZN5osNq06pTFupRPZ/Rsq/p2VEiemcawNXsKc1uIqECFEQacB w9eySLjBbhYYSB3YMwKdCBlztcgqtftbXCuD8X1uCigf19BdE+Pe2bWDKdCfRs8B CSRd1dS6HNGOVWE7k2F7ji91qQFS24MUxsjowGUAiqmF77TpmWCEVki9oZ7yVQya Z0BeLBnb2cplXake+tD/Vi1drc8E4rgJZjNAbTkoKEw0puVe5bq9Zm9SZrfzk6d3 k7oa2zm4ccDLF3KR0WM9slt/aaHNce/rCtGhGkdCRlpmoceE1sBsYDFQEAIlrBnH TmE= urn:oasis:names:tc:SAML:2.0:nameid-format:transient urn:oasis:names:tc:SAML:2.0:nameid-format:persistent AWS Management Console Single Sign-On Amazon Web Services, Inc. AWS https://aws.amazon.com }}} 2. Custom relying party configuration was added to relying-party.xml to enable unencrypted SAML responses. {{{ }}} 3. New attributes created in attribute-resolver.xml with names required by AWS. The AWSrole is mapped from group membership in LDAP; initially only a single mapping is included, so additional roles will have to be mapped and added to this attribute definition as they are deployed. Of course the assignment of roles requires adding the group corresponding to the role and adding individual people to those groups. {{{ arn:aws:iam::688521806680:role/oit-admin,arn:aws:iam::688521806680:saml-provider/urn:mace:incommon:alaska.edu cn=aws:688521806680:role:oit-admin,ou=group,dc=alaska,dc=edu }}} The AWSsessionID appears to be intended to link activity to a user; we agreed to use the scoped version of the user's BannerID as it is unchanging. {{{ }}} 4. An attribute release policy currently releases ONLY these required custom attributes. 5. AWS apparently cannot initiate a request to the IdP, so we use "unsolicited" SSO. The following URL initiates such a request and relays the SAML to the appropriate end point specified in the AWS metadata. {{{ https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=urn%3Aamazon%3Awebservices }}} As of 2014-08-06, this URL and IdP configuration generate a SAML assertion to the AWS signin page. The AWS responds with a "500" internal server error. DJD is working with AWS to diagnose.