wiki:AmazonWebServices

Version 3 (modified by dabantz@…, 6 years ago) (diff)

--

http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html

http://blogs.aws.amazon.com/security/post/TxRTTT5PLUE6B5/How-to-use-Shibboleth-for-single-sign-on-to-the-AWS-Management-Console

Following this documentation, the following has been done as of 2014-08-06:

  1. AWS metadata from https://signin.aws.amazon.com/static/saml-metadata.xml added directly to sp-metadata.xml in the metadata directory of the IdP home (/opt/shibboleth-idp/metadata/).

Note that this metadata includes a certificate with indicated use of signing, but not encryption.

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:amazon:webservices" validUntil="2015-03-24T20:30:16Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIEHjCCAwagAwIBAgIJAIjJINkOERkDMA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMSIwIAYDVQQKExlBbWF6b24gV2Vi
IFNlcnZpY2VzLCBJbmMuMR8wHQYDVQQDExZ1cm46YW1hem9uOndlYnNlcnZpY2Vz
MB4XDTE0MDMyNDIwMzAxNloXDTI0MDMyMTIwMzAxNlowZzELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCldhc2hpbmd0b24xIjAgBgNVBAoTGUFtYXpvbiBXZWIgU2Vydmlj
ZXMsIEluYy4xHzAdBgNVBAMTFnVybjphbWF6b246d2Vic2VydmljZXMwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwIwOsH62akokz5AM/RU4GtjHCYiDV
QY5KVGk7E3zhiYzOcZ/7T71eSqwzrqwDBg2W+N5TFpFPKcEj5ADmoSlJX2y+nCcP
SpnFWycn57fnw3kv4oAQZ9iH+BhxGmcs2fsnNgX7RNXm+b1P6ZQTVF0MMR/N1VBm
gUD1fixTFFQ5JxXfd9mSmG+CvwVmi2RE8Y4Jn4c2X8IBa436iHqtpRknEcWM6rhB
zh6/qKXoyhHe8ffbRHM2GHkhCXKobckFIIxpWzJV2WxlhZLAp0j9tmsGbdbnV1j+
ZU3Eu0JAm1hJLGJRj+v7CM2W0oHalhVDlMjH6twxi9uQuVlRHUwAk2cXAgMBAAGj
gcwwgckwHQYDVR0OBBYEFNhl+SOtTnyOnX+HifYhgheCi9CcMIGZBgNVHSMEgZEw
gY6AFNhl+SOtTnyOnX+HifYhgheCi9CcoWukaTBnMQswCQYDVQQGEwJVUzETMBEG
A1UECBMKV2FzaGluZ3RvbjEiMCAGA1UEChMZQW1hem9uIFdlYiBTZXJ2aWNlcywg
SW5jLjEfMB0GA1UEAxMWdXJuOmFtYXpvbjp3ZWJzZXJ2aWNlc4IJAIjJINkOERkD
MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADvw37bqUJKZWp5mG+sA
MHWj4tJHlTOyj4WZN5osNq06pTFupRPZ/Rsq/p2VEiemcawNXsKc1uIqECFEQacB
w9eySLjBbhYYSB3YMwKdCBlztcgqtftbXCuD8X1uCigf19BdE+Pe2bWDKdCfRs8B
CSRd1dS6HNGOVWE7k2F7ji91qQFS24MUxsjowGUAiqmF77TpmWCEVki9oZ7yVQya
Z0BeLBnb2cplXake+tD/Vi1drc8E4rgJZjNAbTkoKEw0puVe5bq9Zm9SZrfzk6d3
k7oa2zm4ccDLF3KR0WM9slt/aaHNce/rCtGhGkdCRlpmoceE1sBsYDFQEAIlrBnH
TmE=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://signin.aws.amazon.com/saml"/>
    <AttributeConsumingService index="1">
      <ServiceName xml:lang="en">AWS Management Console Single Sign-On</ServiceName>
      <RequestedAttribute isRequired="true" Name="https://aws.amazon.com/SAML/Attributes/Role" FriendlyName="RoleEntitlement"/>
      <RequestedAttribute isRequired="true" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" FriendlyName="RoleSessionName"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" FriendlyName="eduPersonNickname"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" FriendlyName="eduPersonOrgDN"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" FriendlyName="eduPersonOrgUnitDN"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" FriendlyName="eduPersonPrimaryAffiliation"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" FriendlyName="eduPersonPrimaryOrgUnitDN"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" FriendlyName="eduPersonAssurance"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.2.1.2" FriendlyName="eduOrgHomePageURI"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.2.1.3" FriendlyName="eduOrgIdentityAuthNPolicyURI"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.2.1.4" FriendlyName="eduOrgLegalName"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.2.1.5" FriendlyName="eduOrgSuperiorURI"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.2.1.6" FriendlyName="eduOrgWhitePagesURI"/>
      <RequestedAttribute isRequired="false" Name="urn:oid:2.5.4.3" FriendlyName="cn"/>
    </AttributeConsumingService>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">Amazon Web Services, Inc.</OrganizationName>
    <OrganizationDisplayName xml:lang="en">AWS</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">https://aws.amazon.com</OrganizationURL>
  </Organization>
</EntityDescriptor>

  1. Custom relying party configuration was added to relying-party.xml to enable unencrypted SAML responses.
    <!-- Amazon Web Services (AWS) provides no encryption cert, so diable encryption -->
       <RelyingParty id="urn:amazon:webservices"
           provider="urn:mace:incommon:alaska.edu"
           defaultSigningCredentialRef="IdPCredential"
           defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport">
          <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
       </RelyingParty>
    
    
  1. New attributes created in attribute-resolver.xml with names required by AWS.

The AWSrole is mapped from group membership in LDAP; initially only a single mapping is included, so additional roles will have to be mapped and added to this attribute definition as they are deployed. Of course the assignment of roles requires adding the group corresponding to the role and adding individual people to those groups.

 <!-- AWS requires each authorized user to have one or more roles matching a role names created in AWS.
     We use of group memberships reflected as values in the "eduIsMemberOf" LDAP attribute
     
     This attribute will remain with a null value if the user hasn't been explicitly put into any such applicable group, 
     meaning they will not be authorized in AWS and may receive an error from AWS 
     -->
    <resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                           id="AWSrole"
                           sourceAttributeID="isMemberOf">
        <resolver:Dependency ref="myLDAP" />
        <resolver:Dependency ref="isMemberOf" />

        <!-- SAML 2 (only) encoder for the attribute -->
         <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                       name="https://aws.amazon.com/SAML/Attributes/Role"
                               friendlyName="AWSrole" />

        <!-- Note we don't want to have any default value for this mapping, as there
          will be many group memberships that don't have any applicability to AWS.
        -->

        <!-- map group 'cn=aws:role:role-name' to defined AWSrole attribute format -->
        <ValueMap>
           <ReturnValue>arn:aws:iam::688521806680:role/$1,arn:aws:iam::688521806680:saml-provider/OITshibb</ReturnValue>
          <SourceValue ignoreCase="true">cn=aws:688521806680:role:(.*?),ou=group,dc=alaska,dc=edu</SourceValue>
        </ValueMap>

    </resolver:AttributeDefinition>

The AWSsessionID appears to be intended to link activity to a user; we agreed to use the scoped version of the user's BannerID as it is unchanging.

<!-- AWS "Role Session Name" is an identifier for the session; AWS docs suggest individual identifier like username or email -->
<!-- We'll use the persistent uakPersonID or eduPersonUniqueID to facilitate persistence of name for audit -->
<resolver:AttributeDefinition id="AWSsessionID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="eduPersonUniqueId">
<resolver:Dependency ref="eduPersonUniqueId" />
<resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" friendlyName="AWSsessionID" />
</resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="ADmemberOf" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="memberOf">
        <resolver:Dependency ref="uaADLDAP" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.2.840.113556.1.2.102" friendlyName="ADmemberOf" />
    </resolver:AttributeDefinition>

  1. An attribute release policy currently releases ONLY these required custom attributes plus the opaque transientId used for the NameID in the subject portion of the SAML assertion.
  1. AWS apparently cannot initiate a request to the IdP, so we use "unsolicited" SSO. The following URL initiates such a request and relays the SAML to the appropriate end point specified in the AWS metadata.
https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=urn%3Aamazon%3Awebservices

As of 2014-08-12, this URL and IdP configuration logs UA users into AWS and presents roles corresponding to their group memberships.