Amazon Web Services allows one to delegate authentication through SAML2.

On the AWS side:

- Add an identity provider, choosing SAML as the provider type.
- Create a role trusted by that provider: choose SAML / Saml 2.0 federation and "Allow programmatic and AWS Management Console access", which will fill in the rest of the form for you, then click Next and review.
On the directory side, each user entry carries the `ou` values that are used below to pick an AWS role, for example:

```ldif
dn: uid=user,ou=people,dc=your,dc=com
...
ou: sysadmin
ou: database
ou: root
```
Each AWS role is passed as a comma-separated pair, the role ARN followed by the SAML provider ARN:

```
arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name
```

The parts you need to change are `account-number`, `role-name1` and `provider-name`. The last two will be the provider name and role names you just set up in AWS.

Then define macros that derive the role value(s) from the user's `ou` attribute and collect them into one session variable:

```
aws_eu_role -> $ou =~ sysadmin ? "arn:aws..." : "arn:..."
z_aws_roles -> join("; ", $role_name1, $role_name2, ...)
```
On the identity provider side, go to SAML service providers, then Add SAML SP. Under Metadata, enter `https://signin.aws.amazon.com/static/saml-metadata.xml` in the URL field, then click Load. Open Exported attributes on the left, then click Add attribute twice to add two attributes. The first field is the name of a variable set in the user's session, the second the attribute name AWS expects:

- `_whatToTrace` -> `https://aws.amazon.com/SAML/Attributes/RoleSessionName` (leave the rest)
- `z_aws_roles` (the macro name you defined above) -> `https://aws.amazon.com/SAML/Attributes/Role` (leave the rest)

Finally, add a New application whose URL is the IdP-initiated sign-on link, and mark it Enabled:

`https://your.portal.com/saml/singleSignOn?IDPInitiated=1&sp=urn:amazon:webservices`
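The ou-to-role mapping and the two exported attributes above, as an added Python example that is not code from the page or from any IdP product: it assumes a constructed account number, provider and role names, stands in for the `aws_eu_role` / `z_aws_roles` macros with a dictionary, emits one `AttributeValue` per role pair (the form AWS reads for multiple roles), and adds a `check_pair()` sanity check that catches a malformed or cross-account pair before it reaches AWS.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample values (placeholders, not a real account or the page's own values).
ACCOUNT = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/provider-name"

# Assumed ou -> role mapping, playing the part of the aws_eu_role macro above.
# An ou with no entry here (e.g. "root") grants no AWS role at all.
OU_TO_ROLE = {
    "sysadmin": f"arn:aws:iam::{ACCOUNT}:role/role-name1",
    "database": f"arn:aws:iam::{ACCOUNT}:role/role-name2",
}

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def role_pairs_for(ous):
    """Build one 'role-arn,provider-arn' value per ou that maps to a role."""
    return [f"{OU_TO_ROLE[ou]},{PROVIDER_ARN}" for ou in ous if ou in OU_TO_ROLE]


def check_pair(pair):
    """Sanity check for a Role value before it is handed to AWS: exactly two ARNs,
    role first then saml-provider, both in the same account (a typo here means a
    silent sign-in failure or a role in the wrong account)."""
    parts = pair.split(",")
    if len(parts) != 2:
        return False
    role, provider = ROLE_ARN_RE.match(parts[0]), PROVIDER_ARN_RE.match(parts[1])
    return bool(role and provider and role.group(1) == provider.group(1))


def attribute_statement(session_name, ous):
    """Render the two exported attributes: RoleSessionName (one value) and
    Role (one AttributeValue per pair, which is how AWS reads multiple roles)."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                         Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName")
    ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = session_name
    attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                         Name="https://aws.amazon.com/SAML/Attributes/Role")
    for pair in role_pairs_for(ous):
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = pair
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    print(attribute_statement("user", ["sysadmin", "database", "root"]))
```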