<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:aws</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,aws"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="aws.html"/>
<link rel="contents" href="aws.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:aws","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="amazon_web_services">Amazon Web Services</h1>
<div class="level1">
<p>
<a href="https://aws.amazon.com" class="urlextern" title="https://aws.amazon.com" rel="nofollow">Amazon Web Services</a> allows authentication to be delegated to an external identity provider through SAML2.
</p>
</div>
<h2 class="sectionedit2" id="saml">SAML</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Make sure you have followed the steps <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html" class="urlextern" title="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html" rel="nofollow">here</a>.</div>
</li>
<li class="level1"><div class="li"> Go to <a href="https://your.portal.com/saml/metadata" class="urlextern" title="https://your.portal.com/saml/metadata" rel="nofollow">https://your.portal.com/saml/metadata</a> and save the resulting file locally.</div>
</li>
<li class="level1"><div class="li"> In each AWS account, go to IAM → Identity providers → Create Provider.</div>
</li>
<li class="level1"><div class="li"> Select <code><abbr title="Security Assertion Markup Language">SAML</abbr></code> as the provider type.</div>
</li>
<li class="level1"><div class="li"> Choose a name (best if kept consistent between accounts), and then choose the metadata file you saved above.</div>
</li>
<li class="level1"><div class="li"> Looking again at the links on the left side of the page, go to Roles → Create role.</div>
</li>
<li class="level1"><div class="li"> Choose <code><abbr title="Security Assertion Markup Language">SAML</abbr> / SAML 2.0 federation</code>.</div>
</li>
<li class="level1"><div class="li"> Select the provider you just configured, click <code>Allow programmatic and AWS Management Console access</code>, which fills in the rest of the form for you, then click <code>Next</code>.</div>
</li>
<li class="level1"><div class="li"> Set whatever permissions you need and then click <code>Review</code>.</div>
</li>
<li class="level1"><div class="li"> Choose a name for the role. These will be shown to people when they log in, so make them descriptive. We have different accounts for different regions of the world, so I put the region into the role name so people know which account is which.</div>
</li>
</ul>
<div class="noteclassic">If you have only one role, the configuration is simple. If you have multiple roles for different people, it is a little trickier. As you will see, the <abbr title="Security Assertion Markup Language">SAML</abbr> attributes are not dynamic, so you have to set them in the session when a user logs in or use a custom function. In this example, I wanted to avoid managing custom functions on all the servers, so the <abbr title="Security Assertion Markup Language">SAML</abbr> attributes are set in the session. We also use LDAP for user information, so I will describe that. In our LDAP tree, each user has attributes which are used quite heavily for dynamic groups and authorisation. You will want something similar, using whatever attribute makes sense to you. For example:<pre class="code file ldif"><span class="re0">dn</span>:<span class="re1"> uid=user,ou=people,dc=your,dc=com</span>
...
<span class="re0">ou</span>:<span class="re1"> sysadmin</span>
<span class="re0">ou</span>:<span class="re1"> database</span>
<span class="re0">ou</span>:<span class="re1"> root</span></pre>
</div>
<ul>
<li class="level1"><div class="li"> Assuming you use the web interface to manage LemonLDAP::NG, go to General Parameters → Authentication parameters → LDAP parameters → Exported variables. Here set the key to the LDAP attribute and the value to something sensible. I keep them the same to make it easy.</div>
</li>
<li class="level1"><div class="li"> Now go to Variables → Macros. Here set up variables which will be computed from the attributes you exported above. You will need to emit strings in this format: <code>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</code>. The parts you need to change are <code>account-number</code>, <code>role-name1</code> and <code>provider-name</code>. The last two are the role and provider names you just set up in AWS.</div>
</li>
<li class="level1"><div class="li"> Perl works in here, so something like this is valid: <code>aws_eu_role</code> → <code>$ou =~ /sysadmin/ ? "arn:aws…" : "arn:…"</code></div>
</li>
<li class="level1"><div class="li"> If it is easier, split multiple roles into different macros. Then tie all the variables you define together into one string, concatenating them with whatever is in General Parameters → Advanced Parameters → Separator. Actually click into this field and move around with the arrow keys to see whether there is a trailing space, since spaces can be part of the separator.</div>
</li>
<li class="level1"><div class="li"> Remember that macros are evaluated in alphanumeric order, so you want one right at the end, like <code>z_aws_roles</code> → <code>join("; ", $role_name1, $role_name2, …)</code></div>
</li>
<li class="level1"><div class="li"> On the left again, click <code><abbr title="Security Assertion Markup Language">SAML</abbr> service providers</code>, then <code>Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP</code>.</div>
</li>
<li class="level1"><div class="li"> Enter a name, click OK, then select it on the left. Select <code>Metadata</code>, then enter <a href="https://signin.aws.amazon.com/static/saml-metadata.xml" class="urlextern" title="https://signin.aws.amazon.com/static/saml-metadata.xml" rel="nofollow">https://signin.aws.amazon.com/static/saml-metadata.xml</a> in the <code><abbr title="Uniform Resource Locator">URL</abbr></code> field, then click <code>Load</code>.</div>
</li>
<li class="level1"><div class="li"> Click <code>Exported attributes</code> on the left, then <code>Add attribute</code> twice to add two attributes. The first field is the name of a variable set in the user's session:</div>
<ul>
<li class="level2"><div class="li"> <code>_whatToTrace</code> → <code><a href="https://aws.amazon.com/SAML/Attributes/RoleSessionName" class="urlextern" title="https://aws.amazon.com/SAML/Attributes/RoleSessionName" rel="nofollow">https://aws.amazon.com/SAML/Attributes/RoleSessionName</a></code> (leave the rest)</div>
</li>
<li class="level2"><div class="li"> <code>z_aws_roles</code> (the macro name you defined above) → <code><a href="https://aws.amazon.com/SAML/Attributes/Role" class="urlextern" title="https://aws.amazon.com/SAML/Attributes/Role" rel="nofollow">https://aws.amazon.com/SAML/Attributes/Role</a></code> (leave the rest)</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> On the left, select Options → Security → Enable use of IDP initiated <abbr title="Uniform Resource Locator">URL</abbr> → On.</div>
</li>
<li class="level1"><div class="li"> Select General Parameters → Portal → Menu → Categories and applications.</div>
</li>
<li class="level1"><div class="li"> Select a category or create a new one if you need to. Then click <code>New application</code>.</div>
</li>
<li class="level1"><div class="li"> Enter a name etc. For the <abbr title="Uniform Resource Locator">URL</abbr>, use <code><a href="https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices" class="urlextern" title="https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices" rel="nofollow">https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices</a></code></div>
</li>
<li class="level1"><div class="li"> Display application should be set to <code>Enabled</code>.</div>
</li>
<li class="level1"><div class="li"> Go to your portal, click on the link, and check that it works!</div>
</li>
</ul>
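<p>The macro logic from the steps above (the single-role ternary, the <code>z_aws_roles</code> join, and the multi-valued <code>ou</code> attribute from the LDIF in the note) as a stand-alone Perl script, added here as an example; it is not part of the LemonLDAP::NG documentation or code base. It mirrors what the macros compute so the output can be checked locally before the expressions are pasted into the manager. The account number, provider name, role names and the <code>ou</code>-to-role mapping are constructed placeholders, and the separator is assumed to be the default <code>; </code>.</p>

```perl
#!/usr/bin/perl
use strict;
use warnings;

# --- Constructed placeholders: replace with your own values ---
my $ACCOUNT  = '123456789012';   # AWS account number (placeholder)
my $PROVIDER = 'lemonldap';      # name given to the SAML identity provider in IAM (assumed)
my $SEP      = '; ';             # must match General Parameters -> Advanced Parameters -> Separator

# Which LDAP "ou" value grants which IAM role (assumed mapping).
# An "ou" with no entry here grants no AWS role, so "root" gets nothing.
my %role_for_ou = (
    sysadmin => 'eu-sysadmin',
    database => 'eu-database',
);

# Builds the "role-arn,provider-arn" pair that AWS expects in the Role attribute.
sub aws_role_pair {
    my ( $account, $role, $provider ) = @_;
    return "arn:aws:iam::$account:role/$role,arn:aws:iam::$account:saml-provider/$provider";
}

# Single-role macro, the page's ternary form. The match is anchored on the
# separator so that a value such as "sysadmin-trainee" does not also match.
sub aws_eu_role {
    my ($ou) = @_;
    return $ou =~ /(?:^|\Q$SEP\E)sysadmin(?:\Q$SEP\E|$)/
        ? aws_role_pair( $ACCOUNT, 'eu-sysadmin', $PROVIDER )
        : '';
}

# Multi-role macro (the page's z_aws_roles): split the exported "ou" value on
# the separator, map each value to a role, and join the pairs with the separator.
sub z_aws_roles {
    my ($ou) = @_;
    my @pairs;
    for my $value ( split /\Q$SEP\E/, $ou // '' ) {
        next unless exists $role_for_ou{$value};
        push @pairs, aws_role_pair( $ACCOUNT, $role_for_ou{$value}, $PROVIDER );
    }
    return join( $SEP, @pairs );
}

# AWS rejects a RoleSessionName outside the characters [\w+=,.@-] or the
# length 2..64, so check what _whatToTrace would carry before exporting it.
sub valid_role_session_name {
    my ($name) = @_;
    return ( defined $name && $name =~ /^[\w+=,.@-]{2,64}$/ ) ? 1 : 0;
}

# Constructed session values: "ou" is what LemonLDAP::NG exports from the
# multi-valued LDAP attribute in the LDIF above, joined with $SEP.
my $ou  = 'sysadmin; database; root';
my $uid = 'user';

print "aws_eu_role  : ", aws_eu_role($ou), "\n";
print "z_aws_roles  : ", z_aws_roles($ou), "\n";
print "session name : $uid ", ( valid_role_session_name($uid) ? 'ok' : 'INVALID' ), "\n";
```

<p>Two points worth keeping when this is moved into the manager: a bare <code>/sysadmin/</code> match is a substring match and would also grant the role to any <code>ou</code> value that merely contains the word, so anchor the pattern on the separator as above; and values with no mapping should produce nothing rather than a fallback role, so that a new <code>ou</code> in LDAP cannot silently grant AWS access. When several pairs are returned, AWS shows the user a role-selection page.</p>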
</div>
</div>
</body>
</html>