dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2f81f4b3b5
lemonldap-ng/doc/pages/documentation/current/applications/aws.html
Clément OUDOT 2f81f4b3b5 Update documentation
2019-02-12 17:32:02 +01:00

135 lines
10 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:aws</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,aws"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="aws.html"/>
<link rel="contents" href="aws.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:aws","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="amazon_web_services">Amazon Web Services</h1>
<div class="level1">
<p>
<a href="https://aws.amazon.com" class="urlextern" title="https://aws.amazon.com" rel="nofollow">Amazon Web Services</a> allows one to delegate authentication through SAML2.
</p>
</div>
<!-- EDIT1 SECTION "Amazon Web Services" [1-136] -->
<h2 class="sectionedit2" id="saml">SAML</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Make sure you have followed the steps <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html" class="urlextern" title="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html" rel="nofollow">here</a>.</div>
</li>
<li class="level1"><div class="li"> Go to <a href="https://your.portal.com/saml/metadata" class="urlextern" title="https://your.portal.com/saml/metadata" rel="nofollow">https://your.portal.com/saml/metadata</a> and save the resulting file locally.</div>
</li>
<li class="level1"><div class="li"> In each AWS account, go to IAM -&gt; Identity providers -&gt; Create Provider.</div>
</li>
<li class="level1"><div class="li"> Select <code><abbr title="Security Assertion Markup Language">SAML</abbr></code> as the provider type</div>
</li>
<li class="level1"><div class="li"> Choose a name (best if kept consistent between accounts), and then choose the metadata file you saved above.</div>
</li>
<li class="level1"><div class="li"> Looking again at the links on the left side of the page, go to Roles -&gt; Create role</div>
</li>
<li class="level1"><div class="li"> Choose <code><abbr title="Security Assertion Markup Language">SAML</abbr> / Saml 2.0 federation</code></div>
</li>
<li class="level1"><div class="li"> Select the provider you just configured, click <code>Allow programmatic and AWSManagement Console access</code> which will fill in the rest of the form for you, then click next.</div>
</li>
<li class="level1"><div class="li"> Set whatever permissions you need to and then click <code>Review</code>.</div>
</li>
<li class="level1"><div class="li"> Choose a name for the role. These will shown to people when they log in, so make them descriptive. We have different accounts for different regions of the world, so I put the region into the role name so people know which account is which.</div>
</li>
</ul>
<div class="noteclassic">If you have only one role, the configuration is simple. If you have multiple
roles for different people, it is a little trickier. As you will see, the <abbr title="Security Assertion Markup Language">SAML</abbr>
attributes are not dynamic, so you have to set them in the session when a user
logs in or use a custom function. In this example, I wanted to avoid managing
custom functions on all the servers, so the <abbr title="Security Assertion Markup Language">SAML</abbr> attributes are set in
the session. We also use LDAP for user information, so I will describe that.
In our LDAP tree, each user has attributes which are used quite heavily for
dynamic groups and authorisation. You will want something
similar, using whatever attribute makes sense to you. For example:<pre class="code file ldif"> <span class="re0">dn</span>:<span class="re1"> uid=user,ou=people,dc=your,dc=com</span>
...
<span class="re0">ou</span>:<span class="re1"> sysadmin</span>
<span class="re0">ou</span>:<span class="re1"> database</span>
<span class="re0">ou</span>:<span class="re1"> root</span></pre>
</div><ul>
<li class="level1"><div class="li"> Assuming you use the web interface to manage lemonldap, go to General Parameters -&gt; Authentication parameters -&gt; LDAP parameters -&gt; Exported variables. Here set the key to the LDAP attribute and the value to something sensible. I keep them the same to make it easy.</div>
</li>
<li class="level1"><div class="li"> Now go to *Variables -&gt; Macros*. Here set up variables which will be computed based on the attributes you exported above. You will need to emit strings in this format <code>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</code>. The parts you need to change are <code>account-number</code>, <code>role-name1</code> and <code>provier-name</code>. The last two will be the provider name and role names you just set up in AWS.</div>
</li>
<li class="level1"><div class="li"> Perl works in here, so something like this is valid: <code>aws_eu_role</code> -&gt; <code>$ou =~ sysadmin ? “arn:aws...” : “arn:...”</code></div>
</li>
<li class="level1"><div class="li"> If it easier, split multiple roles into different macros. Then tie all the variables you define together into one string concatenating them with whatever is in General Parameters -&gt; Advanced Parameters -&gt; Separator. Actually click into this field and move around with the arrow keys to see if there is a space, since spaces can be part of the separator.</div>
</li>
<li class="level1"><div class="li"> Remember macros are defined alphanumerically, so you want one right at the end, like <code>z_aws_roles</code> -&gt; <code>join(“; ”, $role_name1, $role_name2, ...)</code></div>
</li>
<li class="level1"><div class="li"> On the left again, click <code><abbr title="Security Assertion Markup Language">SAML</abbr> service providers</code>, then <code>Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP</code>.</div>
</li>
<li class="level1"><div class="li"> Enter a name, click ok, then select it on the left. Select <code>Metadata</code>, then enter `<a href="https://signin.aws.amazon.com/static/saml-metadata.xml" class="urlextern" title="https://signin.aws.amazon.com/static/saml-metadata.xml" rel="nofollow">https://signin.aws.amazon.com/static/saml-metadata.xml</a>` in the <code><abbr title="Uniform Resource Locator">URL</abbr></code> field, then click load.</div>
</li>
<li class="level1"><div class="li"> Click <code>Exported attributes</code> on the left, then <code>Add attribute</code> twice to add two attributes. The first field is the name of a variable set in the user&#039;s session:</div>
<ul>
<li class="level2"><div class="li"> <code>_whatToTrace</code> -&gt; <code><a href="https://aws.amazon.com/SAML/Attributes/RoleSessionName" class="urlextern" title="https://aws.amazon.com/SAML/Attributes/RoleSessionName" rel="nofollow">https://aws.amazon.com/SAML/Attributes/RoleSessionName</a></code> (leave the rest)</div>
</li>
<li class="level2"><div class="li"> <code>z_aws_roles</code> (the macro name you defined above) -&gt; <code><a href="https://aws.amazon.com/SAML/Attributes/Role" class="urlextern" title="https://aws.amazon.com/SAML/Attributes/Role" rel="nofollow">https://aws.amazon.com/SAML/Attributes/Role</a></code> (leave the rest)</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> On the left, select Options -&gt; Security -&gt; Enable use of IDP initiated <abbr title="Uniform Resource Locator">URL</abbr> -&gt; On</div>
</li>
<li class="level1"><div class="li"> Select General Parameters -&gt; Portal -&gt; Menu -&gt; Categories and applications</div>
</li>
<li class="level1"><div class="li"> Select a category or create a new one if you need to. Then click <code>New application</code>. </div>
</li>
<li class="level1"><div class="li"> Enter a name etc. For the <abbr title="Uniform Resource Locator">URL</abbr>, use <code><a href="https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices" class="urlextern" title="https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices" rel="nofollow">https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices</a></code></div>
</li>
<li class="level1"><div class="li"> Display application should be set to <code>Enabled</code></div>
</li>
<li class="level1"><div class="li"> Go to your portal, click on the link, and check that it works!</div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "SAML" [137-] --></div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink