AWS Console as SAML SP


Benjamin Winston

Nov 7, 2022, 4:23:15 PM11/7/22
to CAS Community
Hi all,

Has anyone had success integrating an AWS Console as a SAML SP? We've been spinning our wheels on this for a couple weeks now, and are not really sure where to go from here. We're loosely following this:


with the caveat that Shib is not CAS, of course, but that's about as close as the official AWS documentation has gotten. The only error message we've gotten back from Amazon is "Your request included an invalid SAML response", and the person we're integrating with (who has access to the AWS console) said he's not seeing any logs being generated at all for these failed requests.

Any advice or experience anyone on here has had would be invaluable! Thanks!

Ben

Andrew Marker

Nov 7, 2022, 4:35:05 PM11/7/22
to CAS Community, bwin...@philasd.org
I was on an early version of 6.x when I did this, so, it could perhaps be updated but it is working.  If nothing else, just directly referencing the metadata: https://signin.aws.amazon.com/static/saml-metadata.xml

Keep in mind, CAS has some prebuilt libraries for specific SPs:  CAS - SAML SP Integrations (apereo.github.io). That is probably best practice.


amazon-1160.json
aws-roles.groovy

Andrew Marker

Nov 7, 2022, 4:41:53 PM11/7/22
to CAS Community, Andrew Marker, bwin...@philasd.org
I should say too that the groups I created to identify and manage access in an LDAP directory are in the format:

cn=aws8765309-administrator,ou=groups,o=data
cn=aws8765309-read-only,ou=groups,o=data

When you look at the regex this factors into the extraction.
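As an added example (not code from the thread or its attachments), here is one way the group naming convention above can be turned into the values AWS expects in the https://aws.amazon.com/SAML/Attributes/Role attribute. The SAML provider name "CAS" and the extra non-AWS group in the sample input are assumptions; the two aws8765309 DNs are the ones from the post.

```python
import re
from typing import List

# Group naming convention from the post: cn=aws<account>-<role>,ou=groups,o=data
# IAM role names may contain [A-Za-z0-9+=.@_-]; commas are excluded here because
# they would break the DN layout used in the post.
GROUP_RE = re.compile(
    r"^cn=aws(?P<account>\d+)-(?P<role>[A-Za-z0-9+=.@_-]+),ou=groups,o=data$",
    re.IGNORECASE,
)

# Constructed sample input: the two DNs quoted in the post plus one unrelated group.
SAMPLE_GROUPS = [
    "cn=aws8765309-administrator,ou=groups,o=data",
    "cn=aws8765309-read-only,ou=groups,o=data",
    "cn=staff,ou=groups,o=data",
]


def aws_role_attribute(group_dns: List[str], saml_provider: str) -> List[str]:
    """Map LDAP group DNs to AWS SAML Role attribute values.

    Each value has the form
      arn:aws:iam::<account>:role/<role>,arn:aws:iam::<account>:saml-provider/<provider>
    and both ARNs must refer to the same account. Groups that do not follow the
    aws<account>-<role> convention are ignored rather than passed through, so an
    unrelated group cannot leak into the assertion.
    """
    values = []
    for dn in group_dns:
        match = GROUP_RE.match(dn.strip())
        if not match:
            continue
        account = match.group("account")
        role = match.group("role")
        values.append(
            f"arn:aws:iam::{account}:role/{role},"
            f"arn:aws:iam::{account}:saml-provider/{saml_provider}"
        )
    return values


if __name__ == "__main__":
    # "CAS" is an assumed IAM SAML provider name; use the one registered in IAM.
    for value in aws_role_attribute(SAMPLE_GROUPS, "CAS"):
        print(value)
```

The provider name in the second ARN must match the identity provider created in IAM for the account, and the account in both ARNs must be the same, otherwise the console rejects the assertion.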
