New Amazon SAML Support


Rob Tucker

Nov 25, 2013, 3:10:22 PM
to simple...@googlegroups.com
Amazon recently announced that they have support for SAML.

I'm looking at setting up simplesamlphp for the task but am having issues.

Has anyone set up simplesamlphp as an IdP and successfully gotten it to work?

Is there any documentation that I could be pointed at that would help?

Thijs Kinkhorst

Nov 26, 2013, 3:28:32 AM
to simple...@googlegroups.com
Hi Rob,

On Mon, 25 Nov 2013 12:10:22 -0800 (PST), Rob Tucker <rtuc...@gmail.com>
wrote:
If they support SAML then I think the simpleSAMLphp documentation should
suffice to get it to work. If you already have an IdP running you should be
able to add their metadata just like any other SP you're currently using.
If you didn't yet set up an IdP then
http://simplesamlphp.org/docs/stable/simplesamlphp-idp should have the info
you need.

If you run into any problem in particular, this mailing list may be able to
help.


--
Thijs Kinkhorst <th...@uvt.nl> – LIS Unix

Universiteit van Tilburg – Library and IT Services
Bezoekadres > Warandelaan 2 • Tel. 013 466 3035 • G 236

Rob Tucker

Nov 26, 2013, 8:15:37 AM
to simple...@googlegroups.com, th...@uvt.nl
I set up the IdP and I get the redirect to happen upon successful authentication. The issue that I think I'm hitting now is that they want some custom things implemented, as found here:
http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html#configuring-saml-response

How do I add those additional custom XML attributes to the SAMLResponse, please note that one of them is the generated token?

Arthur de Vaan

Nov 26, 2013, 9:16:21 AM
to simple...@googlegroups.com

Hi Rob,

Also had several problems with AWS but eventually got it working. You can also find valuable information on this topic on AWS' own forums by the way: https://forums.aws.amazon.com/forum.jspa?forumID=76#

But regarding the required attributes, I think the official way of adding these in SimpleSAML is via auth proc filters, but not sure (http://simplesamlphp.org/docs/1.11/simplesamlphp-authproc). Personally we're using a custom auth source and therefore I'm inserting these directly from function getUser() in our class derived from SimpleSAML_Auth_Source:

private function getUser() {

  // ... (user lookup and the rest of $attributes elided in the original post)

  if ( $hasAwsRole ) {
    // AWS expects the Role value as "<role ARN>,<saml-provider ARN>";
    // both values must be arrays so they are emitted as AttributeValue elements
    $attributes['https://aws.amazon.com/SAML/Attributes/Role'] = array($awsRole);
    $attributes['https://aws.amazon.com/SAML/Attributes/RoleSessionName'] = array($displayName);
  }

  return $attributes;
}


Note that you must use arrays (or at least in the version of SimpleSAML I'm using) as otherwise the resulting XML will not wrap your value inside the required AttributeValue tag.
Furthermore my SP config for AWS looks like this:


  $metadata['https://signin.aws.amazon.com/saml'] = array(
    'AssertionConsumerService' => 'https://signin.aws.amazon.com/saml',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'simplesaml.nameidattribute' => 'uid',
    'attributes' => array('uid','https://aws.amazon.com/SAML/Attributes/Role','https://aws.amazon.com/SAML/Attributes/RoleSessionName')
  );


I think that configuring the name id format as persistent here already takes care of the correct Subject and NameID part.
For the rest it will work when you correctly add those two additional attributes for AWS.
The thing where I got stuck was with RoleSessionName which apparently may not contain spaces. If you put spaces in these it will result in strange errors.


regards,
Arthur de Vaan

--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
To post to this group, send email to simple...@googlegroups.com.
Visit this group at http://groups.google.com/group/simplesamlphp.
For more options, visit https://groups.google.com/groups/opt_out.

Rob Tucker

Nov 26, 2013, 10:39:57 AM
to simple...@googlegroups.com
Arthur,
Thank you so much for your response. This is extremely helpful! I might have some additional questions, but I'm going to get going with this. Thanks!

Rob Tucker

Nov 26, 2013, 11:38:41 AM
to simple...@googlegroups.com
Arthur,
I got it to work; I went with the auth proc filters.

        'authproc' => array(
            10 => array(
                'class' => 'core:AttributeAdd',
                'https://aws.amazon.com/SAML/Attributes/Role' => array('arn:aws:iam::<account_number_without_spaces>:role/<role_name>,arn:aws:iam::<account_number_without_spaces>:saml-provider/<saml_provider_name>'),
            ),
            20 => array(
                'class' => 'core:AttributeAdd',
                'https://aws.amazon.com/SAML/Attributes/RoleSessionName' => array('uid'),
            ),
        ),

How do I implement the logout redirection?

Jason Haar

Nov 26, 2013, 12:39:16 PM
to simple...@googlegroups.com
On 27/11/13 03:16, Arthur de Vaan wrote:

> Hi Rob,
>
> Also had several problems with AWS but eventually got it working. You can also find valuable information on this topic on AWS' own forums by the way: https://forums.aws.amazon.com/forum.jspa?forumID=76#


Great news to see Amazon supporting SAML at last. Can you do all of us future AWS users a favour and send this list what your metadata/saml20-sp-remote.php entry for AWS looks like? That would speed things up for others I'm sure


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Rob Tucker

Nov 26, 2013, 12:41:16 PM
to simple...@googlegroups.com, jason...@trimble.com
Jason,
This was provided by Arthur above and thus credit should go to him, but here it is again:


  $metadata['https://signin.aws.amazon.com/saml'] = array(
    'entityid' => 'awsaml',
    'AssertionConsumerService' => 'https://signin.aws.amazon.com/saml',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'simplesaml.nameidattribute' => 'uid',
    'attributes' => array('uid','https://aws.amazon.com/SAML/Attributes/Role','https://aws.amazon.com/SAML/Attributes/RoleSessionName')
  );


Arthur de Vaan

Nov 27, 2013, 5:45:45 AM
to simple...@googlegroups.com

Hi Rob,

Great to hear it's working. Or at least sign-on is.

Regarding logout, haven't looked into that yet. I'm also not sure how this is supposed to work with IdP initiated sign-on. Maybe someone else can shed some light on this?

JP

Feb 12, 2014, 8:09:18 AM
to simple...@googlegroups.com, th...@uvt.nl
Hi there...

I've been following this post in an attempt to get SAML working with AWS...
I have managed to configure everything as per this post. But for the life of me I cannot find where to test authentication and redirection. I am currently using example-userpass in config/authsources.php.

If someone would be so kind as to provide some advice I would really appreciate it.

Thanks...

Eddie Beuerlein

Feb 12, 2014, 2:41:32 PM
to simple...@googlegroups.com, th...@uvt.nl
Hi,
You would need to use IDP initiated login.  Follow the simplesaml docs for IDP initiated logins:

http://simplesamlphp.org/docs/stable/simplesamlphp-idp-more#section_4

Works like a champ if you have it all configured properly...

ma...@duosecurity.com

Mar 17, 2015, 10:18:25 AM
to simple...@googlegroups.com
I found this post very useful when setting up simpleSAMLphp with AWS SAML SSO. However, I'd like to add one correction. Instead of using AttributeAdd for the RoleSessionName I'd recommend using the undocumented AttributeCopy:


AttributeAdd will simply add the string literal 'uid', not copy the existing 'uid' attribute. So it will look something like this:

  'authproc' =>
  array(
    10 => array(
        'class' => 'core:AttributeAdd',
        'https://aws.amazon.com/SAML/Attributes/Role' => array('arn:aws:iam::<account_number_without_spaces>:role/<role_name>,arn:aws:iam::<account_number_without_spaces>:saml-provider/<saml_provider_name>'),
    ),
    20 => array(
        'class' => 'core:AttributeCopy',
        // copies the value of the existing 'uid' attribute into RoleSessionName
        'uid' => 'https://aws.amazon.com/SAML/Attributes/RoleSessionName',
    ),
  ),

Cheers :)
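The thread settles on two authproc entries (AttributeAdd for Role, AttributeCopy for RoleSessionName) plus Arthur's separate warning that RoleSessionName must not contain whitespace. As an added example, not code from this thread or from the simpleSAMLphp project, here is one custom authproc filter that does both and fails closed: it builds every Role value from a configured account number, provider name and role list, copies the value (not the name) of a user attribute into RoleSessionName, and refuses whitespace and malformed ARN parts instead of sending them to AWS. It is written against the simpleSAMLphp 1.x class names used in this thread; the module name `awsrole`, the file path, the option names (`accountId`, `provider`, `roles`, `sessionSource`) and the sample values in the usage comment are assumptions.

```php
<?php
// Added example (not from this thread or the simpleSAMLphp project).
// Assumed location: modules/awsrole/lib/Auth/Process/AwsRole.php
// Enable it from config/config.php or the AWS SP's metadata entry, e.g.:
//
//   'authproc' => array(
//       10 => array(
//           'class'         => 'awsrole:AwsRole',
//           'accountId'     => '123456789012',                 // constructed sample
//           'provider'      => 'simplesamlphp',                // IAM SAML provider name
//           'roles'         => array('saml-admin', 'saml-readonly'),
//           'sessionSource' => 'uid',                          // copied into RoleSessionName
//       ),
//   ),
class sspmod_awsrole_Auth_Process_AwsRole extends SimpleSAML_Auth_ProcessingFilter
{
    const ROLE_ATTR    = 'https://aws.amazon.com/SAML/Attributes/Role';
    const SESSION_ATTR = 'https://aws.amazon.com/SAML/Attributes/RoleSessionName';

    private $accountId;
    private $provider;
    private $roles;
    private $sessionSource;

    public function __construct($config, $reserved)
    {
        parent::__construct($config, $reserved);
        $cfg = SimpleSAML_Configuration::loadFromArray($config, 'authproc:awsrole:AwsRole');

        $this->accountId     = $cfg->getString('accountId');
        $this->provider      = $cfg->getString('provider');
        $this->roles         = $cfg->getArrayizeString('roles');
        $this->sessionSource = $cfg->getString('sessionSource', 'uid');

        // Catch the mistakes seen in this thread at load time rather than at AWS:
        // a padded or non-numeric account number, an empty role list, and names that
        // would break the "<role ARN>,<provider ARN>" value (commas, whitespace).
        if (!preg_match('/^[0-9]{12}$/', $this->accountId)) {
            throw new SimpleSAML_Error_Exception('awsrole: accountId must be exactly 12 digits');
        }
        if (empty($this->roles)) {
            throw new SimpleSAML_Error_Exception('awsrole: at least one role is required');
        }
        foreach (array_merge(array($this->provider), $this->roles) as $name) {
            if (!preg_match('#^[A-Za-z0-9+=.@_/-]+$#', $name)) {
                throw new SimpleSAML_Error_Exception('awsrole: bad role/provider name: ' . $name);
            }
        }
    }

    public function process(&$request)
    {
        assert(is_array($request) && array_key_exists('Attributes', $request));
        $attributes =& $request['Attributes'];

        // Role: one AttributeValue per assumable role, each "<role ARN>,<saml-provider ARN>".
        // With more than one value AWS shows the user a role chooser after sign-in.
        $providerArn = 'arn:aws:iam::' . $this->accountId . ':saml-provider/' . $this->provider;
        $roleValues = array();
        foreach ($this->roles as $role) {
            $roleValues[] = 'arn:aws:iam::' . $this->accountId . ':role/' . $role . ',' . $providerArn;
        }
        $attributes[self::ROLE_ATTR] = $roleValues;

        // RoleSessionName: copy the VALUE of the source attribute (AttributeAdd with
        // array('uid') would send the literal string "uid") and refuse whitespace,
        // which AWS rejects.
        if (empty($attributes[$this->sessionSource][0])) {
            throw new SimpleSAML_Error_Exception('awsrole: user has no ' . $this->sessionSource . ' attribute');
        }
        $session = (string) $attributes[$this->sessionSource][0];
        if (preg_match('/\s/', $session)) {
            throw new SimpleSAML_Error_Exception('awsrole: RoleSessionName may not contain whitespace: ' . $session);
        }
        $attributes[self::SESSION_ATTR] = array($session);
    }
}
```

This single filter replaces the 10/20 AttributeAdd/AttributeCopy pair from the thread; a user whose source attribute contains a space gets a clear error on the IdP side instead of the "strange errors" from AWS that Arthur describes.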

zazi

Sep 27, 2016, 8:28:17 AM
to SimpleSAMLphp
I followed the documentation from the simplesamlphp website for installing and configuring SAML2 with AWS, but I'm getting the following error: "Error: Your request included an invalid SAML response. To logout, click here." when logging into AWS. Please help me find what I'm missing in the IdP configuration.

Peter Schober

Sep 27, 2016, 9:21:45 AM
to SimpleSAMLphp
Note that you're replying to a 2-year-old thread.

* zazi <sasi.a...@gmail.com> [2016-09-27 14:28]:
> I followed the documentation from simplesamlphp website for installation
> and configuration saml2 with aws but I'm getting following error "Error:
> Your request included an invalid SAML response. To logout, click here."
> when login into aws. Please help me to find what i'm missing in idp
> configuration..

Impossible to say based only on the error message from Amazon (I'm
assuming) and a complete lack of technical detail.
You can always ask the vendor about details, I guess.
-peter

Arthur de Vaan

Sep 27, 2016, 10:27:39 AM
to SimpleSAMLphp
Zazi, you say that you followed "documentation from simplesamlphp
website" but to my knowledge there is nothing specific regarding Amazon
there.

So you additionally need to follow the steps in this thread. Please read
& understand this thread from the beginning.

If you still have problems after that then please provide more details
about how you are trying to link with Amazon. As you can read in this
thread there are multiple approaches suggested.

(ps: one issue I ran into is that Amazon does not allow whitespace in
the RoleSessionName so make sure there aren't any in whatever value you
are passing for that attribute)

zazi

Sep 28, 2016, 2:56:03 AM
to SimpleSAMLphp
Hi Arthur,

Below is the configuration I did in config.php:

'authproc.idp' => array(
  10 => array(
    'class' => 'core:AttributeAdd',
    'https://aws.amazon.com/SAML/Attributes/Role' => array('arn:aws:iam::arn:aws:iam::<account-no>:role/<role-name>,arn:aws:iam::<account-no>:saml-provider/<provider-name>'),
  ),
  20 => array(
    'class' => 'core:AttributeMap',
  ),
  30 => 'core:LanguageAdaptor',
  40 => 'core:AttributeRealm',
  45 => array(
    'class'         => 'core:StatisticsWithAttribute',
    'attributename' => 'realm',
    'type'          => 'saml20-idp-SSO',
  ),
  50 => 'core:AttributeLimit',
  99 => 'core:LanguageAdaptor',
),

When I debug I get the following statements included in the SAML Response. There is a Name attribute but, as per the AWS document, that should not be included:

<saml:AttributeStatement>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">arn:aws:iam::arn:aws:iam::<account-no>:role/<role-name>,arn:aws:iam::<account-no>:saml-provider/<provider-name></saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xs:string">uid</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>


Please help me find where I made a mistake.

Arthur de Vaan

Sep 28, 2016, 6:14:08 AM
to simple...@googlegroups.com

Do the actual values you are passing for

  arn:aws:iam::arn:aws:iam::<account-no>:role/<role-name>

and

  arn:aws:iam::arn:aws:iam::<account-no>:saml-provider/<provider-name>

match the literal ARNs of an Identity provider and Role you have configured in AWS? (under Security Credentials)

if not, please see:
 http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
 http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html


Furthermore I would try with a more basic authproc filter, excluding the LanguageAdaptor, AttributeRealm and AttributeLimit entries, because those are not needed for AWS and currently only complicate investigating the issue.

Last but not least, also note that, as "ma...@duosecurity.com" has explained earlier in this thread, you are passing the fixed text 'uid' as RoleSessionName with your authproc configuration. You can use his solution for passing the actual uid value as RoleSessionName if that is what you want (in that case make sure uid values will never contain any whitespace characters).

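When AWS answers with "Your request included an invalid SAML response", the assertion itself is the fastest place to look, and Arthur's reply lists what to check: the two ARNs in the Role value, the literal 'uid' sent as RoleSessionName, and whitespace. As an added example, not code from this thread or from simpleSAMLphp, here is a small PHP script that parses a decoded assertion and reports exactly those shape errors: a missing Subject/NameID, a Role value that is not '<role ARN>,<saml-provider ARN>' within one 12-digit account (so the doubled `arn:aws:iam::arn:aws:iam::` prefix above is caught), a RoleSessionName that is the literal string 'uid', or one containing whitespace. The embedded assertion is a constructed sample that reproduces the thread's mistakes; the script name and the account number in the sample are assumptions.

```php
<?php
// Added example (not from this thread): lint a decoded SAML assertion for the
// attribute shapes AWS requires. Usage: php check_aws_assertion.php [assertion.xml]
// With no argument it runs against the constructed sample at the bottom.

function checkAwsAssertion($xml)
{
    $problems = array();
    $doc = new DOMDocument();
    if (!@$doc->loadXML($xml)) {
        return array('assertion is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');

    // AWS needs a Subject/NameID (persistent format in the thread's SP metadata).
    if ($xp->query('//saml:Subject/saml:NameID')->length === 0) {
        $problems[] = 'no Subject/NameID element';
    }

    // Collect attributes by Name; values are trimmed so pretty-printed XML is tolerated.
    $attrs = array();
    foreach ($xp->query('//saml:AttributeStatement/saml:Attribute') as $attr) {
        $name = $attr->getAttribute('Name');
        if ($name === '') {
            $problems[] = 'Attribute element without a Name';
            continue;
        }
        $attrs[$name] = array();
        foreach ($xp->query('saml:AttributeValue', $attr) as $value) {
            $attrs[$name][] = trim($value->textContent);
        }
    }

    $roleAttr    = 'https://aws.amazon.com/SAML/Attributes/Role';
    $sessionAttr = 'https://aws.amazon.com/SAML/Attributes/RoleSessionName';

    if (empty($attrs[$roleAttr])) {
        $problems[] = "missing $roleAttr";
    } else {
        // Exactly "<role ARN>,<saml-provider ARN>", both in the same 12-digit account.
        $re = '#^arn:aws:iam::([0-9]{12}):role/[^\s,]+,arn:aws:iam::([0-9]{12}):saml-provider/[^\s,]+$#';
        foreach ($attrs[$roleAttr] as $v) {
            if (!preg_match($re, $v, $m)) {
                $problems[] = "Role value is not '<role ARN>,<saml-provider ARN>': $v";
            } elseif ($m[1] !== $m[2]) {
                $problems[] = "Role value names two different accounts: $v";
            }
        }
    }

    if (empty($attrs[$sessionAttr])) {
        $problems[] = "missing $sessionAttr";
    } else {
        $s = $attrs[$sessionAttr][0];
        if ($s === 'uid') {
            $problems[] = "RoleSessionName is the literal 'uid' (AttributeAdd sent the attribute name, not its value)";
        }
        if (preg_match('/\s/', $s)) {
            $problems[] = "RoleSessionName contains whitespace: '$s'";
        }
    }
    return $problems;
}

// Constructed sample assertion reproducing the thread's mistakes (account number is made up).
$sample = <<<'XML'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">arn:aws:iam::arn:aws:iam::123456789012:role/saml-admin,arn:aws:iam::123456789012:saml-provider/simplesamlphp</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">uid</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
XML;

$xml = isset($argv[1]) ? file_get_contents($argv[1]) : $sample;
$problems = checkAwsAssertion($xml);
if (!$problems) {
    echo "OK: attributes have the shape AWS expects\n";
} else {
    foreach ($problems as $p) {
        echo "PROBLEM: $p\n";
    }
    exit(1);
}
```

Run it on the sample and it reports the doubled-prefix Role value and the literal 'uid' RoleSessionName; feed it the base64-decoded SAMLResponse from the browser's POST (the assertion is the child of the Response element) to check a real exchange before opening a ticket with AWS.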

zazi

Sep 28, 2016, 8:37:27 AM
to SimpleSAMLphp
Thanks Arthur. I had already given the real value, but I had also given a wrong role ARN number. Now it's working well.