Hi Rob,
Also had several problems with AWS but eventually got it working. You can also find valuable information on this topic on AWS' own forums by the way: https://forums.aws.amazon.com/forum.jspa?forumID=76#
But regarding the required attributes, I think the official way of adding these in SimpleSAML is via auth proc filters, but I'm not sure (http://simplesamlphp.org/docs/1.11/simplesamlphp-authproc). Personally we're using a custom auth source and therefore I'm inserting these directly from function getUser() in our class derived from SimpleSAML_Auth_Source:
    private function getUser() {
        ...
        if ( $hasAwsRole ) {
            // Both values must be arrays so that the assertion wraps them in <saml:AttributeValue>
            $attributes['https://aws.amazon.com/SAML/Attributes/Role'] = array($awsRole);
            $attributes['https://aws.amazon.com/SAML/Attributes/RoleSessionName'] = array($displayName);
        }
        return $attributes;
    }
Note that you must use arrays (or at least in the version of SimpleSAML I'm using), as otherwise the resulting XML will not wrap your value inside the required AttributeValue tag.
Furthermore my SP config for AWS looks like this:
    $metadata['https://signin.aws.amazon.com/saml'] = array(
        'AssertionConsumerService' => 'https://signin.aws.amazon.com/saml',
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        'simplesaml.nameidattribute' => 'uid',
        'attributes' => array(
            'uid',
            'https://aws.amazon.com/SAML/Attributes/Role',
            'https://aws.amazon.com/SAML/Attributes/RoleSessionName',
        ),
    );
I think that configuring the name id format as persistent here already takes care of the correct Subject and NameID part.
For the rest it will work when you correctly add those two additional attributes for AWS.
The thing where I got stuck was with RoleSessionName which apparently may not contain spaces. If you put spaces in these it will result in strange errors.
regards,
Arthur de Vaan
--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
To post to this group, send email to simple...@googlegroups.com.
Visit this group at http://groups.google.com/group/simplesamlphp.
For more options, visit https://groups.google.com/groups/opt_out.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Hi Rob,
Great to hear it's working. Or at least sign-on is.
Regarding logout, I haven't looked into that yet. I'm also not sure how this is supposed to work with IdP-initiated sign-on. Maybe someone else can shed some light on this?
Do the actual values you are passing for
arn:aws:iam::arn:aws:iam::<account-no>:role/<role-name>
and
arn:aws:iam::arn:aws:iam::<account-no>:saml-provider/<provider-name>
match the literal ARNs of an Identity provider and Role you have configured in AWS? (under Security Credentials)
If not, please see:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
Furthermore I would try with a more basic authproc filter, excluding the LanguageAdaptor, AttributeRealm and AttributeLimit entries, because those are not needed for AWS and currently only complicate investigating the issue.
Last but not least also note that as "ma...@duosecurity.com" has explained earlier in this thread you are passing fixed text 'uid' as RoleSessionName with your authproc configuration. You can use his solution for passing the actual uid value as RoleSessionName if that is what you want (in that case make sure uid values will never contain any whitespace characters).
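As an added example (not code from the thread or from the SimpleSAMLphp project), the following sp-remote metadata entry for AWS does with a core:PHP authproc filter what the earlier messages describe: it copies the user's actual uid value into RoleSessionName instead of the fixed text 'uid', refuses a value containing whitespace rather than letting AWS fail with an opaque error, builds the Role attribute from the role ARN and the SAML provider ARN, and sets both values as arrays so that they end up inside AttributeValue tags. The account number, role name and provider name are placeholders to be replaced with the literal ARNs from your own IAM console; the availability of the `$attributes` variable inside core:PHP and the `SimpleSAML_Error_Exception` class are assumed from the 1.x API.

```php
<?php
// Added example: metadata/saml20-sp-remote.php entry for the AWS SP.
// Assumes the authenticated user carries a 'uid' attribute.
$metadata['https://signin.aws.amazon.com/saml'] = array(
    'AssertionConsumerService' => 'https://signin.aws.amazon.com/saml',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'simplesaml.nameidattribute' => 'uid',
    'authproc' => array(
        50 => array(
            'class' => 'core:PHP',
            // core:PHP exposes the request attributes as $attributes (assumed from the 1.x docs).
            'code' => '
                // PLACEHOLDERS: replace with the ARNs shown for the role and the
                // identity provider in IAM; both must match literally.
                $roleArn     = "arn:aws:iam::ACCOUNT-ID-PLACEHOLDER:role/ROLE-NAME-PLACEHOLDER";
                $providerArn = "arn:aws:iam::ACCOUNT-ID-PLACEHOLDER:saml-provider/PROVIDER-NAME-PLACEHOLDER";

                if (empty($attributes["uid"][0])) {
                    throw new SimpleSAML_Error_Exception("uid attribute missing; cannot build RoleSessionName");
                }
                $sessionName = $attributes["uid"][0];

                // RoleSessionName may not contain whitespace; fail closed here
                // instead of producing a confusing error on the AWS side.
                if (preg_match("/[[:space:]]/", $sessionName)) {
                    throw new SimpleSAML_Error_Exception("uid contains whitespace; refusing to use it as RoleSessionName");
                }

                // AWS expects Role as a comma-separated "role ARN,provider ARN" pair.
                // Both attributes are arrays so the assertion wraps each value in <saml:AttributeValue>.
                $attributes["https://aws.amazon.com/SAML/Attributes/Role"] = array($roleArn . "," . $providerArn);
                $attributes["https://aws.amazon.com/SAML/Attributes/RoleSessionName"] = array($sessionName);
            ',
        ),
    ),
);
```

Keeping the filter on the AWS entry alone (rather than in the global authproc.idp chain) means no other SP receives the AWS attributes, and leaving out AttributeLimit, AttributeRealm and LanguageAdaptor while troubleshooting keeps the assertion minimal, as suggested above.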