SimpleSAML Authorization & AWS Role to LDAP Group Mapping


mlitka

Jan 11, 2016, 10:27:33 PM1/11/16
to SimpleSAMLphp
Does anyone have any examples on how to configure SimpleSAML with AWS to perform AWS Role to LDAP group mapping?  We have SimpleSAML working fine with SimpleSAML Authn, but would like to have it also provide Authz via LDAP group membership.  

Peter Schober

Jan 12, 2016, 6:21:26 AM1/12/16
to SimpleSAMLphp
* mlitka <mli...@gmail.com> [2016-01-12 04:27]:
What part of the documentation have you tried, and with what results?
-peter

mlitka

Jan 13, 2016, 7:48:01 PM1/13/16
to SimpleSAMLphp, peter....@univie.ac.at
I have reviewed the LDAP module configuration. It seems however that this is only used to add an attribute from the directory in the request. What I want to be able to do is: if a user who logs in to SimpleSAML is a member of a particular LDAP group, then pass a specific attribute on in the request. Any examples of this would be helpful.

Peter Schober

Jan 14, 2016, 5:19:39 AM1/14/16
to SimpleSAMLphp
* mlitka <mli...@gmail.com> [2016-01-14 01:48]:
> I have reviewed the LDAP module configuration. It seems however that this
> is only used to add an attribute from the directory in the request. What I
> want to be able to do is if user who logs in to SimpleSAML is a member of a
> particular LDAP group then pass a specific attribute on in the
> request.

That amounts to the same thing, only that in the latter case you'd use
something like core:AttributeAlter to modify what you send out.
For an example see the post from 3 days ago, in the thread
"AuthProcFilters Global vs per SP",
-peter

alz...@gmail.com

Feb 10, 2017, 5:32:51 PM2/10/17
to SimpleSAMLphp
I know this thread is 1 year old, but no answers have been provided so far, so I'll go ahead.
Here is an example of how to map LDAP groups to AWS roles, or rather to users with different access rights within a role.

config.php:

'authproc.idp' => array(
    // Every user gets a default Role value; AWS expects "role-arn,provider-arn".
    10 => array(
        'class' => 'core:AttributeAdd',
        'https://aws.amazon.com/SAML/Attributes/Role' => array('arn:aws:iam::<account>:role/<role>,arn:aws:iam::<account>:saml-provider/<default-user>'),
    ),
    // Rename uid to the attribute AWS uses as the STS session name.
    20 => array(
        'class' => 'core:AttributeMap',
        'uid' => 'https://aws.amazon.com/SAML/Attributes/RoleSessionName',
    ),
    45 => array(
        'class'         => 'core:StatisticsWithAttribute',
        'attributename' => 'realm',
        'type'          => 'saml20-idp-SSO',
    ),
    // Look up the user's LDAP group DNs and add them as the 'groups' attribute.
    50 => array(
        'class' => 'ldap:AttributeAddUsersGroups',
        'authsource' => 'example-ldap',
    ),
    // Deny login unless 'groups' contains at least one of these DNs (exact match, no regex).
    51 => array(
        'class' => 'authorize:Authorize',
        'regex' => FALSE,
        'groups' => array('cn=default-group,dc=example,dc=com',
                          'cn=admins,dc=example,dc=com',
                          'cn=operators,dc=example,dc=com'),
    ),
    /* Map group membership to predefined IAM roles/users.
       '%replace' overwrites the whole Role attribute when the pattern matches,
       so for a user in several groups the last matching filter wins. */
    60 => array(
        'class' => 'core:AttributeAlter',
        'subject' => 'groups',
        'pattern' => '/cn=admins,/',
        'replacement' => 'arn:aws:iam::<account>:role/<role>,arn:aws:iam::<account>:saml-provider/<admin-user>',
        'target' => 'https://aws.amazon.com/SAML/Attributes/Role',
        '%replace',
    ),
    61 => array(
        'class' => 'core:AttributeAlter',
        'subject' => 'groups',
        'pattern' => '/cn=operators,/',
        'replacement' => 'arn:aws:iam::<account>:role/<role>,arn:aws:iam::<account>:saml-provider/<operator-user>',
        'target' => 'https://aws.amazon.com/SAML/Attributes/Role',
        '%replace',
    ),
    // this filter should be the last one!
    99 => 'core:AttributeLimit',
),


Surprisingly, this config won't work as expected because of a bug in the AttributeAddUsersGroups filter code. To fix the bug, edit /var/lib/simplesamlphp-1.14.11/modules/ldap/lib/Auth/Process/AttributeAddUsersGroups.php and replace
$groups = array();
with
$groups = $memberof;

Beware that the AttributeAddUsersGroups filter works only with the RFC2307bis LDAP schema (objectClass=groupOfNames) and does not support `posixGroup` or `groupOfUniqueNames`; also, the `memberOf` overlay should be enabled.

Cheers.
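To see what the chain above actually produces for a given user before wiring it into an IdP, here is a small stand-alone Python model of the filter semantics used in that config (core:AttributeAdd, core:AttributeMap, authorize:Authorize with 'regex' => false, and core:AttributeAlter with '%replace'). This is an added example, not SimpleSAMLphp code and not from the post; the account number, role names, provider names and group list are assumed values standing in for the <account>/<role> placeholders, and the ldap:AttributeAddUsersGroups step is replaced by a constructed list of group DNs. It also adds a check the post does not mention: AWS rejects a RoleSessionName that is not 2-64 characters of [\w+=,.@-], so a uid that violates that will fail at AssumeRoleWithSAML even if the assertion is otherwise correct.

```python
import re

AWS_ROLE = 'https://aws.amazon.com/SAML/Attributes/Role'
AWS_SESSION = 'https://aws.amazon.com/SAML/Attributes/RoleSessionName'

# Assumed values in place of the <account>/<role>/<...-user> placeholders.
ACCOUNT = '123456789012'
DEFAULT_ROLE = f'arn:aws:iam::{ACCOUNT}:role/ReadOnly,arn:aws:iam::{ACCOUNT}:saml-provider/default-user'
ADMIN_ROLE = f'arn:aws:iam::{ACCOUNT}:role/Admin,arn:aws:iam::{ACCOUNT}:saml-provider/admin-user'
OPERATOR_ROLE = f'arn:aws:iam::{ACCOUNT}:role/Operator,arn:aws:iam::{ACCOUNT}:saml-provider/operator-user'

# Filter 51: allowed group DNs (exact match because 'regex' => false).
ALLOWED_GROUPS = [
    'cn=default-group,dc=example,dc=com',
    'cn=admins,dc=example,dc=com',
    'cn=operators,dc=example,dc=com',
]

# Filters 60 and 61, in chain order: (regex on 'groups', replacement for the Role attribute).
ALTER_RULES = [
    (r'cn=admins,', ADMIN_ROLE),
    (r'cn=operators,', OPERATOR_ROLE),
]

# STS constraint on RoleSessionName: 2-64 characters from [\w+=,.@-].
SESSION_NAME_RE = re.compile(r'^[\w+=,.@-]{2,64}$')


class NotAuthorized(Exception):
    """Raised where authorize:Authorize would send the user to its 403 page."""


def attribute_add(attrs, name, values):
    # core:AttributeAdd (default mode): append to the attribute, creating it if absent.
    attrs.setdefault(name, []).extend(values)


def attribute_map(attrs, old, new):
    # core:AttributeMap: rename the attribute, keeping its values.
    if old in attrs:
        attrs[new] = attrs.pop(old)


def authorize(attrs, attribute, allowed):
    # authorize:Authorize, regex off: access is granted if any value is in the allowed list.
    if not any(v in allowed for v in attrs.get(attribute, [])):
        raise NotAuthorized(f'{attribute} has no allowed value: {attrs.get(attribute)}')


def attribute_alter_replace(attrs, subject, pattern, replacement, target):
    # core:AttributeAlter with '%replace': if the pattern matches any value of the
    # subject attribute, the target attribute is overwritten with the single replacement.
    if any(re.search(pattern, v) for v in attrs.get(subject, [])):
        attrs[target] = [replacement]


def valid_session_name(name):
    return SESSION_NAME_RE.match(name) is not None


def run_chain(uid, groups):
    """Run the modelled authproc chain for one user.

    `groups` stands in for what ldap:AttributeAddUsersGroups (filter 50) would
    have fetched from the directory. Returns the final attribute dict, or raises
    NotAuthorized / ValueError where the real login would fail.
    """
    attrs = {'uid': [uid], 'groups': list(groups)}
    attribute_add(attrs, AWS_ROLE, [DEFAULT_ROLE])          # 10
    attribute_map(attrs, 'uid', AWS_SESSION)                # 20
    authorize(attrs, 'groups', ALLOWED_GROUPS)              # 51
    for pattern, replacement in ALTER_RULES:                # 60, 61
        attribute_alter_replace(attrs, 'groups', pattern, replacement, AWS_ROLE)
    if not valid_session_name(attrs[AWS_SESSION][0]):
        raise ValueError(f'RoleSessionName {attrs[AWS_SESSION][0]!r} would be rejected by STS')
    return attrs


if __name__ == '__main__':
    # Constructed sample users; the last one shows the '%replace' precedence caveat.
    for uid, groups in [
        ('alice', ['cn=admins,dc=example,dc=com']),
        ('carol', ['cn=default-group,dc=example,dc=com']),
        ('bob', ['cn=admins,dc=example,dc=com', 'cn=operators,dc=example,dc=com']),
    ]:
        print(uid, run_chain(uid, groups)[AWS_ROLE])
```

Running it shows the behaviour worth knowing before deploying the config: a member of admins only gets the admin role, a member of default-group only keeps the default from filter 10, and a member of both admins and operators ends up with the operator role because filter 61 runs after 60 and '%replace' discards whatever 60 set. If you want such a user to be offered both roles at the AWS role-selection page instead, drop '%replace' from the two AttributeAlter filters so their values accumulate, or order the filters so the most privileged mapping runs last. A user in none of the listed groups never reaches the mapping at all, since filter 51 rejects the login.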