How-to: Integrate AWS (Amazon Web Services) with SAML IdP from UCS

Howto Integrate AWS (Amazon Web Services) with SAML IdP from UCS and supply additional information in the SAML response to the application

WIP

Step 1: Configuration in aws admin interface:

  • Go to Service IAM, the next steps are done in this service:
    Create a test user, in this case the user was added to the group aws-admin
    Note: there is a difference between the users GROUP and the ROLE

  • Create a new Identity Provider, choose Provider Type: SAML

  • Set name to e.g. UCS

  • Upload UCS IdP XML Metadata that was downloaded from https://ucs-sso.YOURDOMAIN/simplesamlphp/saml2/idp/metadata.php

  • Create a role. Select “type of trusted entity” -> SAML 2.0 federation

  • Select the Identity Provider, select “Allow programmatic and AWS Management Console access”, → Click ‘Next’, → select permissions for the new role, e.g. ‘AdministratorAccess’, → Click ‘Review’, → enter role name, e.g. aws-role-admin; → Click ‘Create role’

Step 2: Configuration of UCS IdP:

  • Add new service provider config to simplesamlphp:
  • Set correct account number, check that the correct role (not user group!) is named, check that the correct Identity Provider ID is named:
    The UMC is well suited for the initial creation of the php file you have to edit manually. You will find the created file in /etc/simplesamlphp/metadata.d/https://signin.aws.amazon.com/saml.php
    which you can adjust like this:
<?php
$metadata['urn:amazon:webservices'] = array(
    'AssertionConsumerService'      => array('https://signin.aws.amazon.com/saml'),
    'NameIDFormat'  => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'simplesaml.nameidattribute'    => 'uid',
    'simplesaml.attributes' => true,
    'authproc' => array(
        10 => array(
            'class' => 'core:AttributeAdd',
            'https://aws.amazon.com/SAML/Attributes/Role' => array(
                'arn:aws:iam::123456789:role/aws-role-admin,arn:aws:iam::123456789:saml-provider/UCS'
//                              ^^              ^^                                               ^^
//                              check for correct account number
//                                              set correct role name
//                                                                                               Provider Name
                )
        ),
        20 => array(
            'class' => 'core:PHP',
            'code' => '
                if (empty($attributes["uid"])) {
                    throw new Exception("Missing uid attribute.");
                }

                $uid = $attributes["uid"][0];
                $attributes["https://aws.amazon.com/SAML/Attributes/RoleSessionName"] = array($uid);
            ',
        ),
    ),
);

Step 3: Log into Amazon to test

In this test, there is a user named ‘univention’ in the UCS LDAP and a user named univention in Amazon AWS IAM.

Note: Be aware, if you used the UMC to create a template, this file is overwritten by the UMC if you make any changes there. But fortunatly since UCS 4.3 E159 you can store the php file permanently in the LDAP via udm. This allows the config replication to other servers in your environment and provide it from accidental changes via UMC.

udm saml/serviceprovider modify --dn= SAMLServiceProviderIdentifier=https://signin.aws.amazon.com/saml,cn=saml-serviceprovider,cn=univention,dc=schein,dc=ig --set rawsimplesamlSPconfig=/path/to/file

References

Zusammenfassung

Ticket#2018061421001096 — AWS via SAML

Mastodon