Discussion:
AWS Console and Shib
Christopher J. Hubing
2014-10-02 01:26:39 UTC
Hello fellow shib users,

I recently set up an IDP with a bilateral trust to a single AWS account
(ARN). I documented the steps at the following URL:
https://wikispaces.psu.edu/display/AWS/AWS+SSO+with+Shibboleth

Despite the normal vendor annoyances of having to create a custom
relying party and conform to what they think attributes should look like,
it works reasonably well.

However, with today's Net+/DLT/AWS announcement, I foresee a wave of
prospective campus AWS customers that want to be able to move their data
centers into the cloud.

Currently, I have the ARN (Amazon Resource Name) hard coded into the
attribute resolver. Obviously that won't scale well with having to
support multiple federated customers (ARNs). I can implement a lookup of
the ARN in some datastore, but was just wondering if anyone has been
thinking about this problem and how they might solve it.

-c

______________________________________________________________________
Christopher J. Hubing Information Technology Services
cjh-***@public.gmane.org Services and Solutions
+1 814 865 8772 The Pennsylvania State University
http://www.personal.psu.edu/cjh
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
David Bantz
2014-10-02 19:25:27 UTC
I won’t call it a solution, but we’re putting people into groups for different ARN + role combinations,
then using group membership to build the SAML attribute values needed by AWS. You could say we’ve
just pushed the maintenance issue from one system (the IdP) to another (group membership).

David Bantz
Post by Christopher J. Hubing
Hello fellow shib users,
I recently set up an IDP with a bilateral trust to a single AWS account
https://wikispaces.psu.edu/display/AWS/AWS+SSO+with+Shibboleth
Despite the normal vendor annoyances of having to create a custom
relying party and conform to what they think attributes should look like,
it works reasonably well.
However, with today's Net+/DLT/AWS announcement, I foresee a wave of
prospective campus AWS customers that want to be able to move their data
centers into the cloud.
Currently, I have the ARN (Amazon Resource Name) hard coded into the
attribute resolver. Obviously that won't scale well with having to
support multiple federated customers (ARNs). I can implement a lookup of
the ARN in some datastore, but was just wondering if anyone has been
thinking about this problem and how they might solve it.
-c
______________________________________________________________________
Christopher J. Hubing Information Technology Services
+1 814 865 8772 The Pennsylvania State University
http://www.personal.psu.edu/cjh
--
John C. Pfeifer
2014-10-03 12:21:07 UTC
We have done something similar using a mapped <AttributeDefinition> to filter the group memberships that are relevant to AWS and then a second template <AttributeDefinition> to construct the role values that AWS expects.
I won’t call it a solution, but we’re putting people into groups for different ARN + role combinations,
then using group membership to build the SAML attribute values needed by AWS. You could say we’ve
just pushed the maintenance issue from one system (the IdP) to another (group membership).
David Bantz
Post by Christopher J. Hubing
Hello fellow shib users,
I recently set up an IDP with a bilateral trust to a single AWS account
https://wikispaces.psu.edu/display/AWS/AWS+SSO+with+Shibboleth
Despite the normal vendor annoyances of having to create a custom
relying party and conform to what they think attributes should look like,
it works reasonably well.
However, with today's Net+/DLT/AWS announcement, I foresee a wave of
prospective campus AWS customers that want to be able to move their data
centers into the cloud.
Currently, I have the ARN (Amazon Resource Name) hard coded into the
attribute resolver. Obviously that won't scale well with having to
support multiple federated customers (ARNs). I can implement a lookup of
the ARN in some datastore, but was just wondering if anyone has been
thinking about this problem and how they might solve it.
-c
______________________________________________________________________
Christopher J. Hubing Information Technology Services
+1 814 865 8772 The Pennsylvania State University
http://www.personal.psu.edu/cjh
--
--
//
John Pfeifer
Division of Information Technology
University of Maryland, College Park
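The mapped-then-template pattern described in the reply above, written out as an added illustration in Shibboleth IdP 2.x attribute-resolver.xml / attribute-filter.xml syntax. It is not configuration from any poster's IdP. It assumes an LDAP data connector with id `myLDAP` that exposes `memberOf` and `uid`, a group naming convention `cn=aws-<12-digit-account-id>-<role-name>,ou=groups,dc=example,dc=edu`, and that every AWS account has an IAM SAML provider named `Shibboleth`; all of those names are assumptions. The AWS attribute names, value format and the `urn:amazon:webservices` requester ID are AWS's documented ones.

```xml
<!-- Added example, not from the thread. Assumed: data connector "myLDAP" (memberOf, uid),
     groups named cn=aws-<account>-<role>,ou=groups,dc=example,dc=edu, SAML provider "Shibboleth". -->

<!-- attribute-resolver.xml -->

<!-- 1. Mapped definitions: keep only groups that follow the AWS naming convention and pull
        the account id ($1) and role name ($2) out of the DN. The regex is anchored, so a
        group outside ou=groups or with a malformed name yields no value at all. -->
<resolver:AttributeDefinition xsi:type="ad:Mapped" id="awsAccount" sourceAttributeID="memberOf">
    <resolver:Dependency ref="myLDAP" />
    <ad:ValueMap>
        <ad:ReturnValue>$1</ad:ReturnValue>
        <ad:SourceValue>^cn=aws-(\d{12})-([A-Za-z0-9+=.@_-]+),ou=groups,dc=example,dc=edu$</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Mapped" id="awsRoleName" sourceAttributeID="memberOf">
    <resolver:Dependency ref="myLDAP" />
    <ad:ValueMap>
        <ad:ReturnValue>$2</ad:ReturnValue>
        <ad:SourceValue>^cn=aws-(\d{12})-([A-Za-z0-9+=.@_-]+),ou=groups,dc=example,dc=edu$</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>

<!-- 2. Template definition: build one "role-arn,provider-arn" value per AWS group.
        The template combines the source attributes by value index; both mapped definitions
        filter the same memberOf values with the same regex, so their indexes line up. -->
<resolver:AttributeDefinition xsi:type="ad:Template" id="awsRole">
    <resolver:Dependency ref="awsAccount" />
    <resolver:Dependency ref="awsRoleName" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="https://aws.amazon.com/SAML/Attributes/Role" />
    <ad:Template><![CDATA[arn:aws:iam::${awsAccount}:role/${awsRoleName},arn:aws:iam::${awsAccount}:saml-provider/Shibboleth]]></ad:Template>
    <ad:SourceAttribute>awsAccount</ad:SourceAttribute>
    <ad:SourceAttribute>awsRoleName</ad:SourceAttribute>
</resolver:AttributeDefinition>

<!-- 3. AWS also requires a RoleSessionName; the uid shows up in CloudTrail as the session name. -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="awsRoleSessionName" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" />
</resolver:AttributeDefinition>

<!-- attribute-filter.xml: release the two attributes only to the AWS relying party. -->
<afp:AttributeFilterPolicy id="releaseToAWS">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="urn:amazon:webservices" />
    <afp:AttributeRule attributeID="awsRole">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="awsRoleSessionName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

With this layout the account ID is data carried by the group name, so adding a new campus AWS account means creating groups, not editing the resolver. The flip side is the point David makes: whoever can add a member to an `aws-*` group is effectively granting that IAM role, so group administration for that OU needs the same change control as the IdP itself, and the anchored regex should stay anchored so that groups elsewhere in the directory can never produce a role value. On the AWS side the role's trust policy must name the same `saml-provider/Shibboleth` ARN, otherwise the assertion is rejected even though the IdP built it correctly.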
--