<li class="level1"><div class="li"> Go to <a href="https://your.portal.com/saml/metadata" class="urlextern" title="https://your.portal.com/saml/metadata" rel="nofollow">https://your.portal.com/saml/metadata</a> and save the resulting file locally.</div>
</li>
<li class="level1"><div class="li"> In each AWS account, go to IAM → Identity providers → Create Provider.</div>
</li>
<li class="level1"><div class="li"> Select <code><abbr title="Security Assertion Markup Language">SAML</abbr></code> as the provider type.</div>
</li>
<li class="level1"><div class="li"> Choose a name (best if kept consistent between accounts), and then choose the metadata file you saved above.</div>
</li>
<li class="level1"><div class="li"> Looking again at the links on the left side of the page, go to Roles → Create role.</div>
</li>
<li class="level1"><div class="li"> Assuming you use the web interface to manage lemonldap, go to General Parameters → Authentication parameters → LDAP parameters → Exported variables. Here set the key to the LDAP attribute and the value to something sensible. I keep them the same to make it easy.</div>
</li>
<li class="level1"><div class="li"> Now go to Variables → Macros. Here set up variables which will be computed from the attributes you exported above. You will need to emit strings in this format: <code>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</code>. The parts you need to change are <code>account-number</code>, <code>role-name1</code> and <code>provider-name</code>. The last two are the role and provider names you just set up in AWS.</div>
</li>
<li class="level1"><div class="li"> Perl works in here, so something like this is valid: <code>aws_eu_role</code> → <code>$ou =~ /sysadmin/ ? "arn:aws..." : "arn:..."</code></div>
</li>
<li class="level1"><div class="li"> If it is easier, split multiple roles into different macros. Then tie all the variables you define together into one string, concatenating them with whatever is set in General Parameters → Advanced Parameters → Separator. Actually click into this field and move around with the arrow keys to check whether there is a trailing space, since spaces can be part of the separator.</div>
</li>
<li class="level1"><div class="li"> Remember macros are evaluated in alphanumeric order of their names, so you want the joining one right at the end, like <code>z_aws_roles</code> → <code>join("; ", $role_name1, $role_name2, ...)</code></div>
</li>
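<li class="level1"><div class="li"> The macro steps above, evaluated as a stand-alone Perl script so the resulting Role attribute can be checked before the assertion is ever sent. This is an added example, not LemonLDAP::NG's own code: the account numbers, role names and the provider name <code>lemonldap</code> are constructed placeholders, and <code>$uid</code> stands in for the session's <code>_whatToTrace</code>.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: the macros from the steps above,
# evaluated as plain Perl so the resulting Role attribute can be inspected.
# Account numbers, role names and the provider name are constructed values.
use strict;
use warnings;

# Session variables as exported from LDAP (constructed sample values);
# $uid stands in for _whatToTrace here.
my $uid = 'jdoe';
my $ou  = 'sysadmin';

# One macro per AWS account. Anchor the match: a bare /sysadmin/ would also
# accept an OU such as "not-sysadmin".
my $aws_eu_role = $ou =~ /^sysadmin$/
    ? 'arn:aws:iam::111111111111:role/SysAdmin,arn:aws:iam::111111111111:saml-provider/lemonldap'
    : '';
my $aws_us_role = $ou =~ /^(?:sysadmin|developer)$/
    ? 'arn:aws:iam::222222222222:role/Developer,arn:aws:iam::222222222222:saml-provider/lemonldap'
    : '';

# The last macro alphabetically joins the others with the portal separator
# ("; " is the default). grep drops roles the user is not entitled to, so
# no empty entry ends up in the attribute.
my $z_aws_roles = join('; ', grep { length } ($aws_eu_role, $aws_us_role));

# Check every entry: a role ARN and a saml-provider ARN, comma separated,
# both in the same 12-digit account.
for my $entry (split /; /, $z_aws_roles) {
    my ($role, $provider) = (split(/,/, $entry, 2), '');
    my ($acct_r) = $role     =~ m{^arn:aws:iam::(\d{12}):role/[\w+=.@-]+$};
    my ($acct_p) = $provider =~ m{^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$};
    die "malformed Role entry: $entry\n"
        unless defined $acct_r && defined $acct_p && $acct_r eq $acct_p;
}

print "RoleSessionName: $uid\n";
print "Role: $z_aws_roles\n";
```

Change <code>$ou</code> to an OU that matches none of the macros and the script prints an empty Role attribute rather than dying, which is the case to verify in the portal as well.</div>
</li>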
<li class="level1"><div class="li"> On the left again, click <code><abbr title="Security Assertion Markup Language">SAML</abbr> service providers</code>, then <code>Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP</code>.</div>
</li>
</li>
<li class="level1"><div class="li"> Click <code>Exported attributes</code> on the left, then <code>Add attribute</code> twice to add two attributes. The first field is the name of a variable set in the user's session:</div>
<ul>
<li class="level2"><div class="li"><code>_whatToTrace</code> → <code><a href="https://aws.amazon.com/SAML/Attributes/RoleSessionName" class="urlextern" title="https://aws.amazon.com/SAML/Attributes/RoleSessionName" rel="nofollow">https://aws.amazon.com/SAML/Attributes/RoleSessionName</a></code> (leave the rest)</div>
</li>
<li class="level2"><div class="li"><code>z_aws_roles</code> (the macro name you defined above) → <code><a href="https://aws.amazon.com/SAML/Attributes/Role" class="urlextern" title="https://aws.amazon.com/SAML/Attributes/Role" rel="nofollow">https://aws.amazon.com/SAML/Attributes/Role</a></code> (leave the rest)</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> On the left, select Options → Security → Enable use of IDP initiated <abbr title="Uniform Resource Locator">URL</abbr> → On</div>
</li>
<li class="level1"><div class="li"> Select General Parameters → Portal → Menu → Categories and applications</div>
</li>
<li class="level1"><div class="li"> Select a category or create a new one if you need to. Then click <code>New application</code>.</div>
</li>