Amazon Web Services

Amazon Web Services allows to delegate authentication through SAML2.


If you have only one role, the configuration is simple. If you have multiple roles for different people, it is a little trickier. As you will see, the SAML attributes are not dynamic, so you have to set them in the session when a user logs in or use a custom function. In this example, I wanted to avoid managing custom functions on all the servers, so the SAML attributes are set in the session. We also use LDAP for user information, so I will describe that. In our LDAP tree, each user has attributes which are used quite heavily for dynamic groups and authorisation. You will want something similar, using whatever attribute makes sense to you. For example:
  dn: uid=user,ou=people,dc=your,dc=com
  ou: sysadmin
  ou: database
  ou: root