aws.html 10.1 KB
Clément OUDOT committed
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:2.0:applications:aws</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,aws"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="aws.html"/>
<link rel="contents" href="aws.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:aws","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
Xavier Guimard committed
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">

<h1 class="sectionedit1" id="amazon_web_services">Amazon Web Services</h1>
<div class="level1">

<p>
<a href="https://aws.amazon.com" class="urlextern" title="https://aws.amazon.com"  rel="nofollow">Amazon Web Services</a> allows one to delegate authentication through SAML2.
</p>

</div>
<!-- EDIT1 SECTION "Amazon Web Services" [1-136] -->
<h2 class="sectionedit2" id="saml">SAML</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Make sure you have followed the steps <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html" class="urlextern" title="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html"  rel="nofollow">here</a>.</div>
</li>
<li class="level1"><div class="li"> Go to <a href="https://your.portal.com/saml/metadata" class="urlextern" title="https://your.portal.com/saml/metadata"  rel="nofollow">https://your.portal.com/saml/metadata</a> and save the resulting file locally.</div>
</li>
<li class="level1"><div class="li"> In each AWS account, go to IAM -&gt; Identity providers -&gt; Create Provider.</div>
</li>
<li class="level1"><div class="li"> Select <code><abbr title="Security Assertion Markup Language">SAML</abbr></code> as the provider type</div>
</li>
<li class="level1"><div class="li"> Choose a name (best if kept consistent between accounts), and then choose the metadata file you saved above.</div>
</li>
<li class="level1"><div class="li"> Looking again at the links on the left side of the page, go to Roles -&gt; Create role</div>
</li>
<li class="level1"><div class="li"> Choose <code><abbr title="Security Assertion Markup Language">SAML</abbr> / Saml 2.0 federation</code></div>
</li>
<li class="level1"><div class="li"> Select the provider you just configured, click <code>Allow programmatic and AWS Management Console access</code>, which will fill in the rest of the form for you, then click next.</div>
</li>
<li class="level1"><div class="li"> Set whatever permissions you need to and then click <code>Review</code>.</div>
</li>
<li class="level1"><div class="li"> Choose a name for the role. These names will be shown to people when they log in, so make them descriptive. We have different accounts for different regions of the world, so I put the region into the role name so people know which account is which.</div>
</li>
</ul>
<div class="noteclassic">If you have only one role, the configuration is simple.  If you have multiple
roles for different people, it is a little trickier.  As you will see, the <abbr title="Security Assertion Markup Language">SAML</abbr>
attributes are not dynamic, so you have to set them in the session when a user
logs in or use a custom function.  In this example, I wanted to avoid managing
custom functions on all the servers, so the <abbr title="Security Assertion Markup Language">SAML</abbr> attributes are set in
the session.  We also use LDAP for user information, so I will describe that.
In our LDAP tree, each user has attributes which are used quite heavily for
dynamic groups and authorisation.  You will want something
similar, using whatever attribute makes sense to you.  For example:<pre class="code file ldif">  <span class="re0">dn</span>:<span class="re1"> uid=user,ou=people,dc=your,dc=com</span>
  ...
  <span class="re0">ou</span>:<span class="re1"> sysadmin</span>
  <span class="re0">ou</span>:<span class="re1"> database</span>
  <span class="re0">ou</span>:<span class="re1"> root</span></pre>

</div><ul>
<li class="level1"><div class="li"> Assuming you use the web interface to manage lemonldap, go to General Parameters -&gt; Authentication parameters -&gt; LDAP parameters -&gt; Exported variables. Here set the key to the LDAP attribute and the value to something sensible. I keep them the same to make it easy.</div>
</li>
<li class="level1"><div class="li"> Now go to Variables -&gt; Macros. Here set up variables which will be computed from the attributes you exported above. You will need to emit strings in this format: <code>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</code>. The parts you need to change are <code>account-number</code>, <code>role-name1</code> and <code>provider-name</code>. The last two are the role name and provider name you just set up in AWS.</div>
</li>
<li class="level1"><div class="li"> Perl works in here, so something like this is valid: <code>aws_eu_role</code> -&gt; <code>$ou =~ /sysadmin/ ? "arn:aws..." : "arn:..."</code></div>
</li>
<li class="level1"><div class="li"> If it is easier, split multiple roles into different macros. Then tie all the variables you define together into one string, concatenating them with whatever is in General Parameters -&gt; Advanced Parameters -&gt; Separator. Actually click into this field and move around with the arrow keys to check whether there is a trailing space, since spaces can be part of the separator.</div>
</li>
<li class="level1"><div class="li"> Remember macros are evaluated in alphanumeric order, so you want the one that joins them right at the end, like <code>z_aws_roles</code> -&gt; <code>join("; ", $role_name1, $role_name2, ...)</code></div>
</li>
<li class="level1"><div class="li"> On the left again, click <code><abbr title="Security Assertion Markup Language">SAML</abbr> service providers</code>, then <code>Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP</code>.</div>
</li>
<li class="level1"><div class="li"> Enter a name, click ok, then select it on the left. Select <code>Metadata</code>, then enter <a href="https://signin.aws.amazon.com/static/saml-metadata.xml" class="urlextern" title="https://signin.aws.amazon.com/static/saml-metadata.xml"  rel="nofollow">https://signin.aws.amazon.com/static/saml-metadata.xml</a> in the <code><abbr title="Uniform Resource Locator">URL</abbr></code> field, then click load.</div>
</li>
<li class="level1"><div class="li"> Click <code>Exported attributes</code> on the left, then <code>Add attribute</code> twice to add two attributes. The first field is the name of a variable set in the user&#039;s session:</div>
<ul>
<li class="level2"><div class="li"> <code>_whatToTrace</code> -&gt; <code><a href="https://aws.amazon.com/SAML/Attributes/RoleSessionName" class="urlextern" title="https://aws.amazon.com/SAML/Attributes/RoleSessionName"  rel="nofollow">https://aws.amazon.com/SAML/Attributes/RoleSessionName</a></code> (leave the rest)</div>
</li>
<li class="level2"><div class="li"> <code>z_aws_roles</code> (the macro name you defined above) -&gt; <code><a href="https://aws.amazon.com/SAML/Attributes/Role" class="urlextern" title="https://aws.amazon.com/SAML/Attributes/Role"  rel="nofollow">https://aws.amazon.com/SAML/Attributes/Role</a></code> (leave the rest)</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> On the left, select Options -&gt; Security -&gt; Enable use of IDP initiated <abbr title="Uniform Resource Locator">URL</abbr> -&gt; On</div>
</li>
<li class="level1"><div class="li"> Select General Parameters -&gt; Portal -&gt; Menu -&gt; Categories and applications</div>
</li>
<li class="level1"><div class="li"> Select a category or create a new one if you need to.  Then click <code>New application</code>.  </div>
</li>
<li class="level1"><div class="li"> Enter a name etc.  For the <abbr title="Uniform Resource Locator">URL</abbr>, use <code><a href="https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices" class="urlextern" title="https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices"  rel="nofollow">https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices</a></code></div>
</li>
<li class="level1"><div class="li"> Display application should be set to <code>Enabled</code></div>
</li>
<li class="level1"><div class="li"> Go to your portal, click on the link, and check that it works!</div>
</li>
</ul>
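<p>The macro chain from the steps above (per-role macros computed from the exported <code>ou</code> attribute, joined by a <code>z_</code> macro with the configured separator, exported as the AWS Role attribute) can be dry-run as a plain Perl script before anything is typed into the Manager. The script below is an added example, not part of the LemonLDAP::NG documentation or code base: the account numbers, provider name, role names and the <code>has_value</code>/<code>aws_role</code>/<code>role_attribute_ok</code> helpers are all assumptions made for illustration, and calling the macros in sorted order only stands in for the Manager evaluating them alphanumerically. It also tightens the page's <code>$ou =~ /sysadmin/</code> test to an exact match on one value of the separator-joined attribute, so that an <code>ou</code> such as <code>sysadmin-junior</code> cannot be mapped to the admin role by substring accident.</p>

```perl
#!/usr/bin/perl
# Added example (not part of the LemonLDAP::NG documentation): simulates the
# macro chain described above outside the Manager so the AWS Role attribute
# value can be inspected and validated before the SAML SP is wired up.
use strict;
use warnings;

# Placeholders: replace with your own AWS account numbers and provider name
# (the provider name is the one chosen under IAM -> Identity providers).
my $ACCOUNT_EU = '123456789012';
my $ACCOUNT_US = '210987654321';
my $PROVIDER   = 'lemonldap';

# Separator LemonLDAP::NG uses for multi-valued attributes and for the joined
# macro (General Parameters -> Advanced Parameters -> Separator). The default
# is "; " (semicolon followed by a space); check yours, as the page advises.
my $SEP = '; ';

# Constructed session: the exported LDAP attribute "ou" from the LDIF entry
# above arrives as one string joined with $SEP, as LemonLDAP::NG does for
# multi-valued attributes.
my %session = ( ou => join($SEP, qw(sysadmin database root)) );

# Build one AWS role entry: "<role ARN>,<provider ARN>" (hypothetical helper).
sub aws_role {
    my ($account, $role) = @_;
    return "arn:aws:iam::${account}:role/${role},"
         . "arn:aws:iam::${account}:saml-provider/${PROVIDER}";
}

# Match exactly one value of a separator-joined attribute. A bare /sysadmin/
# would also match "sysadmin-junior" and hand that user the admin role, so
# the match is anchored on the separator boundaries (hypothetical helper).
sub has_value {
    my ($joined, $value) = @_;
    my $q = quotemeta $SEP;
    return $joined =~ /(?:^|$q)\Q$value\E(?:$q|$)/ ? 1 : 0;
}

# Per-role macros, as they would be written under Variables -> Macros. In the
# Manager the right-hand side is the Perl expression and $ou is the exported
# attribute; the role names here are assumptions.
my %macros = (
    aws_eu_role => sub {
        my $ou = shift;
        has_value($ou, 'sysadmin') ? aws_role($ACCOUNT_EU, 'eu-sysadmin') : '';
    },
    aws_us_role => sub {
        my $ou = shift;
        has_value($ou, 'database') ? aws_role($ACCOUNT_US, 'us-dba') : '';
    },
);

# z_aws_roles sorts last alphanumerically, so the per-role macros already
# exist when it runs. Empty results are dropped so that a user who holds only
# one role does not get a dangling separator in the attribute value.
sub z_aws_roles {
    my ($ou) = @_;
    my @roles = grep { length } map { $macros{$_}->($ou) } sort keys %macros;
    return join($SEP, @roles);
}

# Validate every entry against the "role ARN,provider ARN" shape AWS expects
# before exporting it as https://aws.amazon.com/SAML/Attributes/Role.
sub role_attribute_ok {
    my ($value) = @_;
    return 0 unless length $value;
    my $arn = qr{arn:aws:iam::\d{12}:};
    for my $entry (split /\Q$SEP\E/, $value) {
        return 0
          unless $entry =~ m{^${arn}role/[\w+=.@-]+,${arn}saml-provider/[\w._-]+$};
    }
    return 1;
}

my $value = z_aws_roles($session{ou});
print "Role attribute: $value\n";
print role_attribute_ok($value) ? "format OK\n" : "format BAD\n";
```

<p>With the constructed session the script prints two entries (the EU sysadmin role and the US database role) joined by <code>"; "</code>, and reports <code>format OK</code>; changing <code>ou</code> to <code>sysadmin-junior</code> yields an empty attribute rather than the admin role, which is the check worth keeping when the real macros are written.</p>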

</div>
<!-- EDIT2 SECTION "SAML" [137-] --></div>
</body>
</html>