Extract ARNs from SAML on onelogin #49

Closed
jspc opened this issue Aug 7, 2018 · 5 comments

jspc commented Aug 7, 2018

Given that onelogin/aws SAML responses return necessary ARNs, extract these and use them to generate credentials rather than hardcoding them in config.

Where multiple ARNs exist, such as is the case with the onelogin multi-account app, present a form for a user to select from.

This approach is used in onelogin reference implementations of pulling AWS creds:

  1. https://developers.onelogin.com/api-docs/1/samples/aws-cli
  2. https://github.com/onelogin/onelogin-aws-cli-assume-role/blob/master/onelogin-aws-assume-role-cli/src/main/java/com/onelogin/aws/assume/role/cli/OneloginAWSCLI.java#L222-L241

johananl commented Aug 7, 2018

We've been looking for a way to avoid having to deal with ARNs in the config and could not find a good solution until now. In order to perform an AssumeRoleWithSAML operation, the principal ARN and role ARN must be specified.

Are you saying we can extract this information from the response here?

jspc commented Aug 7, 2018

Yep, the SAML body contains ARNs, take a look at:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html

(There are no anchors in that doc, search for An Attribute element with the Name attribute set to https://aws.amazon.com/SAML/Attributes/Role)
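
The extraction discussed in this thread, as an added example that is not code from this project or from the OneLogin reference implementations: it reads the `https://aws.amazon.com/SAML/Attributes/Role` attribute out of a base64-encoded SAML response and returns the (role ARN, principal ARN) pairs a user would choose from. The function names, the sample response and its account IDs are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"
# Constructed sample response (placeholder account IDs); the second value
# deliberately lists the provider ARN first.
_SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111111111111:role/dev,arn:aws:iam::111111111111:saml-provider/onelogin</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/onelogin,arn:aws:iam::222222222222:role/admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE = base64.b64encode(_SAMPLE_XML.encode()).decode()


def extract_role_pairs(saml_response_b64):
    """Return sorted (role_arn, principal_arn) pairs from a base64 SAML response."""
    # This only reads attribute values; it does not validate the assertion's signature.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = set()
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTRIBUTE:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            arns = [part.strip() for part in (value.text or "").split(",")]
            # The two ARNs can arrive in either order, so classify by resource type.
            roles = [a for a in arns if ":role/" in a]
            providers = [a for a in arns if ":saml-provider/" in a]
            if len(arns) != 2 or len(roles) != 1 or len(providers) != 1:
                raise ValueError(f"unexpected Role attribute value: {value.text!r}")
            pairs.add((roles[0], providers[0]))
    return sorted(pairs)


def choose_pair(pairs, selection=None):
    """Use the only pair if there is one; otherwise require a 1-based selection."""
    if not pairs:
        raise ValueError("SAML response carries no AWS Role attribute values")
    if len(pairs) == 1:
        return pairs[0]
    if selection is None or not 1 <= selection <= len(pairs):
        raise ValueError("multiple roles available; a valid selection is required")
    return pairs[selection - 1]

if __name__ == "__main__":
    for i, (role, principal) in enumerate(extract_role_pairs(SAMPLE_RESPONSE), 1):
        print(f"[{i}] {role} (via {principal})")
```

The selected pair supplies the role ARN and principal ARN that AssumeRoleWithSAML requires, alongside the same base64 assertion.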

johananl commented Aug 7, 2018

Interesting. I'll take a look soon when I get to it. I'd definitely love to get rid of as much config as possible.

jspc commented Aug 7, 2018 via email

@johananl

Fixed in #52.