AWS SAML Configuration

Discussion in 'Other Courses & Certifications' started by Pavan_2289, Jan 18, 2017.

  1. Pavan_2289 (Member, Alumni)

    Hi,

    I am stuck implementing AWS SSO with SAML via ADFS.
    Below are the steps I have executed.

    1. Created Identity provider in AWS console with SAML Metadata(IDP).

    2. Created a role named ADMIN1, selected web SSO (SAML) access, and attached the policy AWSEC2fullAccess

    3. Added a relying party trust using the AWS metadata

    4. Claim rules are

    1. NameId

    Select Transform an Incoming Claim

    a. Claim rule name: NameId
    b. Incoming claim type: Windows Account Name
    c. Outgoing claim type: Name ID
    d. Outgoing name ID format: Persistent Identifier
    e. Pass through all claim values: checked

    2. RoleSessionName:

    Send LDAP Attributes as Claims

    a. Claim rule name: RoleSessionName
    b. Attribute store: Active Directory
    c. LDAP Attribute: E-Mail-Addresses
    d. Outgoing Claim Type: https://aws.amazon.com/SAML/Attributes/RoleSessionName

    3. Adding Role Attributes
    Send Claims Using a Custom Rule
    Get AD Groups
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);

    4. Roles
    c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"]
    => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-", "arn:aws:iam::580591213396:saml-provider/SAML,arn:aws:iam::580591213396:role/Admin1"));

    5. Accessed the URL https://msi-vmcd2wap05.metricstream.com/adfs/ls/IdpInitiatedSignOn.aspx

    and gave my user ID pavan391987, which is authenticated, and when I choose AWS to open the AWS console I get "Invalid response".

    Error:
    <samlp:Response ID="_ef566813-b362-4ccd-8396-b57127df8e27"
                    Version="2.0"
                    IssueInstant="2017-01-17T11:30:45.568Z"
                    Destination="https://signin.aws.amazon.com/saml"
                    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://msi-vmcd2wap05.metricstream.com/adfs/services/trust</Issuer>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
      </samlp:Status>
      <Assertion ID="_3b1a9ebd-61fe-4c2e-bfa4-4eb06b5b579e"
                 IssueInstant="2017-01-17T11:30:45.567Z"
                 Version="2.0"
                 xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>http://msi-vmcd2wap05.metricstream.com/adfs/services/trust</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_3b1a9ebd-61fe-4c2e-bfa4-4eb06b5b579e">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
              <ds:DigestValue>At3nTbpnZHwGFJ4ZcNXaXaFpsIqjbsb/ChLsC//9MIQ=</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>TuS3MRjDaMY3Ap44fW1d7D1q0dusytJ5zQjikIB5nqrXsCGvhOkOdMJukjG9GPyvYHKYh7mSvAvRQ8tjE+EEcVqsghmIkKGg/8CskBroeDDgT9TfZ8i+ma0BCQH4vQ8x7in8LO9oW3NS0BIbRosqABoIxdeNRsjIkfmr0rasaNp864vOYNd7PF5rxVBu2E2wh+aURyBtG+l19rcLpfSd33iogNl1Z0HzvdEcap7LHlkVbNtUTpi47cAArDVKO+mfob/je3zoNSOu9nl8itMdigitYg7wL7bLkEbtnx3rBnRhPJvCjchsRki+vJlVAPDVnxFZVOUzk5FTHxC9mg5Luw==</ds:SignatureValue>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>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</ds:X509Certificate>
            </ds:X509Data>
          </KeyInfo>
        </ds:Signature>
        <Subject>
          <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">7-0\pavan391987</NameID>
          <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData NotOnOrAfter="2017-01-17T11:35:45.568Z"
                                     Recipient="https://signin.aws.amazon.com/saml" />
          </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2017-01-17T11:30:45.563Z"
                    NotOnOrAfter="2017-01-17T12:30:45.563Z">
          <AudienceRestriction>
            <Audience>urn:amazon:webservices</Audience>
          </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
          <Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
            <AttributeValue>pavan391987@gmail.com</AttributeValue>
          </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2017-01-17T11:30:45.452Z"
                        SessionIndex="_3b1a9ebd-61fe-4c2e-bfa4-4eb06b5b579e">
          <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:passwordProtectedTransport</AuthnContextClassRef>
          </AuthnContext>
        </AuthnStatement>
      </Assertion>
    </samlp:Response>

    Please help me find where it is failing. I captured the above response using SAML tracer.
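An added example, not code from the post, from AWS or from Microsoft: it parses a samlp:Response the way SAML tracer shows it and reports which of the fields the AWS sign-in endpoint (https://signin.aws.amazon.com/saml) relies on are missing or malformed, then mimics the post's custom claim rule to show which Role claim values a given set of AD group names would produce. Assumptions: the sample responses are constructed and unsigned (signature checking is out of scope), with a hypothetical IdP host idp.example.test, user EXAMPLE\user1 and account ID 123456789012; RegExReplace is modelled with .NET defaults, i.e. a case-sensitive replace. Run against a response shaped like the one captured above, the checker flags that the https://aws.amazon.com/SAML/Attributes/Role attribute is absent: AWS uses it to decide which role to assume, and the captured AttributeStatement carries only RoleSessionName.

```python
"""Offline checks for an ADFS-to-AWS SAML response (added example, not from the post).

Reports what the AWS sign-in endpoint needs and rejects if absent: audience, recipient,
validity window and the Role / RoleSessionName attributes; signature checks are out of
scope. adfs_role_claims() mimics the post's custom claim rule. Samples are constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_AUDIENCE, AWS_ACS = "urn:amazon:webservices", "https://signin.aws.amazon.com/saml"
ARN_PROVIDER = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
ARN_ROLE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")  # AWS limits for RoleSessionName

def _ts(value):
    """Parse a SAML UTC timestamp; fromisoformat before Python 3.11 needs +00:00, not 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _attr_values(assertion, name):
    """All <AttributeValue> texts under <Attribute Name=name> in the AttributeStatement."""
    vals = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            vals += [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return vals

def check_aws_saml_response(xml_text, now=None):
    """Return the problems AWS would reject this response for; [] means it looks OK.
    `now` may be a datetime or an ISO-8601 string; it defaults to the current time."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != AWS_ACS:
        problems.append("Destination is not " + AWS_ACS)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion in response"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing Subject/NameID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != AWS_ACS:
        problems.append("SubjectConfirmationData Recipient is not " + AWS_ACS)
    audiences = assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if AWS_AUDIENCE not in [a.text for a in audiences]:
        problems.append("Audience is not " + AWS_AUDIENCE)
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired at " + cond.get("NotOnOrAfter"))
    roles = _attr_values(assertion, AWS_ROLE_ATTR)
    if not roles:
        problems.append("missing attribute %s (no role to assume)" % AWS_ROLE_ATTR)
    for value in roles:
        # AWS accepts either order, but it must be exactly one saml-provider ARN plus one
        # role ARN, both in the same account.
        parts = value.split(",")
        prov = [m for m in map(ARN_PROVIDER.match, parts) if m]
        role = [m for m in map(ARN_ROLE.match, parts) if m]
        if len(parts) != 2 or len(prov) != 1 or len(role) != 1:
            problems.append("Role value is not 'provider-arn,role-arn': %r" % value)
        elif prov[0].group(1) != role[0].group(1):
            problems.append("provider and role ARNs are in different accounts: %r" % value)
    session = _attr_values(assertion, AWS_SESSION_ATTR)
    if len(session) != 1:
        problems.append("expected exactly one RoleSessionName value, got %d" % len(session))
    elif not SESSION_NAME.match(session[0]):
        problems.append("RoleSessionName %r is not 2-64 chars of [A-Za-z0-9_+=,.@-]" % session[0])
    return problems

def adfs_role_claims(groups, account_id, provider_name, role_replacement):
    """Mimic the post's custom rule: keep groups matching (?i)^AWS- and RegExReplace the
    literal 'AWS-' with the provider,role ARN pair. Assumes .NET defaults: the replace is
    case-sensitive even though the match is not, and the rest of the group name is kept."""
    pair = "arn:aws:iam::%s:saml-provider/%s,arn:aws:iam::%s:role/%s" % (
        account_id, provider_name, account_id, role_replacement)
    return [re.sub("AWS-", pair, g) for g in groups if re.match("(?i)^AWS-", g)]

def sample_response(attributes_xml):
    """Constructed, unsigned response shaped like the one in the post (hypothetical IdP/user)."""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
            'IssueInstant="2017-01-17T11:30:45Z" Destination="https://signin.aws.amazon.com/saml">'
            '<Issuer>http://idp.example.test/adfs/services/trust</Issuer><samlp:Status>'
            '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '<Assertion ID="_a1" Version="2.0" IssueInstant="2017-01-17T11:30:45Z">'
            '<Issuer>http://idp.example.test/adfs/services/trust</Issuer><Subject>'
            '<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">EXAMPLE\\user1'
            '</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            '<SubjectConfirmationData NotOnOrAfter="2017-01-17T11:35:45Z" '
            'Recipient="https://signin.aws.amazon.com/saml"/></SubjectConfirmation></Subject>'
            '<Conditions NotBefore="2017-01-17T11:30:45Z" NotOnOrAfter="2017-01-17T12:30:45Z">'
            '<AudienceRestriction><Audience>urn:amazon:webservices</Audience></AudienceRestriction>'
            '</Conditions><AttributeStatement>%s</AttributeStatement></Assertion></samlp:Response>'
            % attributes_xml)

def attribute_xml(name, value):
    """One SAML <Attribute> with a single value (constructed test input)."""
    return '<Attribute Name="%s"><AttributeValue>%s</AttributeValue></Attribute>' % (name, value)

SESSION_XML = attribute_xml(AWS_SESSION_ATTR, "user1@example.test")
ROLE_XML = attribute_xml(AWS_ROLE_ATTR, "arn:aws:iam::123456789012:saml-provider/SAML,"
                                        "arn:aws:iam::123456789012:role/Admin1")
SAMPLE_NO_ROLE = sample_response(SESSION_XML)              # shape of the post's response
SAMPLE_WITH_ROLE = sample_response(SESSION_XML + ROLE_XML)  # what AWS needs to pick a role
```

Paste the XML captured by SAML tracer into check_aws_saml_response() (with a `now` inside the assertion's validity window, since captured responses expire within the hour) to get the list of findings. The adfs_role_claims() simulation is worth running against your real group names: because RegExReplace only replaces the matched "AWS-" prefix, a group such as "AWS-Admin1" fed through the rule in the post yields ".../role/Admin1Admin1", which is why the usual template ends the replacement with a prefix like "role/ADFS-" so that the rest of the group name becomes the role name, and a group named "aws-Admin1" passes the case-insensitive match but is left unreplaced and then fails the ARN check.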
