This repository has been archived by the owner on Feb 9, 2024. It is now read-only.

README.md

Retirement Announcement

At this point in time, we've decided to retire the aws-saml-broker project and place it into maintenance mode; Trueaccord will no longer manage or maintain this project.

We'd like to extend a huge thanks and our gratitude to all of the contributors to this project that have helped us to get this project to where it is today and for accompanying us on this journey!

If you run into any issues with this project that you believe require attention, or wish to enhance it, feel free to fork this repository; however, we may decide to delete this repository at a future point in time.

Original README

aws-saml-broker

Simple webapp that authenticates users over SAML and grants them temporary AWS credentials based on SAML attributes.

Building

Our build is based on a Dockerfile; it should be straightforward to install locally by inspecting the Dockerfile.

To pull a prebuilt image:

$ docker pull trueaccord/aws-saml-broker

To build the image from scratch:

$ docker build -t aws-saml-broker .

Configuring

Creating a gateway user

In the AWS IAM console, create a new user and download its access key and secret. The broker uses this single key to call STS on behalf of every user who logs in, so treat it as a privileged secret. Click on the newly created user, choose 'Attach User Policy', select 'Custom Policy', name it broker-policy and set it to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "sts:AssumeRole"
      ],
      "Resource": "*"
    }
  ]
}

Note the ARN of this user from the User Summary. With "Resource": "*" the gateway user can assume any role whose trust policy names it; once the roles from the next step exist, tighten this by moving sts:AssumeRole into its own statement whose Resource lists only those role ARNs (iam:ListRoles does not support resource-level permissions and must keep "*").

Create roles for your users

Create as many roles as you need, each with the permission policy its users should receive. For each role, edit the trust relationship so that the gateway user is the trusted principal. The principal section should name the user ARN you noted above (the account ID 123456789012 and the user name gateway-user below are placeholders):

  "Principal": {
    "AWS": "arn:aws:iam::123456789012:user/gateway-user"
  },

For each role you create, note its ARN.
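The same trust relationship as a complete policy document, added here as an example rather than taken from the project; 123456789012 and gateway-user stand for the gateway user's ARN noted above:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/gateway-user"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Both sides must agree before STS issues credentials: the role's trust policy must name the gateway user, and the gateway user's own policy must allow sts:AssumeRole on that role. Listing the role ARNs in the user's policy instead of "*" means a leaked gateway key reaches only the roles you intended.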

Setting conf/config.py

Save conf/sample_config.py as conf/config.py and edit it according to the instructions in the file.

Your SAML metadata XML file should be in conf/metadata.xml (the path can be customized in the config).

The AWS access key and secret are those of the gateway user; because conf/config.py holds this long-lived key, keep it out of version control. group_to_aws_role maps SAML group names to the ARNs of the roles you created in the previous step.

Setting up Okta as an identity provider

aws-saml-broker works with any Identity Provider that speaks SAML. This section explains how to configure Okta to work with aws-saml-broker.

In Okta, add a new app using the 'Template SAML 2.0 App'. Set the Post Back URL to the URL the app will be serving from. If you are testing locally, enter http://localhost:5000; for any other deployment use an https URL, since both the SAML assertion and the page carrying the issued credentials travel over it.

Set Attribute Statements to email|${user.email}

Set Group Name to groups; if you would like to limit which groups are sent, enter a regular expression in Group Filter.

Create the application and assign it people and/or groups. From the Sign On page download the Identity Provider metadata and save it in conf/metadata.xml.

Starting the webapp

docker run --rm -p 5000:5000 -v $PWD/conf:/server/conf aws-saml-broker

Visit http://localhost:5000/. If everything works, temporary credentials appear on the screen in a format suitable for pasting into ~/.aws/credentials for the AWS CLI. They include a session token and expire with the STS session, so repeat the login when they lapse.
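The step behind that screen, written out as an added example (not the project's code, although its config is Python): map the user's SAML groups to role ARNs as group_to_aws_role does, call sts:AssumeRole as the gateway user, and render each result as a ~/.aws/credentials profile. The mapping, the SAML attributes and the FakeSts class are constructed for the example; a real boto3 STS client exposes the same assume_role() call and can be passed in instead.

```python
"""Added example, not aws-saml-broker's own code: the broker step after the
IdP has authenticated the user. The STS client is injected so the block runs
offline against FakeSts; boto3.client("sts") has the same assume_role()."""
import configparser
import datetime
import io
import re

# Constructed example of the group_to_aws_role mapping the README describes:
# SAML group name -> ARN of a role whose trust policy names the gateway user.
GROUP_TO_AWS_ROLE = {
    "aws-admins": "arn:aws:iam::123456789012:role/broker-admin",
    "aws-readonly": "arn:aws:iam::123456789012:role/broker-readonly",
}

# RoleSessionName must match [\w+=,.@-]{2,64}; anything else is replaced.
_SESSION_NAME_RE = re.compile(r"[^\w+=,.@-]")


def session_name_for(email):
    """Derive the session name from the SAML email so that CloudTrail records
    which user was behind the brokered credentials."""
    name = _SESSION_NAME_RE.sub("_", email)[:64]
    if len(name) < 2:
        raise ValueError("email too short for a RoleSessionName")
    return name


def roles_for_groups(groups, mapping=GROUP_TO_AWS_ROLE):
    """Role ARNs the user may assume, in mapping order. Groups with no entry
    are ignored, so an unmapped user ends up with nothing (deny by default)."""
    wanted = set(groups)
    return [arn for group, arn in mapping.items() if group in wanted]


def to_credentials_ini(profile, creds):
    """Render STS credentials as one ~/.aws/credentials profile. The session
    token is mandatory: temporary keys are rejected without it."""
    cp = configparser.ConfigParser()
    cp[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def broker(email, groups, sts, mapping=GROUP_TO_AWS_ROLE, duration=3600):
    """Assume every role the user's groups map to; return {role name: profile
    text}. Raises PermissionError when no group maps to a role, so a valid
    SAML login on its own grants nothing."""
    roles = roles_for_groups(groups, mapping)
    if not roles:
        raise PermissionError("no SAML group maps to an AWS role")
    profiles = {}
    for arn in roles:
        resp = sts.assume_role(
            RoleArn=arn,
            RoleSessionName=session_name_for(email),
            DurationSeconds=duration,
        )
        role_name = arn.rsplit("/", 1)[1]
        profiles[role_name] = to_credentials_ini(role_name, resp["Credentials"])
    return profiles


class FakeSts:
    """Offline stand-in for boto3's STS client (constructed for this example).
    Records each AssumeRole call and returns the response shape STS uses."""

    def __init__(self):
        self.calls = []

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.calls.append((RoleArn, RoleSessionName, DurationSeconds))
        n = str(len(self.calls))
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLE" + n,
                "SecretAccessKey": "secret" + n,
                "SessionToken": "token" + n,
                "Expiration": datetime.datetime.now(datetime.timezone.utc)
                + datetime.timedelta(seconds=DurationSeconds),
            }
        }


if __name__ == "__main__":
    # Constructed SAML attributes in the shape the Okta section produces:
    # an email attribute and a groups attribute.
    out = broker("alice@example.com", ["Everyone", "aws-readonly"], FakeSts())
    print(out["broker-readonly"])
```

The deny-by-default in roles_for_groups and the PermissionError in broker are the two checks worth keeping whatever the rest looks like: the IdP decides who the user is, but only the mapping decides which role, and a login that matches no entry must not fall through to a default role.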