ADFS AWS Multiaccount Claims Rules

Richard Long 1 Reputation point
2021-03-24T22:42:55.65+00:00

I'm trying to figure out a way to use ADF S to authenticate and assume roles in an AWS multiaccount environment using a BI application and JDBC as the frontend components which authenticate to AD and AD FS.

We've set this up to work with one hardcoded AWS account. We have AD FS setup to pull an AD attribute which matches the name of an AWS-based role, then it's passed to a claim that looks like this:

c:[Type == "http://temp/variable"]
=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = "arn:aws:iam::111111111111:saml-provider/rdms-adfs,arn:aws:iam::111111111111:role/" + c.Value);

Our environment has Dev, Test, and Prod installations of the BI app and JDBC connectors. We'd like the to be able to use one AD FS instance, and then grab an STS token in corresponding Dev, Test, and Prod AWS accounts.

Is it possible for this to be done? Could the BI app/JDBC connector pass a value to ADFS to include in a claim, or can AD FS use an if/then statement based on the source requesting authentication?

I am running AD FS on Windows Server 2012 R2.

Thank you

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
953 questions
{count} votes