Asked by RichardLong-0366 · commented by piaudonn

ADFS AWS Multiaccount Claims Rules

I'm trying to figure out a way to use AD FS to authenticate and assume roles in an AWS multi-account environment, using a BI application and JDBC as the frontend components which authenticate to AD and AD FS.

We've set this up to work with one hardcoded AWS account. We have AD FS set up to pull an AD attribute which matches the name of an AWS-based role, then it's passed to a claim that looks like this:

c:[Type == "http://temp/variable"]
=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = "arn:aws:iam::111111111111:saml-provider/rdms-adfs,arn:aws:iam::111111111111:role/" + c.Value);

Our environment has Dev, Test, and Prod installations of the BI app and JDBC connectors. We'd like to be able to use one AD FS instance, and then grab an STS token in the corresponding Dev, Test, and Prod AWS accounts.

Is it possible for this to be done? Could the BI app/JDBC connector pass a value to ADFS to include in a claim, or can AD FS use an if/then statement based on the source requesting authentication?

I am running AD FS on Windows Server 2012 R2.

Thank you


I am not sure how the BI app and JDBC connectors are relevant to the question.

You can issue whatever claim you want given you have a way to get it from an attribute store (AD, LDAP or SQL) and/or you can calculate it from an existing claim.


0 Answers