ADFS AWS Multiaccount Claims Rules

Richard Long 1 Reputation point
2021-03-24T22:42:55.65+00:00

I'm trying to figure out a way to use AD FS to authenticate and assume roles in an AWS multiaccount environment using a BI application and JDBC as the frontend components which authenticate to AD and AD FS.

We've set this up to work with one hardcoded AWS account. We have AD FS set up to pull an AD attribute which matches the name of an AWS-based role, then it's passed to a claim that looks like this:

c:[Type == "http://temp/variable"]
=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = "arn:aws:iam::111111111111:saml-provider/rdms-adfs,arn:aws:iam::111111111111:role/" + c.Value);

Our environment has Dev, Test, and Prod installations of the BI app and JDBC connectors. We'd like to be able to use one AD FS instance, and then grab an STS token in the corresponding Dev, Test, and Prod AWS accounts.

Is it possible for this to be done? Could the BI app/JDBC connector pass a value to ADFS to include in a claim, or can AD FS use an if/then statement based on the source requesting authentication?

I am running AD FS on Windows Server 2012 R2.

Thank you

Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
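The multi-account pattern the question is reaching for, as an added example that is not part of the original post and is not code from Microsoft or AWS: a single AD FS relying party trust can issue several https://aws.amazon.com/SAML/Attributes/Role claims in one assertion, one per account, each carrying that account's own saml-provider ARN alongside the role ARN. The script below keeps the rule set already on the trust (including the question's existing rule for account 111111111111 and whatever rule populates http://temp/variable) and appends one rule per additional account. Assumptions, none of which come from the page: the account IDs 222222222222 (Test) and 333333333333 (Prod) are placeholders, the SAML provider in every account is named rdms-adfs and was created from this AD FS instance's federation metadata, and the relying party uses AWS's standard identifier urn:amazon:webservices.

```powershell
# Added example, not from the question or from Microsoft/AWS documentation.
# Run in an elevated PowerShell session on the AD FS server (ADFS module loaded).
#
# Assumptions (placeholders, not from the original post):
#   - 222222222222 / 333333333333 are the Test / Prod account IDs
#   - each account has a SAML provider named rdms-adfs built from this AD FS's metadata
#   - the AWS relying party trust uses the standard identifier urn:amazon:webservices
$rpIdentifier = "urn:amazon:webservices"

# Set-AdfsRelyingPartyTrust -IssuanceTransformRules replaces the whole rule set,
# so start from what is already on the trust rather than from an empty string.
$existing = (Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier).IssuanceTransformRules
if (-not $existing) { throw "No relying party trust found for $rpIdentifier" }

# Refuse to append the same rules twice if the script is re-run.
if ($existing -match '@RuleName = "AWS role - Test account"') {
    throw "Multi-account role rules are already present on $rpIdentifier"
}

# Same shape as the question's single-account rule, once per additional account.
# Each Role claim is "<saml-provider ARN>,<role ARN>" and both ARNs must belong to
# the same account. http://temp/variable must be issued by an earlier rule in the set.
$additionalRoleRules = @'
@RuleName = "AWS role - Test account"
c:[Type == "http://temp/variable"]
 => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = "arn:aws:iam::222222222222:saml-provider/rdms-adfs,arn:aws:iam::222222222222:role/" + c.Value);

@RuleName = "AWS role - Prod account"
c:[Type == "http://temp/variable"]
 => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = "arn:aws:iam::333333333333:saml-provider/rdms-adfs,arn:aws:iam::333333333333:role/" + c.Value);
'@

$newRuleSet = $existing.TrimEnd() + "`r`n`r`n" + $additionalRoleRules
Set-AdfsRelyingPartyTrust -TargetIdentifier $rpIdentifier -IssuanceTransformRules $newRuleSet

# Check: list every Role-claim issuance line now on the trust. Expect one per account.
(Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier).IssuanceTransformRules -split "`r?`n" |
    Where-Object { $_ -match 'SAML/Attributes/Role"' }
```

With these rules in place AD FS does not need to know which environment is calling it: every assertion lists the Dev, Test and Prod pairs, and the client chooses. Each BI/JDBC installation is configured with its own account's pair and passes them as the principal ARN and role ARN when it exchanges the assertion with STS (AssumeRoleWithSAML), so the Test connector asks for the Test role and nothing else. Two things to check before relying on this: the Test and Prod SAML providers must each have been created from this AD FS instance's federation metadata, and each account's role trust policy must name that account's own provider ARN, otherwise STS rejects the exchange. Also note what this does not enforce: because the same role name from the AD attribute is projected into all three accounts, a user's effective access is bounded only by which of those roles actually exist and trust the provider in each account, so a role that should not exist in Prod must not be created there.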