Configure Access Manager to access AWS Management Console using SAML federation and dynamically map LDAP (user store) group to AWS Role - Part 2


1. Introduction

In part 1 of this article, I have explained how Access Manager can be configured as a trusted Identity Provider to enable single sign on to AWS Management Console with a single Role (constant value) using SAML federation.

As you configure multiple roles in AWS based on your organizations’ requirement and you are managing a user’s identity and entitlement inside your organization, you must have some control to map your organization’s entitlement to AWS roles dynamically.

In this section, I will explain how you can map your organization’s AD groups to AWS IAM Roles.

2. Configuration

Follow Part 1 of this series to configure NetIQ Access manager as a trusted Identity Provider to POST SAML assertion (with a static role ARN) to AWS SSO end point.

The following configuration explains how the AD group and AWS IAM role can be mapped dynamically. This process will enable role based (AD group based) access to AWS Management Console.

2.1 Create AWS Roles
You have already created awsEC2FullAcess role as per the solution given in Part 1.

Now create IAM Roles for RDS Full Access, S3 Read Only, and S3 Full Access Roles.
Make sure you choose the proper IAM permission while creating the Roles.




2.2 Create Group in LDAP (User Store) and assign users to the group
Create the following Groups in LDAP (NAM User Store) and assign the end users to the groups as per your requirement. The group name should match with the AWS IAM Role names created in Section 2.1. Here, the following 4 groups are created in LDAP.

  1. awsEC2FullAccess

  • awsS3FullAccess

  • awsS3ReadOnly

  • awsRDSFullAccess

2.3 Develop Data Extension using Java
Read through the following link to understand the SAML response which IDP should POST to AWS SSO end point.

In case of multiple AWS roles (i.e. end user part of multiple LDAP group in section 2.6), AWS SSO end point expects “” attribute in following format:


You have to develop a data extension plugin to read the user’s group membership and create the AWS Role assertion attribute as follows:


NAM Developer Guide:

Java Source:

Follow the “Data Extension Example for External Attribute Source Policy” and understand the logic how to get data from external user store and return to NAM for further use.


I have attached a sample working code for the data extension plugin that reads the end user’s group membership and prepare list of group name start with “aws” and prepare Array of the following string and return to NAM.


Download Sample Code: DataExtensionForSAML--AWS

Open the project in eclipse. You will need the nxpe.jar file to compile from the source code. The nxpe.jar is available in your NetIQ Access manager’s IDP lib directory.

Compile the source code and export the data extension as a JAR file (eg. AWSRole.jar).

2.4 Create Policy Extensions in NAM

  1. Open Admin Console and go to Policies -> Extension and click on “Upload…” link.


  • Upload the JAR file build in Section 2.7


  • Click on the “New…” and create new extension policy by providing following information:

    Name: ExternalAttrSource_AWSRole
    Description: ExternalAttrSource_AWSRole
    Policy Type: Identity Server: External Attribute Source
    Type: Data
    Class Name: <Name of your factory class> (i.e.
    File Name: Choose JAR file you uploaded (i.e. AWSRole)

  • Open the Policy again and pass 4 parameters

    User Group: This is the list of user’s group membership in the NAM user store
    AWS User Group Prefix: AWS group identification (i.e. LDAP groups to Access AWS starts with aws)
    AWS Account Number: Your AWS account number.
    AWS Identity Provider: Name of your Identity Provider which was created in AWS (i.e. NAM-IDP)


  • Select the Extension policy and click on the “Distribute JARs” link. This will push the JAR file into IDP server. After distribute you need to restart the NAM-IDP service in the IDP servers.

  • Go to Policies -> Policies tab and create a policy named: ExternalAttrSource_AWSRole and select Type as Identity Server: External Attribute Source


    Click on New -> Fetch Attributes and put External Attribute Name as “AWSRole”.

    Select Value as Data Extension -> ExternalAttrSource_AWSRole

    Final policy should look like following:


  • Apply changes in IDP servers from admin console.

  • Go to idp-cluster -> General -> External Attributes tab and enable ExternalAttrSource_AWSRole

2.5 Create External Attribute
Go to Identity Servers -> Shared Settings and click on “Custom Attributes” tab.


Create a new Shared Secret Name by clicking “New” link under Shared Secret Names section.

Secret Name: ExternalAttrSource_AWSRole
Secret Entry Name: AWSRoles

Secret Name must match with Policy name created on section 2.4 (vi) and Secret Entry Name must match with attribute name given on section 2.4 (vi).

2.6 Create Attribute Set for AWS SAML Assertion
Go to Shared Setting -> Attribute Sets and create new attribute set “AmazonWebServices”.

  1. Map Remote Attribute “Role” to “ExternalAttrSource_AWSRole”.


2.7 Update SAML Service Provider setup in NAM
Go to IDP cluster, SAML 2.0 tab and open AmazonAWS service provider. Select Attribute Set: AmazonWebService and move available attributes from right box to left box.


Apply all changes to IDP.

3. Test

Open any browser and try to access https://<nam-idp-sso-url>/nidp/saml2/idpsend?id=aws URL.

  1. Login as user who is member of following LDAP groups:



How To-Best Practice
Comment List