Configure Access Manager to access AWS Management Console using SAML federation and dynamically map LDAP (user store) group to AWS Role using Virtual Attribute


1. Introduction

In Part 1 of this article I explained how NetIQ Access Manager can be configured as a trusted Identity Provider to enable single sign-on to the AWS Management Console with a single, statically configured Role using SAML federation.

Because you can configure multiple roles in AWS to suit your organization's requirements, while user identities and entitlements are managed inside your organization, you need a way to map your organization's entitlements to AWS roles dynamically.

In this section I explain how you can map your organization's AD groups to AWS IAM Roles with the help of Attribute Retrieval and Transformation (Virtual Attributes).

Refer to the link below for more information:

2. Configuration

Follow Part 1 of this article to configure NetIQ Access Manager as a trusted Identity Provider that POSTs a SAML assertion (with a static role ARN) to the AWS SAML sign-in endpoint.

The following configuration explains how an AD group (read through a configured Data Source) is mapped dynamically to an AWS IAM role. This enables role-based (AD-group-based) access to the AWS Management Console.

2.1 Create AWS Roles

You already created the awsEC2FullAccess role as per the solution given in Part 1.

Now create IAM Roles for RDS Full Access, S3 Read Only and S3 Full Access. Attach the appropriate IAM permissions to each role, and make sure each role's trust policy allows the same SAML identity provider used in Part 1 to assume it; a role that does not trust the provider will appear in the assertion but AWS will refuse to assume it.
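As an added example (not part of the original article), this is the trust policy each of these roles needs so that it can be assumed through SAML federation. It assumes the SAML provider in AWS is named NAM-IDP, as in the mapping script in section 2.5, and uses <aws account number> as a placeholder. The sts:AssumeRoleWithSAML action and the SAML:aud condition on https://signin.aws.amazon.com/saml are what the AWS console itself generates for a SAML federation role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<aws account number>:saml-provider/NAM-IDP"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
```

The permissions policy (EC2, RDS or S3 access) is attached separately; the trust policy above only decides who may assume the role, so keep it identical across the four roles and let the group membership, not the trust policy, decide which roles a user gets.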




2.2 Create Group in LDAP (User Store) and assign users to the group

Create the following groups in LDAP (the NAM user store) and assign end users to them as required. Each group name must match exactly the name of the AWS IAM Role created in Section 2.1, because the role ARN is built from the group name. The following four groups are created in LDAP.

(i) awsEC2FullAccess

(ii) awsS3FullAccess

(iii) awsS3ReadOnly

(iv) awsRDSFullAccess

2.3 Create Data Source


In the Administration Console, click Devices -> Identity Server -> Shared Settings -> Data Sources.

(i) Click the add icon to add a data source.


(ii) Select LDAP as the Data Source type, fill in all the connection details and test the connectivity.



2.4 Create Attribute Source

In the Administration Console, click Devices -> Identity Server -> Shared Settings -> Virtual Attributes -> Attribute Source

(i) Click the add icon to add an attribute source.


(ii) Specify a name and description for the attribute source, and select the Data Source Name created in step 2.3.

Provide input parameters: This is the input parameter name (P1); its value should be something (user ID, employee ID, global ID, etc.) that uniquely identifies the user in the Data Source created in step 2.3.

In my example, I have given sAMAccountName as the unique identifier.

Provide query and output parameters: Specify an LDAP filter that uses the input parameter defined in the Provide input parameters section.

In my example the NAM user store (the IDP user store) and the Data Source (the attribute retrieval source) are the same directory, and I want to retrieve the user's group membership in order to build the AWS Role array with a virtual attribute.

Filter: sAMAccountName=%P1%

Filter Output Name: memberOf


(iii) Once you have configured the Attribute Source, test it by enabling the "Show / Add Test Values?" checkbox, entering a valid user ID as the Test Value and clicking Test.


Provide the LDAP admin credentials which you have used while creating the Data Source in step 2.3.

You should get a Test Result of Success and a list of the user's group memberships (the memberOf DNs).


If you have any issues, check the log at /opt/novell/nam/adminconsole/logs/catalina.out on the Admin Console server.

2.5 Create Virtual Attribute

In the Administration Console, click Devices -> Identity Server -> Shared Settings -> Virtual Attributes -> Virtual Attribute

(i) Click the add icon to create a virtual attribute.


(ii) Specify a name and description for the virtual attribute (vaAWSRoleName is the name used in this example).

Configure Provider input parameters:

Name: P1

Parameter Value: memberOf

Configure Provide a modification function:

Select a function: Advanced: Javascript

Script: Copy and paste the following JavaScript and replace <aws account number> with your AWS account number.

    // Entry point called by NAM; P1 is the memberOf value (a string or an array of group DNs).
    function main(P1) {
        return mapGroups(P1);
    }

    // Build one "role ARN,provider ARN" string per matching group, as AWS expects in the Role attribute.
    function mapGroups(attribute) {
        var result = [];
        var role_arn = 'arn:aws:iam::<aws account number>:role/';
        var provider_arn = ',arn:aws:iam::<aws account number>:saml-provider/NAM-IDP';
        if (attribute instanceof Array) {
            var j = 0;
            for (var i = 0; i < attribute.length; i++) {
                var grp = checkGroup(attribute[i]);
                if (grp != 'NA') {
                    result[j++] = role_arn + grp + provider_arn;
                }
            }
        } else {
            // A user in a single group gets memberOf as a plain string, not an array.
            var grp = checkGroup(attribute);
            if (grp != 'NA') {
                result[0] = role_arn + grp + provider_arn;
            }
        }
        return result;
    }

    // Return the CN of a group DN if it starts with "aws", otherwise 'NA'.
    function checkGroup(group) {
        if (/^CN=aws.*,/.test(group) == true) {
            var startindex = 3; // skip the leading "CN="
            var endindex = group.indexOf(",");
            return group.substring(startindex, endindex);
        }
        return 'NA';
    }

This script does the following for you:

  1. Loops through all memberOf values (the user's group DNs) and keeps only the groups whose CN starts with aws.

  2. Builds, for each such group, a string of the form arn:aws:iam::<aws account number>:role/<group name>,arn:aws:iam::<aws account number>:saml-provider/NAM-IDP and returns the array of these strings to the virtual attribute. AWS reads each value as a role ARN / provider ARN pair, so the group name is used verbatim as the IAM role name and the provider name must match the SAML identity provider configured in your AWS account.

Note that every group whose CN starts with aws becomes an assumable role, so membership of those LDAP groups is the effective access control for AWS; restrict who can modify those groups and their membership.



(iii) To test the script and the attribute conversion, enable the "Show / Add Test Values?" checkbox, add some group DNs in the Test values field and click Test.


If the configuration is correct, you should get the following Success result.
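As an added example (not code from the original article or from NetIQ), here is a stricter version of the mapping script together with a check of the values that will be sent in the SAML Role attribute. The account number 123456789012 and the sample memberOf values are constructed placeholders; the provider name NAM-IDP follows the script above. The code is plain ES5 so that it runs under Node.js; that NAM's script engine accepts the same syntax is an assumption, not something verified here. It goes beyond the original script in three ways: it honours LDAP escaping of commas inside a CN, it drops duplicate and malformed role names instead of sending them to AWS, and it verifies that both halves of every Role value reference the same account and the expected provider.

```javascript
// Added example, not part of the original article or NetIQ's own code.
// Stricter group -> AWS role mapping for the NAM virtual attribute, plus a
// validator for the resulting SAML Role values. Plain ES5 on purpose: runs
// under Node.js, and is assumed (not verified here) to run in NAM's script engine.

var ACCOUNT = '123456789012';   // constructed placeholder, replace with your AWS account number
var PROVIDER = 'NAM-IDP';       // SAML provider name used by the script in section 2.5
var GROUP_PREFIX = 'aws';       // only groups whose CN starts with this become roles

// Extract the CN value from a DN. Handles "\," escaping inside the value (RFC 4514)
// and a lower-case "cn=" attribute type. Returns null if the first RDN is not a CN.
function cnFromDn(dn) {
  var m = /^\s*cn=/i.exec(dn);
  if (!m) return null;
  var out = '';
  for (var i = m[0].length; i < dn.length; i++) {
    var ch = dn.charAt(i);
    if (ch === '\\' && i + 1 < dn.length) {
      out += dn.charAt(++i);          // escaped character: take the next char literally
    } else if (ch === ',') {
      break;                          // unescaped comma ends the first RDN
    } else {
      out += ch;
    }
  }
  return out;
}

// Characters IAM allows in a role name, minus the comma: the SAML Role value is a
// comma-separated "role,provider" pair, so a comma in the name would corrupt it.
var ROLE_NAME_RE = /^[\w+=.@-]{1,64}$/;

// Map a memberOf value (string or array of DNs) to the role/provider pairs AWS expects.
function mapGroups(attribute) {
  var dns = attribute instanceof Array ? attribute : [attribute];
  var seen = {};
  var result = [];
  for (var i = 0; i < dns.length; i++) {
    var cn = cnFromDn(String(dns[i]));
    if (cn === null) continue;
    if (cn.substring(0, GROUP_PREFIX.length) !== GROUP_PREFIX) continue;  // not an aws* group
    if (!ROLE_NAME_RE.test(cn) || seen[cn]) continue;                      // malformed or duplicate
    seen[cn] = true;
    result.push('arn:aws:iam::' + ACCOUNT + ':role/' + cn +
                ',arn:aws:iam::' + ACCOUNT + ':saml-provider/' + PROVIDER);
  }
  return result;
}

// Entry point with the signature NAM calls (P1 = memberOf).
function main(P1) {
  return mapGroups(P1);
}

// Check the values that will be placed in the SAML Role attribute: every entry must be a
// well-formed "role-arn,provider-arn" pair, both ARNs in the given account, with the
// expected provider. Returns a list of problems; an empty list means all values are fine.
function validateRoleValues(values, account, provider) {
  var re = /^arn:aws:iam::(\d{12}):role\/([\w+=.@-]{1,64}),arn:aws:iam::(\d{12}):saml-provider\/([\w._-]+)$/;
  var problems = [];
  for (var i = 0; i < values.length; i++) {
    var m = re.exec(values[i]);
    if (!m) { problems.push('malformed: ' + values[i]); continue; }
    if (m[1] !== account || m[3] !== account) problems.push('wrong account: ' + values[i]);
    if (m[4] !== provider) problems.push('unexpected provider: ' + values[i]);
  }
  return problems;
}

// Constructed memberOf value for a test user (not real directory data).
var SAMPLE_MEMBER_OF = [
  'CN=awsS3ReadOnly,OU=AWS,DC=example,DC=com',
  'cn=awsRDSFullAccess,ou=AWS,dc=example,dc=com',     // lower-case attribute type
  'CN=awsS3ReadOnly,OU=AWS,DC=example,DC=com',        // duplicate, emitted once
  'CN=Domain Users,CN=Users,DC=example,DC=com',       // not an aws* group
  'CN=aws Ops\\, Team,OU=AWS,DC=example,DC=com',      // escaped comma, not a valid role name
  'OU=awsSomething,DC=example,DC=com'                 // first RDN is not a CN
];

if (typeof require !== 'undefined' && require.main === module) {
  var roles = main(SAMPLE_MEMBER_OF);
  console.log(roles);                                       // two role/provider pairs
  console.log(validateRoleValues(roles, ACCOUNT, PROVIDER)); // []
}
```

To use this in NAM, paste everything except the final `if` block into the Script field in place of the original script; main(P1) keeps the same entry point. Run validateRoleValues against the "Show / Add Test Values?" output before applying the change to the IDP, so a typo in the account number or provider name is caught at configuration time rather than as an AWS sign-in failure.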


2.6 Create Attribute Set for AWS SAML Assertion

Go to Shared Settings -> Attribute Sets and create a new attribute set "AWS_ATTR_SET".

(i) Map the remote attribute Role (the AWS SAML attribute https://aws.amazon.com/SAML/Attributes/Role) to "Virtual Attribute: vaAWSRoleName", the virtual attribute created in section 2.5.


(ii) Map the remote attribute RoleSessionName (https://aws.amazon.com/SAML/Attributes/RoleSessionName) to sAMAccountName.



2.7 Update SAML Service Provider setup in NAM

Go to the IDP cluster, SAML 2.0 tab, and open the AmazonAWS service provider. Select Attribute Set "AWS_ATTR_SET" and move the available attributes from the right box to the left box.


Apply all changes to IDP.

3. Test

Open a browser and access https://<nam-idp-sso-url>/nidp/saml2/idpsend?id=aws.

(i) Log in as a user who is a member of the following LDAP groups:







  • With the Virtual Attribute solution, you can only get the direct group membership of the user. If you need AD nested groups, you need to query the AD group and get all nested groups. I have posted another solution to integrate with AWS using an external attribute. I have also given a sample DataExtension code sample in that solution. Please download the project and modify the code as per your requirement to prepare an Array of the following string:

    Please let me know if that helps.