Configure Access Manager to access AWS Management Console using SAML federation and dynamically map LDAP (user store) group to AWS Role using Virtual Attribute

1. Introduction

In Part 1 of this article, I explained how NetIQ Access Manager can be configured as a trusted Identity Provider to enable single sign-on to the AWS Management Console with a single, statically configured Role (a constant value) using SAML federation.

Because you can configure multiple roles in AWS according to your organization's requirements, and user identities and entitlements are managed inside your organization, you need a way to map your organization's entitlements to AWS roles dynamically.

In this section I will explain how you can map your organization’s AD groups to AWS IAM Roles with the help of Attribute Retrieval and Transformation (Virtual Attribute).

Refer to the link below for more information:

https://www.netiq.com/documentation/access-manager-42/admin/data/b1caobu1.html#userattributeretrievalandtransformation

2. Configuration

Follow Part 1 of this article to configure NetIQ Access Manager as a trusted Identity Provider that POSTs a SAML assertion (with a static role ARN) to the AWS SSO endpoint.

The following configuration explains how an AD group (configured as a Data Source) and an AWS IAM role can be mapped dynamically. This enables role-based (AD-group-based) access to the AWS Management Console.

2.1 Create AWS Roles

You already created the awsEC2FullAccess role as per the solution given in Part 1.

Now create IAM Roles for RDS Full Access, S3 Read Only, and S3 Full Access. Make sure you choose the proper IAM permissions when creating the Roles.

2.2 Create Group in LDAP (User Store) and assign users to the group

Create the following groups in LDAP (the NAM user store) and assign end users to them as required. Each group name must match the name of the corresponding AWS IAM Role created in Section 2.1, because the virtual attribute script uses the group name verbatim to build the role ARN. The following four groups are created in LDAP:

(i) awsEC2FullAccess

(ii) awsS3FullAccess

(iii) awsS3ReadOnly

(iv) awsRDSFullAccess

2.3 Create Data Source

In the Administration Console, click Devices -> Identity Server -> Shared Settings -> Data Sources.

(i) Click on the + to add a data source.

(ii) Select LDAP as the Data Source type, fill in all the connection details, and test the connectivity.

2.4 Create Attribute Source

In the Administration Console, click Devices -> Identity Server -> Shared Settings -> Virtual Attributes -> Attribute Source.

(i) Click on + to add an attribute source.

(ii) Specify a Name and Description for the attribute source, then select the Data Source Name created in step 2.3.

Provide input parameters: This is the input parameter name (P1). Its value must be something (such as a user id, employee id, or global id) that uniquely identifies the user in the Data Source you created in step 2.3.

In my example, I have given sAMAccountName as the unique identifier.

Provide query and output parameters: Specify an LDAP filter that uses the input parameter defined in the Provide input parameters section.

In my example, the NAM user store (i.e. the IDP user store) and the Data Source (i.e. the user attribute retrieval source) are the same, and I want to retrieve the user's group membership to build the AWS Role array with the virtual attribute.

Filter: sAMAccountName=%P1%

Filter Output Name: memberOf

(iii) Once you have configured the Attribute Source, test the configuration by enabling the “Show / Add Test Values?” checkbox. Provide a valid user id as the Test Value and click the Test button.

Provide the LDAP admin credentials that you used when creating the Data Source in step 2.3.

You should get a Test Result of Success and a list of the user's group memberships.

If you have any issues, check the log file /opt/novell/nam/adminconsole/logs/catalina.out on the Admin Console server.

2.5 Create Virtual Attribute

In the Administration Console, click Devices -> Identity Server -> Shared Settings -> Virtual Attributes -> Virtual Attribute.

(i) Click + to create a virtual attribute.

(ii) Specify a name and description for the virtual attribute.

Configure Provider input parameters:

Name: P1

Parameter Value: memberOf

Configure Provide a modification function:

Select a function: Advanced: JavaScript

Script: Copy and paste the following JavaScript and replace <aws account number> with your AWS account number.

function main(P1) {
    // P1 is the memberOf value passed in through the Provider input parameter.
    // It is an Array when the user belongs to several groups and a single
    // string when the user belongs to only one group.
    return mapGroups(P1);
}

function mapGroups(attribute) {
    var result = [];
    // Replace <aws account number> with your AWS account number.
    var role_arn = 'arn:aws:iam::<aws account number>:role/';
    var provider_arn = ',arn:aws:iam::<aws account number>:saml-provider/NAM-IDP';
    if (attribute instanceof Array) {
        var j = 0;
        for (var i = 0; i < attribute.length; i++) {
            var grp = checkGroup(attribute[i]);
            if (grp != 'NA')
                result[j++] = role_arn + grp + provider_arn;
        }
    } else {
        var grp = checkGroup(attribute);
        if (grp != 'NA')
            result[0] = role_arn + grp + provider_arn;
    }
    return result;
}

// Returns the group name (the CN value) when the group DN starts with
// "CN=aws"; otherwise returns 'NA' so the group is skipped.
function checkGroup(group) {
    if (/^CN=aws.*,/.test(group) == true) {
        var startindex = 3; // skip the leading "CN="
        var endindex = group.indexOf(",");
        return group.substring(startindex, endindex);
    } else
        return 'NA';
}

This script does the following for you:

  1. Loops through all memberOf values (i.e. the user's group memberships) and keeps only the groups whose name starts with aws.

  2. Builds an array of strings in the following format and returns it as the virtual attribute value:

"arn:aws:iam::<aws-account-number>:role/<group-name-starts-with-aws>,arn:aws:iam::<aws-account-number>:saml-provider/NAM-IDP"
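As an added, stand-alone example (not part of the original article and not NetIQ product code), the same memberOf-to-Role mapping re-implemented for Node.js so it can be unit-tested outside the Identity Server before the virtual attribute is deployed. It goes slightly beyond the script above: the CN is parsed with LDAP backslash escaping in mind, the RDN attribute name is matched case-insensitively, a group listed twice yields one role, and each group name is checked against the IAM role-name character set (excluding the comma, which is the separator inside the Role attribute value) before an ARN pair is emitted. The account number 123456789012 and the sample group DNs are constructed values; the provider name NAM-IDP is the one used in the article.

```javascript
// Added example: stand-alone Node.js version of the memberOf -> AWS Role mapping.
// Not the article's NAM script; all sample values below are constructed.

const AWS_ACCOUNT = '123456789012';   // constructed placeholder account number
const PROVIDER_NAME = 'NAM-IDP';      // SAML provider name used in the article
const GROUP_PREFIX = 'aws';           // only groups named aws* are mapped to roles

// Return the value of the leading CN RDN of a DN, or null when the DN does not
// start with CN= (any case). Backslash-escaped characters such as "\," are
// unescaped, so a comma inside the CN is not mistaken for the end of the RDN.
function firstCnValue(dn) {
  if (!/^cn=/i.test(dn)) return null;
  let value = '';
  for (let i = 3; i < dn.length; i++) {
    const c = dn[i];
    if (c === '\\' && i + 1 < dn.length) { value += dn[++i]; continue; }
    if (c === ',') break;
    value += c;
  }
  return value;
}

// IAM role names may contain only letters, digits and + = , . @ _ -. The comma
// is left out here because it separates the two ARNs in the Role attribute.
const ROLE_NAME_RE = /^[A-Za-z0-9+=.@_-]+$/;

// Map a memberOf value (a DN string or an array of DN strings) to the list of
// "role-arn,provider-arn" strings that AWS expects in the SAML Role attribute.
function mapGroups(memberOf) {
  const dns = Array.isArray(memberOf) ? memberOf : [memberOf];
  const roles = [];
  const seen = new Set();
  for (const dn of dns) {
    const name = firstCnValue(String(dn));
    if (name === null || !name.startsWith(GROUP_PREFIX)) continue; // not an aws* group
    if (!ROLE_NAME_RE.test(name)) continue;   // could never be a valid IAM role name
    if (seen.has(name)) continue;             // same group listed twice
    seen.add(name);
    roles.push(
      `arn:aws:iam::${AWS_ACCOUNT}:role/${name},` +
      `arn:aws:iam::${AWS_ACCOUNT}:saml-provider/${PROVIDER_NAME}`
    );
  }
  return roles;
}

// Constructed sample memberOf value: two aws* groups that must map to roles,
// plus three entries that must not add anything.
const SAMPLE_MEMBER_OF = [
  'CN=awsEC2FullAccess,OU=Groups,DC=example,DC=com',
  'CN=awsS3ReadOnly,OU=Groups,DC=example,DC=com',
  'CN=Domain Users,CN=Users,DC=example,DC=com',     // not an aws* group
  'CN=aws\\,Broken,OU=Groups,DC=example,DC=com',    // escaped comma in CN: fails ROLE_NAME_RE
  'cn=awsS3ReadOnly,OU=Groups,DC=example,DC=com',   // duplicate, different RDN case
];

console.log(mapGroups(SAMPLE_MEMBER_OF).join('\n'));
```

Running the block prints two Role values, one for awsEC2FullAccess and one for awsS3ReadOnly. The same function accepts a single DN string, which matches how the Identity Server hands memberOf to the script when a user belongs to exactly one group.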

(iii) To test the script and the attribute conversion, enable the “Show / Add Test Values?” check box, add some group DNs in the Test values field, and click the Test button.

If the configuration is correct, you should get the following Success result.

2.6 Create Attribute Set for AWS SAML Assertion

Go to Shared Settings -> Attribute Sets and create a new attribute set “AWS_ATTR_SET”.

(i) Map Remote Attribute “Role” to “Virtual Attribute:vaAWSRoleName”.

(ii) Map Remote Attribute “RoleSessionName” to “sAMAccountName”.

2.7 Update SAML Service Provider setup in NAM

Go to the IDP cluster, open the SAML 2.0 tab, and open the AmazonAWS service provider. Select Attribute Set: “AWS_ATTR_SET” and move the available attributes from the right box to the left box.

Apply all changes to IDP.

3. Test

Open any browser and access the URL https://<nam-idp-sso-url>/nidp/saml2/idpsend?id=aws.

(i) Log in as a user who is a member of the following LDAP groups:

awsEC2FullAccess

awsS3ReadOnly

Comments
This is great, tried it and it works very well.
Is it possible to extend this to allow a user to be a member of an AD nested group which contains all the AWS groups he is a member of?
Using the Virtual attribute solution, you can only get the group membership of a user. If you need to get AD nested groups, you need to query the AD group and get all nested groups. I have posted another solution to integrate with AWS using an external attribute. I have also given one sample DataExtension code sample in that solution. Please download the project and modify the code as per your requirement and prepare an Array of the following string:
“arn:aws:iam:::role/,arn:aws:iam:::saml-provider/NAM-IDP”

https://www.netiq.com/communities/cool-solutions/configure-access-manager-access-aws-management-console-using-saml-federation-dynamically-map-ldap-user-store-group-aws-role-part-2/

Please let me know if that helps.
Is there a way to setup SAML federation for AWS CLI access? Thanks.
Version history
Revision #: 3 of 3
Last update: 2020-01-31 22:05