Host name value in Custom Identity Provider

The hostname for your server created using a PUBLIC endpoint is:
<server-id>.server.transfer.<region>.amazonaws.com
so it looks like:
s-xxxxxx.server.transfer.us-east-1.amazonaws.com

If you are using the Console, we create a CNAME record from your custom hostname to the server hostname above. To learn more about how we do this, refer to the docs below:
https://docs.aws.amazon.com/transfer/latest/userguide/requirements-dns.html
Alternatively you can map any custom hostname (and any number of them) yourself by pointing them to resolve to the server hostname above.

Let me know if this answers your question

Thanks

Thanks, that helps.

Do you know if it is possible to get the custom hostname value used to connect to the server inside the Custom Identity Provider?

We work with multiple clients who would like the appearance of their own SFTP server and that custom hostname would serve as a sort of user context. The user could potentially have access to different user contexts. We would prefer that the same user (userid, password) could be used to access different sites. But their home folder visibility under each one should be specific to the context they log in to.

For example user1 has access to sftp.site1.com and sftp.site2.com. We don't want the user to have to manage separate accounts/passwords for site1 and site2. At the same time, we would rather avoid the user having the same home folder, and have to manually separate their files by using subfolders like /site1 and /site2.

So the desired behaviour would be, the user logs into site1, the custom auth identifies the login was from site1 and maybe sets their home directory to be /site1/user1/. If they log into site2, then similarily they would have a home directory of /site2/user1/. While the user has access to both sites, their data should not really mix together, so that is why we were hoping to avoid simply using subfolders like /site1 and /site2 within a single home directory.

Can you think of any way we could accomplish something like this?

Edited by: TTF2019 on Apr 15, 2019 4:40 AM

In addition to accessing the hostname in the custom identity provider, we would see value in being able to identify the hostname that was used to upload a file.

We will be using the Metadata 'user-agent-id' on the s3 object to determine who uploaded the file and it would be great if another Metadata field could include the hostname used for the upload.

Heck, maybe the public IP address of the uploader could be added to the Metadata too?

Maybe even better if the custom identity provider could return values during auth to be added to the metadata of uploaded files by that authenticated user.

That's an interesting use case of contextual access for an authenticated user. The details are helpful. If i'm understanding correctly any context would be helpful - even source IP address of the end user?

Yeah I started with hostname with the idea that a username could be unique, per hostname, rather than require a globally unique username. With no other available info the identity provider has to maintain a single globally unique user pool of usernames.

The IP would be of interest for audit logging, and possibly a manual implementation of Account locking or brute force attack monitoring, but I believe that AWS may already be working on whitelisting support? If true, the IP might be of more interest in the s3 object metadata for a bit of an audit trail.

For anyone else that may be looking at this, it appears aws has added the ability to get the sourceIP value within the custom identity provider lambda function.

https://aws.amazon.com/about-aws/whats-new/2020/06/aws-transfer-family-enables-source-ip-as-a-factor-for-authorization/

It appears that getting the hostname is still not supported.