Shibboleth IdP for AWS Transfer Family


In HigherEd, Shibboleth is popular as an IdP. How do I use my Shibboleth IdP to authenticate SFTP end users for my SFTP server in AWS Transfer Family? From the documentation, it seems that I need a Lambda function and I see examples for Okta. Similar for Shibboleth? Anybody has this working with Shibboleth?

asked 4 days ago36 views
1 Answer

I haven't used Shibboleth, but the examples for Okta simply extract the username, password, and in the MFA-enabled example, the one-time password (OTP) included with the password, from the input that AWS Transfer provides to the Lambda function, followed by the Lambda function making a request to Okta asking "is this username/password (+MFA) pair okay?"

The same approach will work with any IdP that supports authenticating with a username/password pair and optionally a one-time password that the user would include in their password.

It would be up to you to adjust the Lambda code to validate the credentials against an API provided by your IdP. In the Okta template (, the username and password are accepted as simple input directly from the event from the AWS Transfer server:

username = event["username"]
password = event["password"]

and those credentials are checked against the Okta API endpoint in the auth_with_okta function:

credentials = {"username": user_name, "password": password}
req = request.Request(url="${OKTAAuthAPIURL}", data=json.dumps(credentials).encode('utf-8'), headers=headers)
resp = request.urlopen(req)"Okta response: [{}]".format(resp.status))
return resp.status

which returns HTTP 200 if the credentials were valid and an error response otherwise, based on which the Lambda function returns a successful login response or a rejection to the Transfer server:

if status_code == 200:
    home_directory = "${AWSTransferS3Bucket}" + "/" + username + "/"
    response["Role"] = "${TransferS3Access.Arn}"
    response["HomeDirectory"] = "/" + home_directory

    # Optional JSON blob to further restrict this user's permissions
    response["Policy"] = """Message: {}".format(response))
else:"Failed to authenticate user [{}] with Okta. Received status code of {}".format(get_full_username(username), status_code))
Leo K
answered 4 days ago
profile picture
reviewed 4 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions