SourceIdentity with Identity Provider

0

Hi,

I am trying to follow this article to configure SourceIdentity with my Identity Provider (Azure Active Directory) integrated with AWS SSO (Identity Centre). https://aws.amazon.com/blogs/security/how-to-integrate-aws-sts-sourceidentity-with-your-identity-provider/

Though this article doesn't talk about Azure AD, within Azure AD under Enterprise Applications -> My AWS Application -> Single Sign on -> Attributes & Claim -> I have added a new claim with below details

Name: SourceIdentity Namespace: https://aws.amazon.com/SAML/Attributes Source: Attribute Source Attribute: user.displayName

If I then attempt to log in with an IdP user to the AWS SSO link and trace it with a SAML tracer in Google Chrome, in the SAML response I can see the attribute has been added

        <Attribute Name="https://aws.amazon.com/SAML/Attributes/SourceIdentity">
            <AttributeValue>MY-DISPLAY-NAME</AttributeValue>
        </Attribute>

However, I cannot find the field SourceIdentity in any event the user performs, such as creating a bucket or any other action of that sort.

I have tried to search around but cannot get this working. Any help will be appreciated.

3 Answers
0

Thank you for your reply. I have already seen both of these articles; is there anything specific you think I should follow to get SourceIdentity working?

Integration from Azure to AWS is working and automatic user provisioning is working too. The only thing I cannot find clear instructions for is how to get SourceIdentity working. I am unable to see this field in any CloudTrail events.

answered a year ago
  • Right ok. Reading about it, it “may” only work if using an IdP via IAM. You’re using Identity Centre. I’m going to update my answer as there is an extra step, but not sure if you should change the IdP settings in your account that’s used by Identity Centre.

  • Also, why do you need to do this? The user's name is usually in CloudTrail when actions are performed after using SSO.

0

Try following the identity instructions for Azure AD here.

https://docs.aws.amazon.com/singlesignon/latest/userguide/azure-ad-idp.html

Microsoft instructions. https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/aws-single-sign-on-tutorial

This should get you up and going. Ping any questions over.

update

This may only work for an IdP with IAM and not AWS SSO Identity Centre. There is an extra step, but I’m not sure you should modify the IdP that Identity Centre sets up.

Why would you want to do this anyway, as the user's name is already in CloudTrail logs?

For the workforce identity or application to be able to define their source identity when they assume IAM roles, you must first grant them permission for the sts:SetSourceIdentity action, as illustrated in the sample policy document below. This will permit the workforce identity or application to set the SourceIdentity themselves without any need for manual intervention.

To modify an AWS IAM role trust policy

Log in to the AWS Management Console for your account as a user with privileges to configure an IdP, typically an administrator. Navigate to the AWS IAM service. For trusted identity, choose SAML 2.0 federation. From the SAML Provider drop-down menu, select the IAM provider you created previously. Modify the role trust policy and add the SetSourceIdentity action.

Sample policy document

This is a sample policy document attached to a role you assume when you log in to Account1 from the Okta dashboard. Edit your Account1/Role1 trust policy document and add sts:AssumeRoleWithSAML and sts:setSourceIdentity to the Action section.

EXPERT
answered a year ago
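As an added illustration (not code from the question, the answers, or the AWS blog), the following Python checks that a trust policy of the shape described above grants the SAML principal both sts:AssumeRoleWithSAML and sts:SetSourceIdentity, and looks up the source identity of CloudTrail records, which an assumed-role session exposes under userIdentity.sessionContext.sourceIdentity. The account id, provider name and event records are constructed placeholders.

```python
# Constructed trust policy for Account1/Role1 (placeholder account id and SAML
# provider name) with sts:SetSourceIdentity added beside sts:AssumeRoleWithSAML.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/MyIdP"},
        "Action": ["sts:AssumeRoleWithSAML", "sts:SetSourceIdentity"],
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}

def _as_list(value):
    # IAM accepts a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def saml_principal_can_set_source_identity(policy):
    """True if an Allow statement for a Federated (SAML) principal grants both
    sts:AssumeRoleWithSAML and sts:SetSourceIdentity (actions are case-insensitive)."""
    required = {"sts:assumerolewithsaml", "sts:setsourceidentity"}
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "Federated" not in principal:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if required <= actions:
            return True
    return False

# Constructed CloudTrail-style records: one assumed-role session whose SAML
# assertion carried a SourceIdentity, one whose assertion did not.
EVENTS = [
    {"eventName": "CreateBucket", "userIdentity": {"type": "AssumedRole",
        "sessionContext": {"sourceIdentity": "MY-DISPLAY-NAME"}}},
    {"eventName": "PutObject", "userIdentity": {"type": "AssumedRole",
        "sessionContext": {}}},
]

def source_identity_of(event):
    """SourceIdentity of the session that made the call, or None when the session
    was created without one (the symptom described in the question)."""
    ctx = event.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("sourceIdentity")

def events_missing_source_identity(events):
    """Names of events whose calling session carries no sourceIdentity."""
    return [e["eventName"] for e in events if source_identity_of(e) is None]
```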
0

I need to revoke sessions when IAM role chaining happens. IAM roles created by SSO are read-only and cannot be modified, so I am unable to add the following permission to them: sts:setSourceIdentity, as defined in https://aws.amazon.com/blogs/security/how-to-integrate-aws-sts-sourceidentity-with-your-identity-provider/. That means the propagation of the attribute to the next role will not happen.

Also, I cannot see the SourceIdentity parameter anywhere within CloudTrail logs, whereas the article suggests it will be present in every action performed, such as create bucket etc.

I am trying to understand if the article doesn't apply to SSO (Identity Center) integration with IdP?

answered 10 months ago
