SSO passing Group via Assertion

I am trying to pass the name of the Group to the SSO application. I found that I can use ${user:groups} and it passes the following:

<saml2:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12345</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12346</saml2:AttributeValue>
</saml2:Attribute>

Is there a way to pass the name of the group, or just the GUID (S-1-2-34...)? I have run across some services that don't allow the use of // in their fields.

asked 2 years ago · 829 views
1 Answer
Hello,

Based on the information shared in the post, it looks like you are using AD as the identity source for AWS SSO.

Firstly, I would like to mention that the ${user:groups} is not officially endorsed and supported by AWS SSO.

Secondly, the currently supported attributes are mentioned below [1].

${user:AD_GUID}
${user:email}
${user:familyName}
${user:givenName}
${user:middleName}
${user:name}
${user:preferredUsername}
${user:subject}

Although ${user:groups} is not supported, it returns the GUID but not the name itself. The GUID is the only possible value that can be returned right now, as SSO does not support group-level attributes.

A temporary workaround can be to retrieve the group name and then configure application attributes with that group name by string method itself, if that helps.

For example -

User Attribute in the application -> groups

Maps to this string value or use attribute in AWS SSO -> group-dev

Result -

<saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">group-dev</saml2:AttributeValue>
</saml2:Attribute>

However, please note that since this attribute is not dynamic, the same value will be sent for all the users who will federate into that application. As such, it might not be very helpful. But you can use the above specified method if constant group value helps.

That said, please note that the group name is not contained in any attribute as of now. However, there is an existing feature request for support of a group attribute for AWS SSO. I have gone ahead and added your voice to this feature request. While I am unable to comment on if/when this feature may get released, I request you to keep an eye on our What's New [2] and Blog [3] pages for any new feature announcements.

References:

[1] https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedssoattributes

[2] https://aws.amazon.com/new/

[3] https://aws.amazon.com/blogs/aws/

AWS SUPPORT ENGINEER Yash_C
answered 2 years ago
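The question shows the `memberOf` attribute carrying `domain//SID` strings, and the answer shows a static `groups` attribute. The block below is an added example, not code from the question, the answer or AWS, showing how a service provider could read both attribute shapes from an AttributeStatement: it extracts the SID from each `domain//SID` value (which also sidesteps the `//` that some services reject in their fields), discards values that do not parse as a SID or that name an unexpected domain, and maps SIDs to names through a lookup the service provider maintains itself. The sample XML is constructed with made-up SIDs, the `sid_to_name` table is a stand-in for whatever directory lookup the service provider actually has, and the parsing assumes the assertion's signature has already been verified upstream.

```python
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Rough shape check for a Windows security identifier: S-1-<authority>-<subauthority>...
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample AttributeStatement (values are made up, not real SIDs) in the
# shape of the memberOf attribute from the question plus the static groups attribute
# from the answer. In production, parse only after the assertion's signature has
# been verified, and prefer a hardened XML parser such as defusedxml.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml2:AttributeStatement
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <saml2:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12345</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12346</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xsd:string">other.domain.int//S-1-2-34-111111111-222222222-333333333-99</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xsd:string">ad.domain.int//not-a-sid</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xsi:type="xsd:string">group-dev</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# Hypothetical SID-to-name table; a real SP would fill this from its own directory lookup.
SID_TO_NAME = {
    "S-1-2-34-984837712-606030259-670590003-12345": "group-dev",
    "S-1-2-34-984837712-606030259-670590003-12346": "group-ops",
}


def attribute_values(statement_xml, name):
    """Return the string values of every saml2:Attribute whose Name matches."""
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != name:
            continue
        for value in attr.findall(f"{{{SAML2_NS}}}AttributeValue"):
            values.append((value.text or "").strip())
    return values


def split_group_reference(value):
    """Split 'domain//SID' into (domain, sid); return None if the value is not in that shape."""
    domain, separator, sid = value.partition("//")
    if not separator or not domain or not SID_RE.match(sid):
        return None
    return domain, sid


def group_sids(statement_xml, expected_domain):
    """Collect the SIDs from memberOf, keeping only well-formed values from the expected AD domain."""
    sids = []
    for value in attribute_values(statement_xml, "memberOf"):
        parsed = split_group_reference(value)
        if parsed is None or parsed[0].lower() != expected_domain.lower():
            continue
        sids.append(parsed[1])
    return sids


def resolve_group_names(sids, sid_to_name):
    """Map SIDs to group names via the SP's own lookup; unknown SIDs are dropped, not guessed."""
    return [sid_to_name[sid] for sid in sids if sid in sid_to_name]


if __name__ == "__main__":
    sids = group_sids(SAMPLE_ATTRIBUTE_STATEMENT, "ad.domain.int")
    print("SIDs:", sids)
    print("names:", resolve_group_names(sids, SID_TO_NAME))
    print("static groups attribute:", attribute_values(SAMPLE_ATTRIBUTE_STATEMENT, "groups"))
```

Filtering on the expected domain matters because the SID alone does not say which directory issued it; two forests can be federated through the same identity provider, and the SP should only grant membership for groups it actually recognises.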
