
Unable to map AWS SSO Attributes to SAML Assertion values


Hi,

I am sending the following user-level attributes as part of the SAML assertion from Okta.

Attribute 1 name: https://aws.amazon.com/SAML/Attributes/AccessControl:team
Attribute 1 value: user.team
Attribute 2 name: https://aws.amazon.com/SAML/Attributes/AccessControl:Division
Attribute 2 value: user.division

Below are configured Attributes for access control in SSO (tried many combinations):

Key        Value
team       ${path:team}
Division   ${path:division}
ad         ${path:appdiv}
Mteam      ${path:user.team}
MDivision  ${path:user.division}
Mname      ${path:name.givenName}

CloudTrail history entry for SAML:

"requestParameters": {
        "sAMLAssertionID": "_1f0a7019-a9bb-461d-afc3-4e468e29f36c",
        "roleSessionName": "saxxxxxla@xxxx.com ",
        "principalTags": {
            "MDivision": "",
            "Mname": "Sandeep",
            "Mteam": "",
            "Division": "",
            "team": "",
            "ad": ""
        },

I cannot see team and Division getting populated.

I used SAML tracer to see the assertion detail going from Okta to AWS: Okta is sending the attributes with values populated.

Any thoughts on where I am going wrong?

Thanks
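The two diagnostics the question describes, a SAML tracer capture of the assertion and the CloudTrail AssumeRoleWithSAML record, can be compared mechanically. The script below is an added example, not code from the original post: it extracts every AccessControl:* attribute from a constructed sample assertion and reports which of them arrived as an empty or absent principalTags entry in a constructed CloudTrail fragment modelled on the one quoted above.

```python
# Added example (not from the original post): compare the AccessControl:*
# attributes an IdP sent in a SAML assertion with the principalTags that
# CloudTrail recorded for the resulting AssumeRoleWithSAML call, and list the
# tags that were sent but never became session tags. Both inputs below are
# constructed sample data modelled on the values quoted in the question.
import json
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACCESS_CONTROL_PREFIX = "https://aws.amazon.com/SAML/Attributes/AccessControl:"

# Constructed sample assertion; only the AttributeStatement is needed here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:team">
      <saml:AttributeValue>platform</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:Division">
      <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample CloudTrail fragment with the empty tags the question shows.
SAMPLE_EVENT = json.loads("""{"requestParameters": {"principalTags":
  {"Mname": "Sandeep", "Mteam": "", "Division": "", "team": ""}}}""")

def access_control_attrs(assertion_xml: str) -> dict:
    """Return {tag_key: value} for every AccessControl:* attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    tags = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if name.startswith(ACCESS_CONTROL_PREFIX):
            value = attr.find("saml:AttributeValue", SAML_NS)
            text = (value.text or "").strip() if value is not None else ""
            tags[name[len(ACCESS_CONTROL_PREFIX):]] = text
    return tags

def missing_session_tags(assertion_xml: str, cloudtrail_event: dict) -> dict:
    """Tags the IdP sent whose principalTags entry is absent or empty in CloudTrail."""
    sent = access_control_attrs(assertion_xml)
    received = cloudtrail_event.get("requestParameters", {}).get("principalTags", {})
    return {key: val for key, val in sent.items() if not received.get(key)}

if __name__ == "__main__":
    # prints {'team': 'platform', 'Division': 'engineering'}
    print(missing_session_tags(SAMPLE_ASSERTION, SAMPLE_EVENT))
```

A non-empty result means the assertion carried the attribute but the session did not receive it, so the problem lies in how the attributes are mapped on the AWS side rather than in the IdP configuration.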

2 Answers

I'm wondering if it's because attributes for access control have a list of supported attributes.

From documentation, "The following table lists all external identity provider (IdP) attributes that are supported and that can be mapped to attributes you can use when configuring Attributes for access control in AWS SSO. When using SAML assertions, you can use whichever attributes your IdP supports."

https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedidpattributes

Could you try ${path:enterprise.division} and see if that works?

Examples of supported values: ${path:enterprise.employeeNumber} ${path:enterprise.costCenter} ${path:enterprise.organization} ${path:enterprise.division} ${path:enterprise.department} ${path:enterprise.manager.value}

jsonc
answered 2 days ago

Just delete all configured attributes from Attributes for access control in the AWS web console. It will just work with SAML assertions.

posquit0
answered a day ago
