Host name value in Custom Identity Provider

0

Does anyone know if it is possible to get the hostname used to connect to the SFTP inside the Custom Identity Provider?

The host name is something that could be used in the authentication process.

Also, the documentation suggests that multiple hostnames are possible. However, the examples I've seen suggest the config of only one. Are multiple hostnames supported for a single SFTP server?

Thanks.

TTF2019
asked 4 years ago, 11 views
8 Answers
0
Accepted Answer

Unfortunately that information is lost by the time it reaches the Lambda that queries your Custom Identity Provider. Are you trying to use custom hostnames for namespaces? There may be other ways, such as putting it as a part of the user name and separating by underscores or hyphens?

answered 4 years ago
0

The hostname for your server created using a PUBLIC endpoint is:
<server-id>.server.transfer.<region>.amazonaws.com
so it looks like:
s-xxxxxx.server.transfer.us-east-1.amazonaws.com

If you are using the Console, we create a CNAME record from your custom hostname to the server hostname above. To learn more about how we do this, refer to the docs below:
https://docs.aws.amazon.com/transfer/latest/userguide/requirements-dns.html
Alternatively you can map any custom hostname (and any number of them) yourself by pointing them to resolve to the server hostname above.

Let me know if this answers your question

Thanks

answered 4 years ago
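The answer above describes the public endpoint hostname and says any number of custom hostnames can be CNAMEd to it. The following is an added example (not code from the thread or from AWS) that builds the Route 53 change batch for several custom hostnames pointing at one server endpoint and checks, against a constructed table of CNAME answers, that a hostname actually ends up at the expected endpoint. The server ID, region, hostnames and the CNAME table are constructed; the server ID pattern (`s-` followed by 17 hex characters) and the region sanity check are assumptions made for input validation.

```python
import re

# Assumed input validation: Transfer server IDs look like s-0123456789abcdef0
# (17 hex chars) and regions like us-east-1 / us-gov-west-1. Rejecting junk
# here prevents a typo from silently creating a CNAME to a non-existent host.
_SERVER_ID_RE = re.compile(r"^s-[0-9a-f]{17}$")
_REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def transfer_endpoint(server_id: str, region: str) -> str:
    """Public endpoint hostname described in the answer above."""
    if not _SERVER_ID_RE.match(server_id):
        raise ValueError(f"not a Transfer server id: {server_id!r}")
    if not _REGION_RE.match(region):
        raise ValueError(f"not an AWS region: {region!r}")
    return f"{server_id}.server.transfer.{region}.amazonaws.com"


def cname_change_batch(custom_hostnames, server_id: str, region: str, ttl: int = 300) -> dict:
    """Route 53 ChangeBatch mapping every custom hostname to the same endpoint.

    UPSERT keeps the call idempotent, so re-running it after adding a site
    only adds the new record. The dict is the shape accepted by
    boto3.client("route53").change_resource_record_sets(ChangeBatch=...).
    """
    target = transfer_endpoint(server_id, region)
    return {
        "Comment": f"custom hostnames for {server_id}",
        "Changes": [
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": host.rstrip(".") + ".",  # Route 53 names are fully qualified
                    "Type": "CNAME",
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": target}],
                },
            }
            for host in custom_hostnames
        ],
    }


def resolves_to_endpoint(hostname: str, cname_records: dict, expected_endpoint: str, max_hops: int = 5) -> bool:
    """Follow a CNAME chain in a lookup table and confirm it ends at the endpoint.

    cname_records maps lowercase owner name -> CNAME target. A bounded hop count
    guards against loops, and any chain that dead-ends or lands elsewhere is a
    misconfiguration (a stale record handing the hostname to someone else).
    """
    name = hostname.rstrip(".").lower()
    expected = expected_endpoint.rstrip(".").lower()
    for _ in range(max_hops):
        if name == expected:
            return True
        nxt = cname_records.get(name)
        if nxt is None:
            return False
        name = nxt.rstrip(".").lower()
    return False


# Constructed sample data for a stand-alone run.
EXAMPLE_SERVER_ID = "s-0123456789abcdef0"
EXAMPLE_REGION = "us-east-1"
EXAMPLE_ENDPOINT = transfer_endpoint(EXAMPLE_SERVER_ID, EXAMPLE_REGION)
CONSTRUCTED_CNAMES = {
    "sftp.site1.com": EXAMPLE_ENDPOINT,
    "sftp.site2.com": "alias.example.net",          # indirect, but still correct
    "alias.example.net": EXAMPLE_ENDPOINT,
    "sftp.stale.com": "s-ffffffffffffffff0.server.transfer.us-east-1.amazonaws.com",
    "loop-a.example.net": "loop-b.example.net",
    "loop-b.example.net": "loop-a.example.net",
}

if __name__ == "__main__":
    batch = cname_change_batch(["sftp.site1.com", "sftp.site2.com"], EXAMPLE_SERVER_ID, EXAMPLE_REGION)
    print(batch)
    for host in CONSTRUCTED_CNAMES:
        print(host, resolves_to_endpoint(host, CONSTRUCTED_CNAMES, EXAMPLE_ENDPOINT))
```

In a real deployment, replace `CONSTRUCTED_CNAMES` with answers from a resolver and run the check after every DNS change; the CNAME only changes where the name resolves, so every hostname mapped this way presents the same server host key and the same identity provider, which is the reason the hostname cannot be recovered later in the Lambda.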
0

Thanks, that helps.

Do you know if it is possible to get the custom hostname value used to connect to the server inside the Custom Identity Provider?

TTF2019
answered 4 years ago
0

We work with multiple clients who would like the appearance of their own SFTP server and that custom hostname would serve as a sort of user context. The user could potentially have access to different user contexts. We would prefer that the same user (userid, password) could be used to access different sites. But their home folder visibility under each one should be specific to the context they log in to.

For example user1 has access to sftp.site1.com and sftp.site2.com. We don't want the user to have to manage separate accounts/passwords for site1 and site2. At the same time, we would rather avoid the user having the same home folder, and have to manually separate their files by using subfolders like /site1 and /site2.

So the desired behaviour would be, the user logs into site1, the custom auth identifies the login was from site1 and maybe sets their home directory to be /site1/user1/. If they log into site2, then similarly they would have a home directory of /site2/user1/. While the user has access to both sites, their data should not really mix together, so that is why we were hoping to avoid simply using subfolders like /site1 and /site2 within a single home directory.

Can you think of any way we could accomplish something like this?

Edited by: TTF2019 on Apr 15, 2019 4:40 AM

TTF2019
answered 4 years ago
0

In addition to accessing the hostname in the custom identity provider, we would see value in being able to identify the hostname that was used to upload a file.

We will be using the Metadata 'user-agent-id' on the s3 object to determine who uploaded the file and it would be great if another Metadata field could include the hostname used for the upload.

Heck, maybe the public IP address of the uploader could be added to the Metadata too?

Maybe even better if the custom identity provider could return values during auth to be added to the metadata of uploaded files by that authenticated user.

TTF2019
answered 3 years ago
0

That's an interesting use case of contextual access for an authenticated user. The details are helpful. If I'm understanding correctly any context would be helpful - even source IP address of the end user?

answered 3 years ago
0

Yeah I started with hostname with the idea that a username could be unique, per hostname, rather than require a globally unique username. With no other available info the identity provider has to maintain a single globally unique user pool of usernames.

The IP would be of interest for audit logging, and possibly a manual implementation of Account locking or brute force attack monitoring, but I believe that AWS may already be working on whitelisting support? If true, the IP might be of more interest in the s3 object metadata for a bit of an audit trail.

TTF2019
answered 3 years ago
0

For anyone else that may be looking at this, it appears aws has added the ability to get the sourceIP value within the custom identity provider lambda function.

https://aws.amazon.com/about-aws/whats-new/2020/06/aws-transfer-family-enables-source-ip-as-a-factor-for-authorization/

It appears that getting the hostname is still not supported.

TTF2019
answered 2 years ago
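Since the hostname never reaches the Lambda, the three workable pieces in this thread are the accepted answer's suggestion (carry the site in the username with a separator), the requester's desired result (the same credentials landing in /site1/user1 or /site2/user1 depending on the site), and the later post's note that `sourceIp` is now passed to the identity provider Lambda. The following is an added example, not code from the thread or from AWS, of a custom identity provider handler that combines them. The user store, salt, bucket names, CIDR allowlists and role ARN are constructed for illustration; the event keys (`username`, `password`, `sourceIp`) and response keys (`Role`, `HomeDirectoryType`, `HomeDirectoryDetails`) are those the Lambda integration uses.

```python
import hashlib
import hmac
import ipaddress
import json

ROLE_ARN = "arn:aws:iam::123456789012:role/transfer-user-role"  # assumed role


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store. In practice this comes from Secrets Manager or
# DynamoDB with a random per-user salt; the hash is computed here only so the
# example runs stand-alone. Note there is ONE credential per user, shared by
# every site the user is entitled to.
_SALT = b"constructed-per-user-salt"
USERS = {
    "user1": {"salt": _SALT, "hash": _pbkdf2("correct horse battery", _SALT),
              "sites": {"site1", "site2"}},
}

# Constructed per-site config: which source CIDRs may reach the site and which
# bucket holds its data. Separate buckets (or at least prefixes) are what keep
# site1 and site2 data from ever sharing a directory tree.
SITES = {
    "site1": {"cidrs": ["203.0.113.0/24"], "bucket": "example-site1-data"},
    "site2": {"cidrs": ["198.51.100.0/24", "203.0.113.0/24"], "bucket": "example-site2-data"},
}


def parse_login(username: str):
    """'site1_user1' -> ('site1', 'user1'); None when the convention is not met."""
    site, sep, user = username.partition("_")
    if not sep or not site or not user:
        return None
    return site, user


def source_ip_allowed(source_ip: str, cidrs) -> bool:
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def authenticate(event: dict) -> dict:
    """Return the Transfer Family response for a successful login, or {} to deny.

    Every denial path returns the same empty dict so the response does not
    reveal whether the site, the user, the IP or the password was the factor
    that failed.
    """
    parsed = parse_login(event.get("username", ""))
    if parsed is None:
        return {}
    site, user = parsed
    site_cfg = SITES.get(site)
    record = USERS.get(user)
    if site_cfg is None or record is None or site not in record["sites"]:
        return {}
    # sourceIp is supplied in the event; a per-site allowlist is the
    # "source IP as a factor for authorization" use from the final post.
    if not source_ip_allowed(event.get("sourceIp", ""), site_cfg["cidrs"]):
        return {}
    password = event.get("password")
    if password is None:
        # No password means an SSH key attempt: the service expects a
        # PublicKeys list in the response. This example registers none.
        return {}
    if not hmac.compare_digest(_pbkdf2(password, record["salt"]), record["hash"]):
        return {}
    # Logical directory mapping: the client sees "/" but is rooted at
    # /<site>/<user> inside that site's bucket, so the same user logging in
    # through site2 gets a disjoint tree.
    target = f"/{site_cfg['bucket']}/{site}/{user}"
    return {
        "Role": ROLE_ARN,
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryDetails": json.dumps([{"Entry": "/", "Target": target}]),
    }


def lambda_handler(event, context):
    return authenticate(event)


if __name__ == "__main__":
    sample = {"username": "site1_user1", "password": "correct horse battery",
              "sourceIp": "203.0.113.7", "protocol": "SFTP", "serverId": "s-0123456789abcdef0"}
    print(authenticate(sample))
```

The logical mapping only restricts what the SFTP client can see; the IAM role still governs what the session can actually read. In practice the response should also carry a session `Policy` scoped to the same `/<site>/<user>` prefix, otherwise a permissive role would let a user reach the other site's prefix through any path the mapping does not expose.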
