I'm not sure if/how the username comes through from Okta in the SAML assertion, but you can access various attributes from it in an IAM policy [1]. The username would generally be the SAML subject, so ${saml:sub} is worth a try. You can use a tool like SAML Tracer to examine the response and determine which attribute is best [2].
There is additional AWS guidance on uniquely identifying SAML federated users here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html#CreatingSAML-userid and more general information about policy variables here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-infotouse
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-saml
[2] https://developer.okta.com/docs/guides/saml-tracer/main/
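As an added illustration (not part of the answer above), here is an IAM identity-based policy that uses the ${saml:sub} policy variable to confine each federated user to their own S3 prefix; the bucket name `example-federated-home` and the `home/` layout are placeholders, and the policy assumes the role's trust policy already accepts assertions from the Okta SAML provider.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyTheCallersOwnPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-federated-home",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "home/${saml:sub}",
            "home/${saml:sub}/*"
          ]
        }
      }
    },
    {
      "Sid": "ReadWriteOnlyTheCallersOwnObjects",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-federated-home/home/${saml:sub}/*"
    }
  ]
}
```

Because ${saml:sub} is resolved from the assertion at request time, the same policy document serves every user of the role; verify in SAML Tracer that the subject is stable and contains only characters that are safe in an S3 key before relying on it for isolation.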