documentation:latest:applications:aws [2018/01/16 11:15]
coudot created
documentation:latest:applications:aws [2018/03/23 07:05] (current)
====== Amazon Web Services ======
  
[[https://aws.amazon.com|Amazon Web Services]] allows one to delegate authentication through SAML2.
  
===== SAML =====
  * Assuming you use the web interface to manage lemonldap, go to General Parameters -> Authentication parameters -> LDAP parameters -> Exported variables. Here set the key to the LDAP attribute and the value to something sensible. I keep them the same to make it easy.
  * Now go to *Variables -> Macros*. Here set up variables which will be computed based on the attributes you exported above. You will need to emit strings in this format ''arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name''. The parts you need to change are ''account-number'', ''role-name1'' and ''provider-name''. The last two will be the provider name and role names you just set up in AWS.
  * Perl works in here, so something like this is valid: ''aws_eu_role'' -> ''$ou =~ /sysadmin/ ? "arn:aws..." : "arn:..."''. Note that the match operator needs the regex delimiters (''/sysadmin/''), and that an unanchored pattern also matches values such as ''notsysadmin''; anchor it (''/^sysadmin$/'') when the role grants privileges you do not want to hand out by accident.
  * If it is easier, split multiple roles into different macros. Then tie all the variables you define together into one string, concatenating them with whatever is in General Parameters -> Advanced Parameters -> Separator. Actually click into this field and move around with the arrow keys to see if there is a space, since spaces can be part of the separator.
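The macro logic from the steps above, as an added stand-alone Perl script (it is not part of the LemonLDAP::NG documentation or code): it evaluates the same expressions you would type into the Macros screen against constructed session values, so you can check the resulting ''Role'' attribute string before pasting the expressions into the manager. The account number, role names, provider name and separator are placeholders you must replace with your own values; the attribute names ''Role'' and ''RoleSessionName'' are the ones AWS expects in the SAML assertion.

```perl
#!/usr/bin/perl
# Added example, not from the LemonLDAP::NG project: simulates the macros
# described above outside the manager. $ou and $uid stand in for the LDAP
# attributes exported as session variables; everything else is a placeholder.
use strict;
use warnings;

# Placeholders: the AWS account id and the names created in IAM (assumed).
my $account  = '123456789012';
my $provider = 'lemonldap';

# The value configured in General Parameters -> Advanced Parameters -> Separator.
# Assumed to be "; " here; check the real field, it may contain a space.
my $separator = '; ';

# Builds the exact "role-arn,provider-arn" pair AWS requires for one role.
sub aws_role_pair {
    my ($role) = @_;
    return "arn:aws:iam::${account}:role/${role},"
         . "arn:aws:iam::${account}:saml-provider/${provider}";
}

# Equivalent of the macros, computed from the exported $ou attribute.
sub build_roles {
    my ($ou) = @_;

    # Macro aws_eu_role: anchored match, so "notsysadmin" does not get the admin role.
    my $aws_eu_role = $ou =~ /^sysadmin$/
        ? aws_role_pair('EUAdmin')
        : aws_role_pair('EUReadOnly');

    # Macro aws_us_role: a second role for sysadmins only, empty otherwise.
    my $aws_us_role = $ou =~ /^sysadmin$/ ? aws_role_pair('USAdmin') : '';

    # Macro aws_roles: join the non-empty pieces with the configured separator.
    return join $separator, grep { length } ($aws_eu_role, $aws_us_role);
}

# Constructed users: one real sysadmin and one whose ou merely contains the word.
for my $user ( { uid => 'jdoe',   ou => 'sysadmin' },
               { uid => 'asmith', ou => 'notsysadmin' } ) {
    my $roles = build_roles( $user->{ou} );
    printf "%-7s Role=%s\n        RoleSessionName=%s\n",
        $user->{uid}, $roles, $user->{uid};
}
```

Run it with ''perl aws_roles.pl''; ''jdoe'' gets both the EU and US admin pairs joined by the separator, while ''asmith'' only gets the read-only pair, which is the behaviour an unanchored ''/sysadmin/'' would not give you. The ''RoleSessionName'' line shows the second attribute to export (here the ''uid''), since AWS rejects assertions that carry roles but no session name.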