Difference between revisions of "SAML Role Attribute"
(4 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
+ | |||
+ | |||
+ | == AWS SAML Role Attribute == | ||
+ | https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html | ||
+ | |||
+ | You can use an Attribute element with the Name attribute set to https://aws.amazon.com/SAML/Attributes/Role. This element contains one or more AttributeValue elements that list the IAM identity provider and role to which the user is mapped by your IdP. The [[IAM role]] and [[IAM identity provider]] are specified as a comma-delimited pair of ARNs in the same format as the RoleArn and PrincipalArn parameters that are passed to <code>[[AssumeRoleWithSAML]]</code>. This element must contain at least one role-provider pair (AttributeValue element), and can contain multiple pairs. If the element contains multiple pairs, then the user is asked to choose which role to assume when they use WebSSO to sign into the AWS Management Console. | ||
+ | |||
+ | Important | ||
+ | The value of the Name attribute in the Attribute tag is case-sensitive. It must be set to https://aws.amazon.com/SAML/Attributes/Role exactly. | ||
+ | |||
+ | <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"> | ||
+ | <AttributeValue>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</AttributeValue> | ||
+ | <AttributeValue>arn:aws:iam::account-number:role/role-name2,arn:aws:iam::account-number:saml-provider/provider-name</AttributeValue> | ||
+ | <AttributeValue>arn:aws:iam::account-number:role/role-name3,arn:aws:iam::account-number:saml-provider/provider-name</AttributeValue> | ||
+ | </Attribute> | ||
* Read: https://forums.aws.amazon.com/thread.jspa?messageID=632472򚚘 | * Read: https://forums.aws.amazon.com/thread.jspa?messageID=632472򚚘 | ||
Line 6: | Line 21: | ||
* [[SAML response]] | * [[SAML response]] | ||
* [[Attribute]]s | * [[Attribute]]s | ||
− | https://aws.amazon.com/SAML/Attributes/Role | + | * https://aws.amazon.com/SAML/Attributes/Role |
== See also == | == See also == |
Latest revision as of 10:17, 30 November 2021
AWS SAML Role Attribute[edit]
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html
You can use an Attribute element with the Name attribute set to https://aws.amazon.com/SAML/Attributes/Role. This element contains one or more AttributeValue elements that list the IAM identity provider and role to which the user is mapped by your IdP. The IAM role and IAM identity provider are specified as a comma-delimited pair of ARNs in the same format as the RoleArn and PrincipalArn parameters that are passed to AssumeRoleWithSAML
. This element must contain at least one role-provider pair (AttributeValue element), and can contain multiple pairs. If the element contains multiple pairs, then the user is asked to choose which role to assume when they use WebSSO to sign into the AWS Management Console.
Important The value of the Name attribute in the Attribute tag is case-sensitive. It must be set to https://aws.amazon.com/SAML/Attributes/Role exactly.
<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"> <AttributeValue>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</AttributeValue> <AttributeValue>arn:aws:iam::account-number:role/role-name2,arn:aws:iam::account-number:saml-provider/provider-name</AttributeValue> <AttributeValue>arn:aws:iam::account-number:role/role-name3,arn:aws:iam::account-number:saml-provider/provider-name</AttributeValue> </Attribute>
Related[edit]
See also[edit]
- SAML, IdP, AWS SAML, AWS IAM, AWS SAML endpoint,
SAML:EduPersonOrgDN, SAML Role Attribute, assume-role-with-saml
- SAML, IdP, Assertion, Attribute, SCIM, Amazon Cognito, OpenID Connect (OIDC), SAML response,
SAML:EduPersonOrgDN
, Assertion Consumer Service (ACS), SAML examples,Entity ID
,Name ID
,SAMLResponse, saml-provider, saml2aws
,aws_iam_saml_provider
Advertising: