How to use the SAML 2.0 and AD FS implementing API and CLI access control

By Alfred Kennedy, 2015-02-07 13:28

    AWS supports identity federation using SAML (Security Assertion Markup Language) 2.0. With SAML, you can configure your AWS account to integrate with your identity provider (IdP). Once configured, your organization's IdP authenticates and authorizes your federated users, who can then sign in to the AWS Management Console with single sign-on. This not only spares your users from remembering yet another user name and password, it also simplifies identity management for administrators. That approach works well when federated users want to use the AWS Management Console. But what about when they want to use the AWS CLI or call the AWS API programmatically?

    In this post I will show you how to implement federated API and CLI access for your users. The example uses the AWS Python SDK together with some additional client-side code. If you have users who need this kind of access, implementing it lets you manage them with confidence.

    Let's start with a quick look at the goal.

    janedoe@Ubuntu64:/tmp$ ./
    Username: AD\janedoe
    Password: ****************
    Please choose the role you would like to assume:
    [ 0 ]: arn:aws:iam::012345678987:role/ADFS-Administrators
    [ 1 ]: arn:aws:iam::012345678987:role/ADFS-Operators
    Selection: 1

    Your new access key pair has been stored in the aws configuration
    file /home/janedoe/.aws/credentials under the saml profile.
    Note that it will expire at 2015-05-26T17:16:20Z.
    After this time you may safely rerun this script to refresh your
    access key pair.
    To use this credential call the aws cli with the --profile option
    (e.g. aws --profile saml ec2 describe-instances).

    Simple API example listing all s3 buckets:
    [, , , , ]

    From the output above, we can clearly see:

    1. The system prompts the federated user for her Active Directory credentials. These credentials are used to authenticate and authorize the user against the configured IdP.

    2. The system inspects the returned SAML assertion to determine which IAM (Identity and Access Management) roles the user is authorized to assume. After the user selects the role she wants, the system uses AWS STS (Security Token Service) to obtain temporary security credentials.

    3. The system automatically writes those credentials to her local AWS credentials file, and she can immediately start making AWS API or CLI calls.

    4. Once you have obtained the sample and customized it for your organization, you can improve your users' ability to automate against the AWS API and CLI using your organization's credentials, while keeping the controls that AWS IAM provides.
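    As an added example (not the article's own script), the following Python shows how the four steps above map to code: parsing the Role attribute out of the SAML assertion, the STS exchange, and writing the temporary keys under a named profile in the credentials file. It assumes boto (the AWS Python SDK the prerequisites name, 2.36 or newer) for the STS call, which is the only part that needs network access; the sample assertion, the region and the profile name "saml" are constructed here.

```python
# Added example (not the article's script): parse the Role attribute from a
# SAMLResponse, exchange it for temporary keys with STS, and store them under a
# named profile in ~/.aws/credentials. Parsing and file rendering run offline;
# assume_role() needs boto (assumed >= 2.36) and a real assertion from your IdP.
import base64
import configparser
import io
import os
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample assertion (unsigned, for parsing only); the account ID and
# role names mirror the session shown in the article.
_SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::012345678987:role/ADFS-Administrators,arn:aws:iam::012345678987:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::012345678987:saml-provider/ADFS,arn:aws:iam::012345678987:role/ADFS-Operators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(_SAMPLE_XML.encode()).decode()


def parse_roles(saml_response_b64):
    """Return [(role_arn, principal_arn), ...] from a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iter("{%s}AttributeValue" % SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                continue  # malformed value: skip rather than guess
            # Some IdPs list the provider ARN first; detect it instead of
            # trusting the order, otherwise STS rejects the swapped pair.
            if ":saml-provider/" in parts[0]:
                principal_arn, role_arn = parts
            else:
                role_arn, principal_arn = parts
            roles.append((role_arn, principal_arn))
    return roles


def assume_role(role_arn, principal_arn, saml_response_b64, region="us-west-2"):
    """Exchange the assertion for temporary keys (boto 2.x STS; not run offline)."""
    import boto.sts  # assumption: boto >= 2.36 installed, as the prerequisites require
    conn = boto.sts.connect_to_region(region)
    token = conn.assume_role_with_saml(role_arn, principal_arn, saml_response_b64)
    c = token.credentials
    return c.access_key, c.secret_key, c.session_token, c.expiration


def render_credentials(existing_text, profile, access_key, secret_key, session_token):
    """Return the credentials file text with `profile` added or replaced,
    leaving every other profile (for example [default]) untouched."""
    config = configparser.RawConfigParser()
    config.read_string(existing_text)
    if not config.has_section(profile):
        config.add_section(profile)
    config.set(profile, "aws_access_key_id", access_key)
    config.set(profile, "aws_secret_access_key", secret_key)
    config.set(profile, "aws_session_token", session_token)
    out = io.StringIO()
    config.write(out)
    return out.getvalue()


def write_saml_profile(path, profile, access_key, secret_key, session_token):
    """Rewrite the credentials file owner-only (0600): it now holds live keys."""
    existing = open(path).read() if os.path.exists(path) else ""
    text = render_credentials(existing, profile, access_key, secret_key, session_token)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    roles = parse_roles(SAMPLE_SAML_RESPONSE)
    for i, (role_arn, _) in enumerate(roles):
        print("[ %d ]: %s" % (i, role_arn))
    # With a real assertion: pick an index, call assume_role(), then
    # write_saml_profile(os.path.expanduser("~/.aws/credentials"), "saml", ...)
```

    Two points worth noting. The client never validates the assertion's signature itself; STS does that, and the client trusts the assertion only because it fetched it from the IdP over a verified TLS connection. And the credentials file is written with mode 0600 because after this step it contains live, if short-lived, keys; when they reach the expiration STS returned, simply rerun the script.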

    This post focuses on Microsoft Active Directory Federation Services (AD FS). If you use a similar product from another vendor, don't be discouraged: the basic building blocks should work with other common IdPs as well.

    In order to follow this post, you must have:

    1. Integrated AD FS correctly with your AWS account using your organization's credentials, so that you can access the console. If you need setup instructions, refer to Enabling Federation to AWS using Windows Active Directory, ADFS, and SAML 2.0.

    2. Installed a recent version (2.36 or newer) of the AWS Python SDK on your local workstation.

    3. Obtained a minimal AWS credentials file (for example ~/.aws/credentials), with its contents adjusted as below to your preferred region and output format:

    [default]
    output = json
    region = us-west-2
    aws_access_key_id =
    aws_secret_access_key =

    Important: no AWS access keys appear in the configuration above, because the initial AWS STS call is authenticated by the SAML assertion returned by the trusted IdP. All subsequent API and CLI calls are authenticated with the keys contained in the AWS STS token. For more information, refer to Giving AWS Console Access to Federated Users Using SAML.

    First, you need to install two modules that are not part of the core Python distribution: beautifulsoup4 and requests-ntlm. There are several ways to install them, but pip, which is bundled with Python 2.7.9 or newer, makes it easy. You just need to run the following two commands.

    First, run the following command:

    pip install beautifulsoup4

    Then run the following command:

    pip install requests-ntlm

    You should get output similar to the following screenshots:
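    As an added example (not the article's script), this is the step those two modules are installed for: authenticating to AD FS with NTLM using requests-ntlm and pulling the SAMLResponse out of the HTML form AD FS returns. The form parsing here uses only the standard library so it runs offline (the article's own code uses beautifulsoup4 for that part); the AD FS host name is a placeholder and the sample HTML responses are constructed.

```python
# Added example (not the article's script): obtain the SAMLResponse from AD FS.
# The network step assumes requests and requests-ntlm (the pip steps above);
# the form parsing uses only the standard library so it runs offline.
from getpass import getpass
from html.parser import HTMLParser

# Assumption: the IdP-initiated sign-on URL of your AD FS server (host is a placeholder).
IDP_ENTRY_URL = ("https://adfs.example.com/adfs/ls/IdpInitiatedSignOn.aspx"
                 "?loginToRp=urn:amazon:webservices")


class HiddenInputParser(HTMLParser):
    """Collects hidden <input> fields; AD FS posts the assertion to AWS as one of them."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_saml_response(html):
    """Return the base64 SAMLResponse value, or None if the page carries none
    (AD FS serves its login page again when the credentials were rejected)."""
    parser = HiddenInputParser()
    parser.feed(html)
    return parser.fields.get("SAMLResponse")


def fetch_saml_response(url, username, password):
    """Authenticate to AD FS over NTLM and return the SAMLResponse (needs network)."""
    import requests  # assumption: installed alongside requests-ntlm
    from requests_ntlm import HttpNtlmAuth
    session = requests.Session()
    session.auth = HttpNtlmAuth(username, password)
    # Keep certificate verification on: the assertion is only trustworthy
    # because it came from the real IdP over an authenticated TLS channel.
    resp = session.get(url, verify=True)
    resp.raise_for_status()
    saml = extract_saml_response(resp.text)
    if saml is None:
        raise RuntimeError("AD FS returned no SAMLResponse; check the user name and password")
    return saml


# Constructed sample of the form AD FS returns after a successful sign-on
# (the SAMLResponse value is a placeholder, not a real assertion).
SAMPLE_SUCCESS_HTML = """<html><body>
<form method="POST" action="https://signin.aws.amazon.com/saml">
  <input type="hidden" name="SAMLResponse" value="UExBQ0VIT0xERVI=" />
  <input type="hidden" name="RelayState" value="" />
</form></body></html>"""

# Constructed sample of the login page AD FS shows again when authentication fails.
SAMPLE_LOGIN_HTML = """<html><body><form method="POST">
  <input type="text" name="UserName" /><input type="password" name="Password" />
</form></body></html>"""


if __name__ == "__main__":
    username = input("Username: ")     # e.g. AD\\janedoe
    password = getpass("Password: ")    # read without echo, never written to disk
    print(fetch_saml_response(IDP_ENTRY_URL, username, password)[:40] + "...")
```

    The failure-mode check matters in practice: a wrong password does not produce an HTTP error from AD FS, it produces a 200 response containing the login form again, so the script has to notice the missing SAMLResponse field rather than hand an empty string to STS.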