Useful links

Two Attributes are required for the SAML Assertions to AWS

*Note – SAML sessions with AWS are only valid for up to 1 hour, for more information take a look at AssumeRoleWithSAML

Configuring the BIG-IP

Configure BIG-IP IdP Service

Create new External SP Connectors

Navigate to Access Policy > SAML > BIG-IP as IDP > External SP Connecotrs ,and Import the metadata from AWS and name it aws.amazon.com

*Note – The AWS metadata file can be found here AWS Metadata File

SAML_SP-Capture01

Create new IdP Service

Under Local IdP Services create the IdP service that will be used for IdP Initiated SAML with AWS

General Settings

SAML_IdP-Capture01

  • The IdP Service Name value is arbitrary and is used uniquely identify the configuration element
  • The IdP Entity ID value is used to uniquely identify this SAML resource within the Service Providers sso configuration

Assertion Settings

SAML_IdP-Capture02

  • The Assertion Subject Type is used by the Service Provider to identify the type and format of the Subject (Different SP’s have different requirements for this field, a majority of the time Entity Identifier or Unspecified will work)
  • The Assertion Subject Value contains the primary identifier of the user

SAML Attributes

There are two SAML attributes that are required for the SAML assertion. The first one is used to identify the Username that will be associated to the session and the second will identify the AWS Security Role that should be assigned to the session

Attribute Name Attribute Value
https://aws.amazon.com/SAML/Attributes/Role arn:aws:iam::[Account #]:role/%{session.samlresource.aws.role},arn:aws:iam::[Account #]:saml-provider/[IdP Name]
https://aws.amazon.com/SAML/Attributes/RoleSessionName %{session.logon.last.logonname}

 

SAML_IdP-Capture03

 

*Note – If you are having a hard time identifying your account number you can find it listed on the Identify Providers tab under Amazon Web Services > Identity & Access Management >  [IdP Name] after importing the metadata file for your Identify Provider

Security Settings

The security settings tab is used to identify the certificate that should be used to sign and verify the SAML Assertion.

SAML_IdP-Capture04

Bind SP Connector

Under Local IdP Services click the checkbox next to your newly created IdP service and select Bind/Unbind SP Connectors, search for the SP Connector you created earlier and click the checkbox next to it.

Export IdP Service Metadata

Under Local IdP Services click the checkbox next to your newly created IdP service and select Export Metadata. Store this file for later, it will be needed when we configure AWS.

Create new SAML Resource

Navigate to Access Policy > SAML > SAML Resource and Import the metadata from AWS and name it aws.amazon.com

SAML Resources are assigned to users within the APM visual policy editor, these resources can be assigned based on group membership or other logic.

SAML_Resource-Capture01

*Note – The Publish on Webtop checkbox is only required for Portal initiated SAML Assertions (IdP Initiated). 

Configure BIG-IP APM Access Policy

*Note – This section assumes you have already created the required APM Access Profile, if you need more information on creating an Access Profile please see Creating an access profile

VPE Initial Configuration

Typically when working with the Visual Policy Editor you will see a logical flow that looks similar to the image below. Users are presented with a login page that collects their credentials and then validates them against an authentication database of some type (In this case Active Directory).

SAML_VPE-Capture01

Update VPE to query for additional attributes

To enable VPE to intelligently assign AWS Security Role we need to update the configuration to use the AD Query resource object. This object will allow us to identify the group membership attributes of a user.

The only Required Attribute in this configuration is memberof

SAML_VPE-Capture02

Assign AWS Roles (Basic)

Step 1 – Group Membership

Following the successful AD Auth branch add the Empty resource object and set the branch rules to filter based on AD Group Membership

SAML_VPE-Capture02-5

SAML_VPE-Capture03

The expression logic should look similar to the snippet listed below

expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=aws_SamlAdmin," }

Step 2 – Populate Assertion Roles

For each branch specified in Step 1 add a Variable Assign resource object. Each Variable Assign object should contain an entry specifying that the variable session.samlresource.aws.role will be set to a defined string of text.

*Note – the session.samlresource.aws.role maps to the variable we specified earlier in this document when creating the IdP Service

Assuming that you will assign three different groups the following maps should work

  • Administrator
    • session.samlresource.aws.role
    • SamlAdmin
  • Power User
    • session.samlresource.aws.role
    • SamlPowerUser
  • Read Only
    • session.samlresource.aws.role
    • SamlReadOnly

SAML_VPE-Capture04

SAML_VPE-Capture04-2

SAML_VPE-Capture04-1

After you create all of the required variables it should look similar to the screenshot below

SAML_VPE-Capture04-3

Assign AWS Roles (Advanced)

It is possible to achieve the same results above using a single resource object within the VPE, to do this we will use the Variable Assign resource object. The only difference is we will us conditional logic within the “Custom Expression” section when setting the variable value.

*Note – the session.samlresource.aws.role maps to the variable we specified earlier in this document when creating the IdP Service

Assuming that you will assign three different groups the following maps should work

  • Administrator
    • session.samlresource.aws.role
    • SamlAdmin
  • Power User
    • session.samlresource.aws.role
    • SamlPowerUser
  • Read Only
    • session.samlresource.aws.role
    • SamlReadOnly

SAML_VPE-Capture04

SAML_VPE-Capture05-1

SAML_VPE-Capture05-2

As you can see this results in a much simpler VPE policy

SAML_VPE-Capture05-3

Assign AWS SAML Resource

Now that we have created the logic to populate the appropriate variables we need to assign the SAML Resource, to do this we will use the Advanced Resource Assign object.

After adding the Advanced Resource Assign object add the SAML resource we created earlier and a webtop object.

SAML_VPE-Capture05

SAML_VPE-Capture07

SAML_VPE-Capture08

Now when users login to the Federation Portal they should see an Icon that will initiate a SAML Assertion to the AWS Management Console.

*Note 1 => The SAML assertion will be invalid until the AWS portion of this configuration is complete

*Note 2 => The VPE logic setup in the Assign AWS Roles (Advanced) section will display the AWS icon for all users regardless if they are in the right AD Security Groups. To only display the AWS icon for the appropriate groups additional VPE logic will be required.

Configure Amazon Web Services

Import Metadata File

After logging into the AWS Management Console browse to Amazon Web Services > Identity & Access Management >  Identify Providers and select Create Provider

*Note – This section assumes that you exported a copy of your metadata file after creating your IdP Service earlier.

SAML_AWS-Capture01

Configure AWS Security Roles

After importing your Identify Provider into the AWS Management Console browse to Amazon Web Services > Identity & Access Management >  Roles and select Create New Role.

*Note – You will need to repeat this section for each AWS Role you want to map to a different SAML Assertion attribute.

Set Role Name

The Role Name should map to the SAML Assertion value defined earlier when creating the VPE variables section

SAML_AWS-Capture02-1

Select Role Type

When specifying the Role Type expand Role for Identify Provider Access and select Grant Web Single Sign-On (WebSSO) access to SAML providers

SAML_AWS-Capture02-2

Establish Trust

Select the SAML Provider that you created earlier when importing the metadata file

SAML_AWS-Capture02-2_5

Attach Policy

This section is used to assign permissions to the session that will be created for the user during their SAML Session. In this snippet I searched for Administrator but you can also find policies for PowerUser and ReadOnly

SAML_AWS-Capture02-3

 

After saving your configuration you should now be able to initiate a SAML session from your IdP.