Configuration Example: BIG-IP APM as SAML IdP for Amazon Web Services
Hello,
The AWS SSO endpoint can consume multiple attribute values (roles) for the attribute https://aws.amazon.com/SAML/Attributes/Role provided by the IdP assertion. The result is an AWS UI prompting the end-user to choose a role to sign in as. To support this use case on the BIG-IP APM as IdP you will need to accomplish the following for each IdP auth attempt:
1. Iterate through AD group membership
2. For every AD group associated with an AWS role, add the whole AWS role string to a list of AWS roles
3. Assign the AWS role list to a session variable
4. Assign the AWS role list session variable to the AWS role attribute in the IdP settings
Note: The final solution is the configuration discussed in this article, with the caveat of changing the variable assign action in the VPE logic and changing the AWS role attribute's value to the session variable in the IdP configuration object. I.e., this procedure is used instead of "Assign AWS Roles (Basic)" and "Assign AWS Roles (Advanced)" from this article, and could be referred to as "Assign AWS Roles (Advanced+)":
To accomplish steps 1-3, create a variable assign action in the VPE, or edit the existing one, just after AD query, with variable session.samlresource.aws.roles and the following VPE TCL expression:
# Start with a leading pipe. BIG-IP (v12.1.0+) splits the attribute value on
# pipe characters into individual attribute values in the assertion.
set roles "|";
# Group DNs returned by the preceding AD Query action.
set groups [mcget {session.ad.last.attr.memberOf}];
foreach group $groups {
    # Match each group DN by its CN prefix (glob match); the first matching branch wins.
    switch -glob $group {
        "CN=[AD Group Name]*" {
            # Append "<role ARN>,<saml-provider ARN>" followed by a pipe separator.
            append roles " arn:aws:iam::[Account ]:role/[Role Name],arn:aws:iam::[Account ]:saml-provider/[IdP Name] |"
        }
        "CN=[AD Group Name]*" {
            append roles " arn:aws:iam::[Account ]:role/[Role Name],arn:aws:iam::[Account ]:saml-provider/[IdP Name] |"
        }
        "CN=[AD Group Name]*" {
            append roles " arn:aws:iam::[Account ]:role/[Role Name],arn:aws:iam::[Account ]:saml-provider/[IdP Name] |"
        }
    }
};
# The returned string becomes the value of session.samlresource.aws.roles.
return $roles;
Note 1: You will need to substitute values for [AD Group Name], [Account ], [Role Name] and [IdP Name] that are appropriate for your environment.
Note 2: The space between '"' and 'arn:aws' in the VPE TCL expression is on purpose and important to leave as is.
Note 3: The resulting roles string will be in the format "| role | role | role |". The significance of this format comes from a BIG-IP as IdP feature introduced in BIG-IP v12.1.0 where each attribute value between the pipe characters becomes an individual attribute value in the assertion. For example, the attribute value "| role | role | role |" for attribute name https://aws.amazon.com/SAML/Attributes/Role will become the following in the assertion:
role
role
role
To accomplish step 4, within the IdP configuration object, create a SAML attribute with name https://aws.amazon.com/SAML/Attributes/Role, or edit the existing one, and value %{session.samlresource.aws.roles}.
Final note: I have proven this use case on BIG-IP as IdP and confirmed that the assertion generated by it contains the multi-attribute values appropriate for an AWS SSO endpoint to consume. However, I have yet to test it with an AWS SSO endpoint. If anyone implements this use case then a comment describing your experience (did it work? did it fail?) would be much appreciated.
Regards, Jacob
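The following is an added Python model of the logic described in the post above; it is not BIG-IP code and not part of the original post. It mirrors the VPE expression (prefix-match AD group DNs, append "role-arn,provider-arn" entries into a pipe-delimited string), emulates the BIG-IP v12.1.0+ behaviour of splitting that string into individual attribute values, and then checks that each resulting value has the "role ARN,saml-provider ARN" shape AWS expects before it is trusted in an assertion. The group names, account number and role names are constructed placeholders, and the ARN check is deliberately conservative (it rejects role names containing commas, since a comma is the separator within the attribute value).

```python
import re

# Constructed mapping: AD group CN prefix -> (role ARN, saml-provider ARN).
# All values are placeholders, not real accounts or roles.
GROUP_TO_ROLE = {
    "CN=AWS-Admins": (
        "arn:aws:iam::111111111111:role/Admin",
        "arn:aws:iam::111111111111:saml-provider/BIGIP-IdP",
    ),
    "CN=AWS-ReadOnly": (
        "arn:aws:iam::111111111111:role/ReadOnly",
        "arn:aws:iam::111111111111:saml-provider/BIGIP-IdP",
    ),
}

# Constructed sample of what session.ad.last.attr.memberOf might hold.
SAMPLE_MEMBER_OF = [
    "CN=AWS-Admins,OU=Groups,DC=example,DC=com",
    "CN=Staff,OU=Groups,DC=example,DC=com",          # no AWS role mapped
    "CN=AWS-ReadOnly,OU=Groups,DC=example,DC=com",
]

# Conservative ARN shapes: 12-digit account, role name without commas.
ARN_ROLE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
ARN_PROVIDER = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")


def build_roles_string(member_of):
    """Mirror the VPE expression: start with '|', then append ' role,provider |'
    for every group DN whose CN prefix is mapped. First matching prefix wins."""
    roles = "|"
    for group in member_of:
        for prefix, (role_arn, provider_arn) in GROUP_TO_ROLE.items():
            if group.startswith(prefix):          # approximates switch -glob "CN=...*"
                roles += f" {role_arn},{provider_arn} |"
                break
    return roles


def split_multi_value(attr_value):
    """Emulate BIG-IP v12.1.0+: each non-empty field between pipes becomes one
    attribute value (surrounding whitespace is dropped)."""
    return [v.strip() for v in attr_value.split("|") if v.strip()]


def validate_role_value(value):
    """True if value is 'role-arn,provider-arn' with both ARNs well-formed and
    in the same account. Anything else would be rejected by AWS or is ambiguous."""
    parts = value.split(",")
    if len(parts) != 2:
        return False
    role_match = ARN_ROLE.match(parts[0])
    provider_match = ARN_PROVIDER.match(parts[1])
    if not role_match or not provider_match:
        return False
    return role_match.group(1) == provider_match.group(1)


def assertion_role_values(member_of):
    """End-to-end: group DNs -> roles string -> validated list of attribute values.
    Raises if any produced value is malformed, so a bad mapping fails loudly."""
    values = split_multi_value(build_roles_string(member_of))
    bad = [v for v in values if not validate_role_value(v)]
    if bad:
        raise ValueError(f"malformed Role attribute value(s): {bad}")
    return values


if __name__ == "__main__":
    for v in assertion_role_values(SAMPLE_MEMBER_OF):
        print(v)
```

A user who is in no mapped group yields the string "|", which splits to an empty list: the assertion then carries no Role attribute values and AWS will refuse the sign-in, which is the desired fail-closed behaviour rather than a default role.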