Recursive MemberOF


Recursive MemberOF

vklavi
Hi!

I am trying to use Shibboleth IdP to enable SSO with AWS (multiple accounts).
Now I am using sourceAttributeID="memberOf" to determine whether a user can log in to a specific account. The problem is that sourceAttributeID="memberOf" does not check the user's membership in subgroups.
E.g.: I have USER_A inside group GROUP_A, and GROUP_A is a member of group UPPER_GROUP_A. So when I try to list the users inside UPPER_GROUP_A, I cannot see USER_A.

In other words, how can I use sourceAttributeID="memberOf" to list the users that are members of subgroups in an existing group?

Re: Recursive MemberOF

martinb_peninsula
I am attempting to do the same exact recursive memberOf for AWS.
I have many users in many groups that I need to add to an AWS group. AD does not by default recursively pull memberOf; see the PowerShell examples. Even in PowerShell, you have to get the memberOf, then run Get-ADGroup on each group returned. I am skeptical that Shibboleth has built-in functionality for this.

Re: Recursive MemberOF

martinb_peninsula
I found this: Generate eduPersonAffiliation based on recursive group membership in Active Directory, where the example uses another dataConnector to recursively query AD for groups. I'll be testing this out and will post my results.

Re: Recursive MemberOF

martinb_peninsula
I was able to get this to work. I had to change a few attributes before the additional LDAP connector would work.

The formatting in the link above for the dataConnector can't be copied/pasted into the XML; the first dataConnector line had to be on the same line.
Then, searchTimeLimit had to be set to "0". My distinguishedName attributeDefinition had to be lowercase for the sourceAttributeID as well.


My awsRoles attributeDefinition looks like this:
<resolver:AttributeDefinition id="awsRoles" xsi:type="ad:Mapped">
  <resolver:Dependency ref="memberOf"/>
  <resolver:AttributeEncoder
    xsi:type="enc:SAML2String"
    name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="RoleEntitlement" />
  <ad:ValueMap>
    <ad:ReturnValue>arn:aws:iam::[your-id]:saml-provider/YOUR-IDP,arn:aws:iam::[your-id]:role/PSD-IDP-$1</ad:ReturnValue>
    <ad:SourceValue>CN=AWS-([^,]*),.*</ad:SourceValue>
  </ad:ValueMap>
</resolver:AttributeDefinition>

I can successfully log into Amazon, where AWS groups only have members that are other groups. The attributeDefinition correctly returns recursive memberOf.

The only issue is in my idp-warn.log it says mergeResults property no longer supported and should be removed. I haven't tested without this attribute.
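As an added example, not code from the thread, from Shibboleth or from the linked wiki page, the following Python sketch shows what the recursive resolution discussed above amounts to: it expands a user's memberOf transitively over a constructed in-memory stand-in for the directory (no live LDAP query), stops on the group cycles that nested AD groups can form, and then applies the same CN=AWS-([^,]*),.* ValueMap from the last post to both the direct and the expanded group set. All DNs, the account id and the provider name are constructed placeholders.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample directory: object DN -> values of its memberOf attribute.
# It mirrors the first post: USER_A is a direct member only of GROUP_A, GROUP_A
# is a member of UPPER_GROUP_A, and the AWS role group contains only other groups.
# UPPER_GROUP_A is deliberately also listed as a member of GROUP_A to form a cycle.
MEMBER_OF: Dict[str, List[str]] = {
    "CN=USER_A,OU=People,DC=example,DC=org": [
        "CN=GROUP_A,OU=Groups,DC=example,DC=org",
    ],
    "CN=GROUP_A,OU=Groups,DC=example,DC=org": [
        "CN=UPPER_GROUP_A,OU=Groups,DC=example,DC=org",
    ],
    "CN=UPPER_GROUP_A,OU=Groups,DC=example,DC=org": [
        "CN=AWS-ReadOnly,OU=AWS,DC=example,DC=org",
        "CN=GROUP_A,OU=Groups,DC=example,DC=org",  # cycle: GROUP_A -> UPPER_GROUP_A -> GROUP_A
    ],
    "CN=AWS-ReadOnly,OU=AWS,DC=example,DC=org": [],
}

USER_A = "CN=USER_A,OU=People,DC=example,DC=org"


def direct_member_of(dn: str, directory: Dict[str, List[str]]) -> Set[str]:
    """What a plain memberOf lookup returns: only the groups the object is listed in."""
    return set(directory.get(dn, []))


def recursive_member_of(dn: str, directory: Dict[str, List[str]]) -> Set[str]:
    """Transitive closure of memberOf (the 'recursive' behaviour the thread asks for).

    Each group is visited once, so mutually nested groups cannot loop forever.
    """
    seen: Set[str] = set()
    pending = list(directory.get(dn, []))
    while pending:
        group = pending.pop()
        if group in seen:
            continue
        seen.add(group)
        pending.extend(directory.get(group, []))
    return seen


# The SourceValue regex from the awsRoles definition in the last post.  Shibboleth's
# ad:Mapped ValueMap matches the whole attribute value, so fullmatch() is used here.
AWS_SOURCE_VALUE = re.compile(r"CN=AWS-([^,]*),.*")


def aws_roles(groups: Iterable[str], account_id: str, provider: str) -> List[str]:
    """Apply the ValueMap: each matching group DN yields 'provider-arn,role-arn' with $1 substituted."""
    roles: List[str] = []
    for dn in sorted(groups):
        match = AWS_SOURCE_VALUE.fullmatch(dn)
        if match:
            roles.append(
                f"arn:aws:iam::{account_id}:saml-provider/{provider},"
                f"arn:aws:iam::{account_id}:role/PSD-IDP-{match.group(1)}"
            )
    return roles


if __name__ == "__main__":
    # Constructed account id and provider name standing in for [your-id] / YOUR-IDP.
    account, provider = "111111111111", "YOUR-IDP"
    print("direct   :", aws_roles(direct_member_of(USER_A, MEMBER_OF), account, provider))
    print("recursive:", aws_roles(recursive_member_of(USER_A, MEMBER_OF), account, provider))
```

With the direct lookup the user reaches no AWS role at all, which is exactly the symptom in the first post; after the transitive expansion the nested AWS-ReadOnly group is found and mapped. When the expansion is done against a real directory, the set of visited groups should be bounded the same way, since a group that is (indirectly) a member of itself is legal in AD.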