I am trying to use Shibboleth IdP to enable SSO with AWS (multiple accounts).
Now I am using sourceAttributeID="memberOf" to determine if a user can log in to a specific account. The problem is that sourceAttributeID="memberOf" does not check the user's membership in subgroups.
E.g.: I have USER_A inside group GROUP_A, and GROUP_A is a member of group UPPER_GROUP_A. So when I try to list users inside UPPER_GROUP_A, I cannot see USER_A.
In other words, how can I use sourceAttributeID="memberOf" to list the users that are members of subgroups of an existing group?
I am attempting to do the same exact recursive memberOf for AWS.
I have many users in many groups that I need to add to an AWS group. AD does not by default recursively pull MemberOf; see the PowerShell examples. Even in PowerShell, you have to get the MemberOf, then run get-ADGroup on each group returned. I am skeptical that Shibboleth has built-in functionality for this.
I was able to get this to work. I had to change a few attributes before the additional ldap connector would work.
The formatting in the link above for the dataConnector can't be copied/pasted into the XML; the first dataConnector line had to be on the same line.
Then, searchTimeLimit had to be set to "0". My distinguishedName attributeDefinition had to be lowercase for the sourceAttributeID as well.
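As an added illustration of the nesting problem raised in the question and the recursive lookup described in the replies (example code, not from the thread and not Shibboleth's connector logic), the Python below walks nested membership over a constructed directory shaped like USER_A / GROUP_A / UPPER_GROUP_A, and builds the Active Directory filter that makes the server do the same expansion. All DNs are constructed; the `DIRECTORY` dict stands in for LDAP query results, and the `1.2.840.113556.1.4.1941` matching rule works only against Active Directory.

```python
from collections import deque

def G(cn): return f"CN={cn},OU=Groups,DC=example,DC=com"   # constructed group DN
def U(cn): return f"CN={cn},OU=Users,DC=example,DC=com"    # constructed user DN

# Constructed sample directory (group DN -> direct member DNs), shaped like the
# question: USER_A is in GROUP_A, which is in UPPER_GROUP_A. A plain memberOf
# read on USER_A yields only GROUP_A. GROUP_B/GROUP_C form a cycle, which nested
# AD groups can contain, so the walk below must tolerate it.
DIRECTORY = {
    G("UPPER_GROUP_A"): [G("GROUP_A"), U("USER_B")],
    G("GROUP_A"): [U("USER_A")],
    G("GROUP_B"): [G("GROUP_C")],
    G("GROUP_C"): [G("GROUP_B"), U("USER_C")],
}

def direct_member_of(dn, directory=DIRECTORY):
    """What a plain memberOf read returns: groups that list dn directly."""
    return {g for g, members in directory.items() if dn in members}

def transitive_member_of(dn, directory=DIRECTORY):
    """Every group dn reaches through any nesting depth (cycle-safe BFS)."""
    seen, queue = set(), deque([dn])
    while queue:
        for group in direct_member_of(queue.popleft(), directory):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen

def transitive_members(group_dn, directory=DIRECTORY):
    """Flatten a group: every user DN reachable through nested groups."""
    seen, queue, users = {group_dn}, deque([group_dn]), set()
    while queue:
        for m in directory.get(queue.popleft(), []):
            if m in directory:          # a nested group: expand it once
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
            else:
                users.add(m)
    return users

def ldap_escape(value):
    """RFC 4515 filter escaping so a DN cannot alter the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def in_chain_filter(user_dn):
    """AD-only LDAP_MATCHING_RULE_IN_CHAIN: server returns all nested groups."""
    return f"(member:1.2.840.113556.1.4.1941:={ldap_escape(user_dn)})"
```

For an authorization rule keyed on UPPER_GROUP_A, `transitive_members` is the set the rule must actually consider; `direct_member_of` is what a non-recursive memberOf attribute gives you.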