docs: update aws and gitlab docs
This commit is contained in:
parent
6966c119a7
commit
d696d854ff
|
@ -24,10 +24,49 @@ You can of course use a custom signing certificate, and adjust durations.
|
||||||
|
|
||||||
Create a role with the permissions you desire, and note the ARN.
|
Create a role with the permissions you desire, and note the ARN.
|
||||||
|
|
||||||
AWS requires two custom PropertyMappings; `Role` and `RoleSessionName`. Create them as following:
|
After you've created the Property Mappings below, add them to the Provider.
|
||||||
|
|
||||||
![](./property-mapping-role.png)
|
Create an application, assign policies, and assign this provider.
|
||||||
|
|
||||||
![](./property-mapping-role-session-name.png)
|
Export the metadata from passbook, and create an Identity Provider [here](https://console.aws.amazon.com/iam/home#/providers).
|
||||||
|
|
||||||
Afterwards export the metadata from passbook, and create an Identity Provider [here](https://console.aws.amazon.com/iam/home#/providers).
|
#### Role Mapping
|
||||||
|
|
||||||
|
The Role mapping specifies the AWS ARN(s) of the identity provider, and the role the user should assume ([see](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-attribute)).
|
||||||
|
|
||||||
|
This Mapping needs to have the SAML Name field set to "https://aws.amazon.com/SAML/Attributes/Role"
|
||||||
|
|
||||||
|
As expression, you can return a static ARN like so
|
||||||
|
|
||||||
|
```python
|
||||||
|
return "arn:aws:iam::123412341234:role/saml_role,arn:aws:iam::123412341234:saml-provider/passbook"
|
||||||
|
```
|
||||||
|
|
||||||
|
Or, if you want to assign AWS Roles based on Group membership, you can add a custom attribute to the Groups, for example "aws_role", and use this snippet below. Groups are sorted by name and later groups overwrite earlier groups' attributes.
|
||||||
|
|
||||||
|
```python
|
||||||
|
role_name = user.group_attributes().get("aws_role", "")
|
||||||
|
return f"arn:aws:iam::123412341234:role/{role_name},arn:aws:iam::123412341234:saml-provider/passbook"
|
||||||
|
```
|
||||||
|
|
||||||
|
If you want to allow a user to choose from multiple roles, use this snippet
|
||||||
|
|
||||||
|
```python
|
||||||
|
return [
|
||||||
|
"arn:aws:iam::123412341234:role/role_a,arn:aws:iam::123412341234:saml-provider/passbook",
|
||||||
|
"arn:aws:iam::123412341234:role/role_b,arn:aws:iam::123412341234:saml-provider/passbook",
|
||||||
|
"arn:aws:iam::123412341234:role/role_c,arn:aws:iam::123412341234:saml-provider/passbook",
|
||||||
|
]
|
||||||
|
```
|
||||||
|
|
||||||
|
### RoleSessionName Mapping
|
||||||
|
|
||||||
|
The RoleSessionMapping specifies what identifier will be shown at the top of the Management Console ([see](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-session-attribute)).
|
||||||
|
|
||||||
|
This mapping needs to have the SAML Name field set to "https://aws.amazon.com/SAML/Attributes/RoleSessionName".
|
||||||
|
|
||||||
|
To use the user's username, use this snippet
|
||||||
|
|
||||||
|
```python
|
||||||
|
return user.username
|
||||||
|
```
|
||||||
|
|
Binary file not shown.
Before Width: | Height: | Size: 65 KiB |
Binary file not shown.
Before Width: | Height: | Size: 66 KiB |
|
@ -19,6 +19,7 @@ Create an application in passbook and note the slug, as this will be used later.
|
||||||
- ACS URL: `https://gitlab.company/users/auth/saml/callback`
|
- ACS URL: `https://gitlab.company/users/auth/saml/callback`
|
||||||
- Audience: `https://gitlab.company`
|
- Audience: `https://gitlab.company`
|
||||||
- Issuer: `https://gitlab.company`
|
- Issuer: `https://gitlab.company`
|
||||||
|
- Binding: `Post`
|
||||||
|
|
||||||
You can of course use a custom signing certificate, and adjust durations. To get the value for `idp_cert_fingerprint`, you can use a tool like [this](https://www.samltool.com/fingerprint.php).
|
You can of course use a custom signing certificate, and adjust durations. To get the value for `idp_cert_fingerprint`, you can use a tool like [this](https://www.samltool.com/fingerprint.php).
|
||||||
|
|
||||||
|
@ -41,7 +42,7 @@ gitlab_rails['omniauth_providers'] = [
|
||||||
args: {
|
args: {
|
||||||
assertion_consumer_service_url: 'https://gitlab.company/users/auth/saml/callback',
|
assertion_consumer_service_url: 'https://gitlab.company/users/auth/saml/callback',
|
||||||
idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',
|
idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',
|
||||||
idp_sso_target_url: 'https://passbook.company/application/saml/<passbook application slug>/login/',
|
idp_sso_target_url: 'https://passbook.company/application/saml/<passbook application slug>/sso/binding/post/',
|
||||||
issuer: 'https://gitlab.company',
|
issuer: 'https://gitlab.company',
|
||||||
name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
|
name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
|
||||||
attribute_statements: {
|
attribute_statements: {
|
||||||
|
|
Reference in New Issue