1. Introduction

In part 1 of this article, I explained how NetIQ Access Manager can be configured as a trusted Identity Provider to enable single sign-on to the AWS Management Console with a single role (a constant value) using SAML federation.

Since you can configure multiple roles in AWS based on your organization's requirements, and you manage user identities and entitlements inside your organization, you need some control over how your organization's entitlements are mapped to AWS roles dynamically.

In this part I will explain how you can map your organization's AD groups to AWS IAM roles with the help of Attribute Retrieval and Transformation (Virtual Attributes).

Refer to the link below for more information:

https://www.netiq.com/documentation/access-manager-42/admin/data/b1caobu1.html#userattributeretrievalandtransformation

2. Configuration

Follow Part 1 of this article to configure NetIQ Access Manager as a trusted Identity Provider that POSTs a SAML assertion (with a static role ARN) to the AWS SSO endpoint.

The following configuration explains how the AD group (configured as a Data Source) and the AWS IAM role can be mapped dynamically. This enables role-based (AD-group-based) access to the AWS Management Console.

2.1 Create AWS Roles

You already created the awsEC2FullAccess role as per the solution given in Part 1.

Now create IAM roles for RDS Full Access, S3 Read Only, and S3 Full Access. Make sure you choose the proper IAM permissions while creating the roles.

fig1

fig2

fig3

2.2 Create Groups in LDAP (User Store) and assign users to the groups

Create the following groups in LDAP (the NAM user store) and assign the end users to the groups as per your requirement. Each group name must match exactly the name of the corresponding AWS IAM role created in Section 2.1, because the group name is used verbatim in the role ARN. The following four groups are created in LDAP.

(i) awsEC2FullAccess

(ii) awsS3FullAccess

(iii) awsS3ReadOnly

(iv) awsRDSFullAccess

2.3 Create Data Source

In the Administration Console, click Devices -> Identity Server -> Shared Settings -> Data Sources.

(i) Click on the + to add a data source.

1

(ii) Select LDAP as the Data Source type, fill in all the connection details and test the connectivity.

2

2.4 Create Attribute Source

In the Administration Console, click Devices -> Identity Server -> Shared Settings -> Virtual Attributes -> Attribute Source.

(i) Click on + to add an attribute source

3

(ii) Specify a name and description for the attribute source, and select the Data Source created in step 2.3.

Provide input parameters: This is the input parameter name (P1). It must carry a value (such as user id, employee id or global id) that uniquely identifies the user in the Data Source you created in step 2.3.

In my example, I have given sAMAccountName as the unique identifier.

Provide query and output parameters: Specify an LDAP filter that must use the input details specified in Provide input parameters section.

In my example, the NAM user store (i.e. the IDP user store) and the Data Source (i.e. the user attribute retrieval source) are the same directory, and I want to retrieve the user's group membership to build the AWS Role array with a virtual attribute.

Filter: sAMAccountName=%P1%

Filter Output Name: memberOf

4

(iii) Once you have configured the Attribute Source, test the configuration by enabling the "Show / Add Test Values?" checkbox. Provide a valid user id as the Test Value and click the Test button.

5

Provide the LDAP admin credentials which you have used while creating the Data Source in step 2.3.

You should get a Test Result of Success and a list of the user's group memberships.

7

If you have any issues, please check the log at /opt/novell/nam/adminconsole/logs/catalina.out file on Admin Console server.

2.5 Create Virtual Attribute

In the Administration Console, click Devices -> Identity Server -> Shared Settings -> Virtual Attributes -> Virtual Attribute.

(i) Click + to create a virtual attribute.

8

(ii) Specify a name for the virtual attribute and description.

Configure Provide input parameters:

Name: P1

Parameter Value: memberOf

Configure Provide a modification function:

Select a function: Advanced: Javascript

Script: Copy and paste the following JavaScript and replace <aws account number> with your AWS account number.

    function main(P1) {
        return mapGroups(P1);
    }

    // Turn the user's memberOf values into AWS "Role" attribute values
    // of the form "<role-arn>,<provider-arn>".
    function mapGroups(attribute) {
        var result = [];
        var role_arn = 'arn:aws:iam::<aws account number>:role/';
        var provider_arn = ',arn:aws:iam::<aws account number>:saml-provider/NAM-IDP';
        if (attribute instanceof Array) {
            // user is in several groups: memberOf arrives as an array of DNs
            var j = 0;
            for (var i = 0; i < attribute.length; i++) {
                var grp = checkGroup(attribute[i]);
                if (grp != 'NA')
                    result[j++] = role_arn + grp + provider_arn;
            }
        } else {
            // user is in a single group: memberOf arrives as one DN string
            var grp = checkGroup(attribute);
            if (grp != 'NA')
                result[0] = role_arn + grp + provider_arn;
        }
        return result;
    }

    // Return the CN of a group DN that starts with "CN=aws", otherwise 'NA'.
    function checkGroup(group) {
        if (/^CN=aws.*,/.test(group) == true) {
            var startindex = 3; // skip the leading "CN="
            var endindex = group.indexOf(",");
            return group.substring(startindex, endindex);
        } else {
            return 'NA';
        }
    }

This script does the following for you:

  1. Loops through all values of the memberOf attribute (i.e. the user's group memberships) and keeps a group only if its name starts with aws.
  2. Builds an array of the following strings and returns it to the virtual attribute:

“arn:aws:iam::<aws-account-number>:role/<group-name-starts-with-aws>,arn:aws:iam::<aws-account-number>:saml-provider/NAM-IDP”
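As an added, stand-alone Node.js example (not the post's own script; the account number, provider name, user id and group DNs are constructed placeholders), the same memberOf-to-Role mapping, tightened to an explicit allow-list of the four groups from section 2.2 rather than the "starts with aws" prefix match, so that an unrelated group whose name happens to begin with aws is never turned into a role ARN. It also renders the two attributes mapped in section 2.6 (Role and RoleSessionName) the way they appear in the assertion, and runs the section 3 case of a user in awsEC2FullAccess and awsS3ReadOnly, which must yield exactly two Role values.

```javascript
// Added example, not part of the original post. Account id, provider name,
// user id and DNs below are constructed sample values.
const ACCOUNT_ID = '123456789012';      // placeholder AWS account number
const PROVIDER = 'NAM-IDP';             // SAML provider name from Part 1
const ALLOWED_GROUPS = new Set([        // section 2.2 groups; must equal the IAM role names
  'awsEC2FullAccess', 'awsS3FullAccess', 'awsS3ReadOnly', 'awsRDSFullAccess',
]);

// Constructed memberOf value for the section 3 test user.
const SAMPLE_MEMBER_OF = [
  'CN=awsEC2FullAccess,OU=Groups,DC=example,DC=com',
  'CN=Domain Users,CN=Users,DC=example,DC=com',
  'CN=awsS3ReadOnly,OU=Groups,DC=example,DC=com',
  'CN=awsPrinterAdmins,OU=Groups,DC=example,DC=com', // starts with aws but is not a role
];

// Extract the CN of a group DN ("CN=awsS3ReadOnly,OU=...") -> "awsS3ReadOnly".
// Returns null when the DN does not start with a CN= component.
function groupNameFromDn(dn) {
  const m = /^CN=([^,]+),/i.exec(String(dn).trim());
  return m ? m[1] : null;
}

// Build one AWS "Role" attribute value: "<role-arn>,<provider-arn>".
function roleAttributeValue(groupName) {
  return `arn:aws:iam::${ACCOUNT_ID}:role/${groupName}` +
         `,arn:aws:iam::${ACCOUNT_ID}:saml-provider/${PROVIDER}`;
}

// Equivalent of the post's mapGroups(): accept a single DN or an array of DNs
// (LDAP returns a single string when the user is in exactly one group) and
// return one Role value per allow-listed group, without duplicates.
function mapGroups(memberOf) {
  const dns = Array.isArray(memberOf) ? memberOf : [memberOf];
  const roles = [];
  for (const dn of dns) {
    const name = groupNameFromDn(dn);
    if (name === null || !ALLOWED_GROUPS.has(name)) continue;
    const value = roleAttributeValue(name);
    if (!roles.includes(value)) roles.push(value);
  }
  return roles;
}

// Render the Role and RoleSessionName attributes from section 2.6 as they
// appear inside the assertion's AttributeStatement. The attribute Names are
// the ones AWS expects for SAML federation; the element layout is simplified.
function attributeStatement(roles, sessionName) {
  const esc = (s) => String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
  const attr = (name, values) =>
    `<Attribute Name="https://aws.amazon.com/SAML/Attributes/${name}">` +
    values.map((v) => `<AttributeValue>${esc(v)}</AttributeValue>`).join('') +
    '</Attribute>';
  return '<AttributeStatement>' +
    attr('Role', roles) + attr('RoleSessionName', [sessionName]) +
    '</AttributeStatement>';
}

// Section 3 walk-through: the user gets exactly two Role values.
const roles = mapGroups(SAMPLE_MEMBER_OF);
console.log(roles);
console.log(attributeStatement(roles, 'jdoe'));

module.exports = { mapGroups, groupNameFromDn, roleAttributeValue, attributeStatement, SAMPLE_MEMBER_OF };
```

The allow-list is the main change from the post's script: with the prefix match, any directory group whose CN begins with aws becomes a role ARN in the assertion, and AWS either rejects the login (role does not exist) or, if an IAM role of that name exists, offers it to the user. Keeping the list equal to the roles from section 2.1 makes the mapping explicit and reviewable.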

9

(iii) If you would like to test the script and the attribute conversion, enable the "Show / Add Test Values?" checkbox, add some group DNs in the Test values field and click the Test button.

10

If the configuration is correct, you should get the following Success result.

11

2.6 Create Attribute Set for AWS SAML Assertion

Go to Shared Settings -> Attribute Sets and create a new attribute set “AWS_ATTR_SET”.

(i) Map Remote Attribute “Role” to “Virtual Attribute:vaAWSRoleName”.

12

(ii) Map Remote Attribute “RoleSessionName” to sAMAccountName.

13

2.7 Update SAML Service Provider setup in NAM

Go to the IDP cluster, SAML 2.0 tab, and open the AmazonAWS service provider. Select Attribute Set: “AWS_ATTR_SET” and move the available attributes from the right box to the left box.

14

Apply all changes to IDP.

3. Test

Open any browser and try to access the https://<nam-idp-sso-url>/nidp/saml2/idpsend?id=aws URL.

(i) Log in as a user who is a member of the following LDAP groups:

awsEC2FullAccess

awsS3ReadOnly

fig14

Koushik Halder
Aug 16, 2017
10:05 am