AWS Identity and Access Management
User Guide

Configuring SAML Assertions for the Authentication Response

In your organization, after a user's identity has been verified, the IdP sends an authentication response to the AWS SAML endpoint at https://signin.aws.amazon.com/saml. This response is a POST request that includes a SAML token that adheres to the HTTP POST Binding for SAML 2.0 standard and that contains the following elements, or claims. You configure these claims in your SAML-compatible IdP. Refer to the documentation for your IdP for instructions on how to enter these claims.

When the IdP sends the response containing the claims to AWS, many of the incoming claims map to AWS context keys that can be checked in IAM policies using the Condition element. A listing of the available mappings follows in the section Mapping SAML Attributes to AWS Trust Policy Context Keys.

Subject and NameID

The following excerpt shows an example. Substitute your own values for the marked ones. There must be exactly one SubjectConfirmation element with a SubjectConfirmationData element that includes both the NotOnOrAfter attribute and a Recipient attribute whose value must match the AWS endpoint (https://signin.aws.amazon.com/saml), as shown in the following example. For information about the name identifier formats supported for single sign-on interactions, see Oracle Sun OpenSSO Enterprise Administration Reference.

<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">_cbb88bf52c2510eabe00c1642d4643f41430fe25e3</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="2013-11-05T02:06:42.876Z" Recipient="https://signin.aws.amazon.com/saml"/>
  </SubjectConfirmation>
</Subject>

AudienceRestriction and Audience

For security reasons, AWS must be included as an audience in the SAML assertion your IdP sends to AWS. Therefore, the value of the Audience element must match one of the following two values, either https://signin.aws.amazon.com/saml or urn:amazon:webservices. AWS tests and enforces this value automatically. The following sample XML snippet from a SAML assertion shows how this key can be specified by the IdP and shows both valid values; you only need to include one.

<Conditions>
  <AudienceRestriction>
    <Audience>https://signin.aws.amazon.com/saml</Audience>
    <Audience>urn:amazon:webservices</Audience>
  </AudienceRestriction>
</Conditions>

Important

The SAML AudienceRestriction value in the SAML assertion from the IdP does not map to the saml:aud context key that you can test in an IAM policy. Instead, the saml:aud context key comes from the SAML Recipient attribute, because it is the SAML equivalent of the OIDC audience field (for example, accounts.google.com:aud).

An Attribute element with the Name attribute set to https://aws.amazon.com/SAML/Attributes/Role

This element contains one or more AttributeValue elements that list the IAM role and SAML identity provider to which the user is mapped by your IdP. The role and identity provider are specified as a comma-delimited pair of ARNs in the same format as the RoleArn and PrincipalArn parameters that are passed to AssumeRoleWithSAML. This element must contain at least one role-provider pair—that is, at least one AttributeValue element—and can contain multiple pairs. If the element contains multiple pairs, then the user is asked to select which role to assume when he or she uses WebSSO to sign into the AWS Management Console.

Important

The value of the Name attribute in the Attribute tag is case-sensitive. It must be set to https://aws.amazon.com/SAML/Attributes/Role exactly.

<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
  <AttributeValue>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</AttributeValue>
  <AttributeValue>arn:aws:iam::account-number:role/role-name2,arn:aws:iam::account-number:saml-provider/provider-name</AttributeValue>
  <AttributeValue>arn:aws:iam::account-number:role/role-name3,arn:aws:iam::account-number:saml-provider/provider-name</AttributeValue>
</Attribute>

An Attribute element with the Name attribute set to https://aws.amazon.com/SAML/Attributes/RoleSessionName

This element contains one AttributeValue element that provides an identifier for the AWS temporary credentials that are issued for SSO and is used to display user information in the AWS Management Console. The value in the AttributeValue element must be between 2 and 64 characters long, can contain only alphanumeric characters, underscores, and the following characters: + (plus sign), = (equals sign), , (comma), . (period), @ (at symbol), and - (hyphen). It cannot contain spaces. The value is typically a user ID (bobsmith) or an email address (bobsmith@example.com). It should not be a value that includes a space, like a user's display name (Bob Smith).

Important

The value of the Name attribute in the Attribute tag is case-sensitive. It must be set to https://aws.amazon.com/SAML/Attributes/RoleSessionName exactly.

<Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
  <AttributeValue>user-id-name</AttributeValue>
</Attribute>

An optional Attribute element with the Name attribute set to https://aws.amazon.com/SAML/Attributes/SessionDuration

This element contains one AttributeValue element that specifies the maximum time that the user can access the AWS Management Console before having to request new temporary credentials. The value is an integer representing the number of seconds, and can be a maximum of 43200 seconds (12 hours). If this attribute is not present, then the maximum session duration defaults to one hour (the default value of the DurationSeconds parameter of the AssumeRoleWithSAML API). To use this attribute, you must configure the SAML provider to provide single sign-on access to the AWS Management Console through the console sign-in web endpoint at https://signin.aws.amazon.com/saml. Note that this attribute extends sessions only to the AWS Management Console. It cannot extend the lifetime of other credentials. However, if it is present in an AssumeRoleWithSAML API call, it can be used to shorten the lifetime of the credentials returned by the call to less than the default of 60 minutes.

Note, too, that if a SessionNotOnOrAfter attribute is also defined, then the lesser value of the two attributes, SessionDuration or SessionNotOnOrAfter, establishes the maximum duration of the console session.

When you enable console sessions with an extended duration, the risk of compromise of the credentials rises. To help you mitigate this risk, you can immediately disable the active console sessions for any role by choosing Revoke Sessions on the Role Summary page in the IAM console. For more information, see Revoking IAM Role Temporary Security Credentials.

Important

The value of the Name attribute in the Attribute tag is case-sensitive. It must be set to https://aws.amazon.com/SAML/Attributes/SessionDuration exactly.

<Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
  <AttributeValue>7200</AttributeValue>
</Attribute>
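The following is an added example, not code from this guide or from AWS: a defender-side check that a SAML assertion carries every claim this section requires (one SubjectConfirmation with NotOnOrAfter and the AWS Recipient, an AWS audience, well-formed role/provider ARN pairs, a valid RoleSessionName, and a SessionDuration of at most 43200 seconds). The sample assertion, the 12-digit account number, and the role and provider names are constructed; the helper names are mine.

```python
# Added example (not AWS code): validate the AWS-required claims before trusting an assertion.
import re
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ENDPOINT = "https://signin.aws.amazon.com/saml"
VALID_AUDIENCES = {AWS_ENDPOINT, "urn:amazon:webservices"}
ATTR = "https://aws.amazon.com/SAML/Attributes/"
ARN_PAIR = re.compile(r"^arn:aws:iam::\d{12}:role/[^,]+,arn:aws:iam::\d{12}:saml-provider/[^,]+$")
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$", re.ASCII)  # \w: alphanumerics and underscore

def attr_values(root, name):
    # Name is compared case-sensitively, exactly as AWS requires.
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if a.get("Name") == name:
            return [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    return None

def check_assertion(xml_text):
    # Returns a list of problems; an empty list means every required claim is present and well formed.
    root = ET.fromstring(xml_text)
    problems = []
    confs = root.findall(".//saml:Subject/saml:SubjectConfirmation", NS)
    if len(confs) != 1:
        problems.append("expected exactly one SubjectConfirmation")
    else:
        data = confs[0].find("saml:SubjectConfirmationData", NS)
        if data is None or not data.get("NotOnOrAfter") or data.get("Recipient") != AWS_ENDPOINT:
            problems.append("SubjectConfirmationData needs NotOnOrAfter and the AWS Recipient")
    audiences = {a.text for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)}
    if not audiences & VALID_AUDIENCES:
        problems.append("Audience must include an AWS audience value")
    roles = attr_values(root, ATTR + "Role")
    if not roles:
        problems.append("Role attribute with at least one AttributeValue is required")
    else:
        problems += [f"bad role pair: {r}" for r in roles if not ARN_PAIR.match(r)]
    names = attr_values(root, ATTR + "RoleSessionName") or []
    if len(names) != 1 or not SESSION_NAME.match(names[0]):
        problems.append("RoleSessionName must be one value of 2-64 allowed characters")
    duration = attr_values(root, ATTR + "SessionDuration")
    if duration and not (duration[0].isdigit() and 0 < int(duration[0]) <= 43200):
        problems.append("SessionDuration must be an integer of at most 43200 seconds")
    return problems

# Constructed sample assertion (unsigned, for illustration only)
SAMPLE = f"""<Assertion xmlns="{NS['saml']}"><Subject><NameID>user1</NameID><SubjectConfirmation
 Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData NotOnOrAfter="2030-01-01T00:00:00Z"
 Recipient="{AWS_ENDPOINT}"/></SubjectConfirmation></Subject><Conditions><AudienceRestriction>
<Audience>urn:amazon:webservices</Audience></AudienceRestriction></Conditions><AttributeStatement>
<Attribute Name="{ATTR}Role"><AttributeValue>arn:aws:iam::123456789012:role/Admins,arn:aws:iam::123456789012:saml-provider/CorpIdP</AttributeValue></Attribute>
<Attribute Name="{ATTR}RoleSessionName"><AttributeValue>bobsmith@example.com</AttributeValue></Attribute>
<Attribute Name="{ATTR}SessionDuration"><AttributeValue>7200</AttributeValue></Attribute></AttributeStatement></Assertion>"""
```

This checks claim shape only; signature verification and the NotOnOrAfter clock comparison still belong in your SAML library.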

Mapping SAML Attributes to AWS Trust Policy Context Keys

The tables in this section list commonly used SAML attributes and how they map to trust policy condition context keys in AWS. You can use these keys to control access to a role by evaluating them against the values included in the assertions that accompany a SAML request to access a role.

Important

These keys are available only in IAM trust policies (policies that determine who can assume a role) and are not applicable to permissions policies.

In the eduPerson and eduOrg attributes table, values are typed either as strings or as lists of strings. For string values, you can test these values in IAM trust policies using StringEquals or StringLike conditions. For values that contain a list of strings, you can use the ForAnyValue and ForAllValues policy set operators to test the values in trust policies.

Note

You should include only one claim per AWS context key. If you include more than one, only one claim will be mapped.
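As an added example (not AWS's own policy evaluation logic), the following simplified evaluator shows how the single-value operators and the ForAnyValue/ForAllValues set operators named above behave over string-typed and list-typed claims. The trust policy Condition and the request context are constructed; the saml: prefix on the mapped keys follows the saml:aud convention on this page, and the helper names are mine.

```python
# Added example (not AWS code): evaluate a trust policy Condition over mapped SAML context keys.
from fnmatch import fnmatchcase

TRUST_POLICY_CONDITION = {  # constructed sample Condition block
    "StringEquals": {"saml:aud": "https://signin.aws.amazon.com/saml"},
    "StringLike": {"saml:eduPersonPrincipalName": "*@example.edu"},
    "ForAnyValue:StringEquals": {"saml:eduPersonAffiliation": ["staff", "faculty"]},
    "ForAllValues:StringEquals": {"saml:eduPersonEntitlement": ["urn:mace:example.edu:aws", "urn:mace:example.edu:lab"]},
}

def _matches(op, value, patterns):
    if op == "StringEquals":
        return value in patterns
    if op == "StringLike":  # * and ? wildcards, case-sensitive
        return any(fnmatchcase(value, p) for p in patterns)
    raise ValueError(f"unsupported operator {op}")

def condition_allows(condition, context):
    # True only when every operator/key pair in the Condition is satisfied by the context.
    for op_name, keys in condition.items():
        qualifier, _, op = op_name.rpartition(":")
        for key, allowed in keys.items():
            allowed = [allowed] if isinstance(allowed, str) else allowed
            actual = context.get(key)
            if qualifier == "ForAnyValue":  # at least one claim value must match
                ok = any(_matches(op, v, allowed) for v in (actual or []))
            elif qualifier == "ForAllValues":  # every claim value must match; vacuously true if key absent
                ok = all(_matches(op, v, allowed) for v in (actual or []))
            else:  # single-valued operator: key must be present as one string
                ok = isinstance(actual, str) and _matches(op, actual, allowed)
            if not ok:
                return False
    return True

# Constructed request context as AWS would derive it from the assertion (saml:aud from Recipient)
STAFF_CONTEXT = {
    "saml:aud": "https://signin.aws.amazon.com/saml",
    "saml:eduPersonPrincipalName": "bobsmith@example.edu",
    "saml:eduPersonAffiliation": ["member", "staff"],
    "saml:eduPersonEntitlement": ["urn:mace:example.edu:aws"],
}
```

Because ForAllValues is satisfied when the key is absent, pair it with a ForAnyValue or StringEquals test on the same key when the claim must actually be present.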

eduPerson and eduOrg Attributes

| eduPerson or eduOrg attribute (Name key) | Maps to this AWS context key (FriendlyName key) | Type |
|---|---|---|
| urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | eduPersonAffiliation | List of strings |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.2 | eduPersonNickname | List of strings |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.3 | eduPersonOrgDN | String |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.4 | eduPersonOrgUnitDN | List of strings |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.5 | eduPersonPrimaryAffiliation | String |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | eduPersonPrincipalName | String |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | eduPersonEntitlement | List of strings |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.8 | eduPersonPrimaryOrgUnitDN | String |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | eduPersonScopedAffiliation | List of strings |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | eduPersonTargetedID | List of strings |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | eduPersonAssurance | List of strings |
| urn:oid:1.3.6.1.4.1.5923.1.2.1.2 | eduOrgHomePageURI | List of strings |
| urn:oid:1.3.6.1.4.1.5923.1.2.1.3 | eduOrgIdentityAuthNPolicyURI | List of strings |
| urn:oid:1.3.6.1.4.1.5923.1.2.1.4 | eduOrgLegalName | List of strings |
| urn:oid:1.3.6.1.4.1.5923.1.2.1.5 | eduOrgSuperiorURI | List of strings |
| urn:oid:1.3.6.1.4.1.5923.1.2.1.6 | eduOrgWhitePagesURI | List of strings |
| urn:oid:2.5.4.3 | cn | List of strings |

Active Directory Attributes

| AD attribute | Maps to this AWS context key | Type |
|---|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | name | String |
| http://schemas.xmlsoap.org/claims/CommonName | commonName | String |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | givenName | String |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | surname | String |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | mail | String |
| http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid | uid | String |

X.500 Attributes

| X.500 Attribute | Maps to this AWS context key | Type |
|---|---|---|
| 2.5.4.3 | commonName | String |
| 2.5.4.4 | surname | String |
| 2.4.5.42 | givenName | String |
| 2.5.4.45 | x500UniqueIdentifier | String |
| 0.9.2342.19200300100.1.1 | uid | String |
| 0.9.2342.19200300100.1.3 | mail | String |
| 0.9.2342.19200300.100.1.45 | organizationStatus | String |