How can I get AWS credentials using a SAML token?
What I am trying to do: Authenticate my users using ADFS, pass the SAML response token to AWS and get back credentials which I can then use to access AWS resources.

What I am able to do now: Sign in successfully through ADFS and get the SAML token back, which confirms the successful sign-in.

What is not working: Calling the AWS.STS.assumeRoleWithSAML function gets a 403 Access Denied error.

How it works thus far:

  1. Users click a button on my application, which calls the following:

    var RPID = encodeURIComponent('urn:amazon:webservices');
    var result = 'https://virtualMachine.eastus.cloudapp.azure.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=' + RPID;
    window.location.href = result;

  2. A successful sign-in here returns a SAML response token back to the application:

    var saml = new URL(window.location.href);
    var token = saml.searchParams.get('SAMLResponse');

  3. The application then calls assumeRoleWithSAML to get back credentials. The PrincipalArn refers to the identity provider I am trying to access and the RoleArn refers to a role which has full access to everything:

    function authenticateSAMLwithCognito(token) {
      // define our security token service object
      var sts = new AWS.STS();
      // build our parameter object
      var params = {
        // the SAML identity provider registered in IAM
        PrincipalArn: 'arn:aws:iam::accountid:saml-provider/wmpo-adfs',
        // the role to assume
        RoleArn: 'arn:aws:iam::accountid:role/ADFS-Dev',
        // the base64-encoded SAML response from ADFS
        SAMLAssertion: token
      };

      console.log("Parameters sent", params);
      sts.assumeRoleWithSAML(params, (err, data) => {
        if (err) console.log(err);
        else console.log("Success!", data);
      });
    }

However, the response from this exchange is:

[screenshot: error message]

I am really unsure why this is, but if anyone has some helpful pushes that would be great! Thanks and happy new year.










      javascript amazon-web-services






      asked Jan 2 at 22:30









bflynnigan
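The direct STS path in the question needs the assertion itself to name the role and provider being requested. The following is an added example, not code from the question or the answer, that decodes a SAMLResponse and checks the fields STS evaluates before calling assumeRoleWithSAML. It assumes a Node.js runtime; the sample response and the account id 123456789012 are constructed placeholders, while the role and provider names are the ones from the question.

```javascript
// Added example (not from the question or the answer): pre-flight checks on an
// ADFS SAMLResponse before it is handed to sts.assumeRoleWithSAML(). Assumes a
// Node.js runtime; SAMPLE_XML is a constructed, minimal response, and the
// account id 123456789012 is a placeholder.
const AWS_SAML_ENDPOINT = 'https://signin.aws.amazon.com/saml';
const ROLE_ATTR = 'https://aws.amazon.com/SAML/Attributes/Role';

const SAMPLE_XML = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:Subject>
<saml:SubjectConfirmation><saml:SubjectConfirmationData
 Recipient="https://signin.aws.amazon.com/saml" NotOnOrAfter="2099-01-01T00:00:00Z"/>
</saml:SubjectConfirmation></saml:Subject><saml:AttributeStatement>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue>
arn:aws:iam::123456789012:role/ADFS-Dev,arn:aws:iam::123456789012:saml-provider/wmpo-adfs
</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>`;
// The SAMLResponse form field is this XML base64-encoded, which is exactly the
// value STS expects in the SAMLAssertion parameter.
const SAMPLE_B64 = Buffer.from(SAMPLE_XML).toString('base64');

// Pull out the fields STS evaluates. Regexes are enough for this constructed
// sample; a real client should use an XML parser and verify the signature.
function extractAwsFields(b64) {
  const xml = Buffer.from(b64, 'base64').toString('utf8');
  const recipient = (xml.match(/Recipient="([^"]+)"/) || [])[1];
  const notOnOrAfter = (xml.match(/NotOnOrAfter="([^"]+)"/) || [])[1];
  const attrRe = new RegExp(`<(?:saml:)?Attribute\\s[^>]*Name="${ROLE_ATTR}"[\\s\\S]*?</(?:saml:)?Attribute>`);
  const attrBlock = (xml.match(attrRe) || [])[0] || '';
  const pairs = [];
  for (const m of attrBlock.matchAll(/<(?:saml:)?AttributeValue[^>]*>([^<]+)</g)) {
    const parts = m[1].trim().split(',').map(p => p.trim());
    // ADFS may emit "role,provider" or "provider,role"; STS accepts both orders.
    const role = parts.find(p => p.includes(':role/'));
    const provider = parts.find(p => p.includes(':saml-provider/'));
    if (role && provider) pairs.push({ RoleArn: role, PrincipalArn: provider });
  }
  return { recipient, notOnOrAfter, pairs };
}

// Build the assumeRoleWithSAML params only when the assertion can satisfy the
// role's trust policy: the wanted role must be listed in the Role attribute
// with its provider, the Recipient (what the SAML:aud condition key reads)
// must be the AWS sign-in endpoint, and the assertion must not be expired.
function buildAssumeRoleParams(b64, wantedRoleArn, now = new Date()) {
  const f = extractAwsFields(b64);
  const problems = [];
  if (f.recipient !== AWS_SAML_ENDPOINT) problems.push(`Recipient is ${f.recipient}, expected ${AWS_SAML_ENDPOINT}`);
  if (f.notOnOrAfter && new Date(f.notOnOrAfter) <= now) problems.push(`assertion expired at ${f.notOnOrAfter}`);
  const pair = f.pairs.find(p => p.RoleArn === wantedRoleArn);
  if (!pair) problems.push(`${wantedRoleArn} is not in the assertion's Role attribute`);
  return problems.length ? { ok: false, problems } : { ok: true, params: { ...pair, SAMLAssertion: b64 } };
}
```

STS requires the RoleArn/PrincipalArn pair to appear in the assertion's Role attribute and reads the SAML:aud condition key from the Recipient, so these fields are the first things to confirm when assumeRoleWithSAML answers with an access-denied error.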


          1 Answer
Wow, that only took days, but though I was constantly stumbling, I finally made it to the point I was trying to get to.

The answer was in the same credentials get() function that I used when I authenticated users through a username/password combo by way of a Cognito User Pool.

    import * as AWS from 'aws-sdk';

    // Exchange the SAML response for temporary credentials through a Cognito
    // identity pool; the Logins key is the ARN of the SAML provider in IAM, and
    // AWS.config.region must already be set to the identity pool's region.
    function authenticateThroughCognito(token) {
      AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'us-west-2:IdentityPoolId',
        Logins: {
          'arn:aws:iam::accountId:saml-provider/wmpo-adfs': token
        }
      });

      (AWS.config.credentials as AWS.Credentials).get((err) => {
        if (err) console.log(err);
        else {
          console.log("Success");
          console.log(AWS.config.credentials);
        }
      });
    }





                answered Jan 3 at 0:22









bflynnigan
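The question's direct AssumeRoleWithSAML call and the answer's Cognito identity pool path rely on different role trust policies. As an added example (not from the question or the answer), the following lint encodes the documented shape of each and reports which flow a given trust policy permits. The policies are constructed samples; the account id, identity pool id and provider name are placeholders.

```javascript
// Added example (not from the question or the answer): a lint for the IAM role
// trust policies behind the two flows on this page. The policies are constructed
// samples; the account id, pool id and provider name are placeholders.
const SAML_PROVIDER_ARN = 'arn:aws:iam::123456789012:saml-provider/wmpo-adfs';
const IDENTITY_POOL_ID = 'us-west-2:00000000-0000-0000-0000-000000000000';
const AWS_SAML_ENDPOINT = 'https://signin.aws.amazon.com/saml';
// Trust statement a role needs before sts.assumeRoleWithSAML() (the question's
// approach) can return credentials for it: the SAML provider is the federated
// principal, and the SAML:aud condition pins the assertion's Recipient to AWS.
const SAML_ROLE_TRUST = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Federated: SAML_PROVIDER_ARN },
    Action: 'sts:AssumeRoleWithSAML',
    Condition: { StringEquals: { 'SAML:aud': AWS_SAML_ENDPOINT } },
  }],
};

// Trust statement on the identity pool's authenticated role, which Cognito (not
// the app) assumes in the answer's CognitoIdentityCredentials path.
const COGNITO_AUTH_ROLE_TRUST = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Federated: 'cognito-identity.amazonaws.com' },
    Action: 'sts:AssumeRoleWithWebIdentity',
    Condition: {
      StringEquals: { 'cognito-identity.amazonaws.com:aud': IDENTITY_POOL_ID },
      'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'authenticated' },
    },
  }],
};

const asList = v => (Array.isArray(v) ? v : [v]);
// Report which flows a trust policy permits: 'saml' for a direct AssumeRoleWithSAML
// with this provider (the lint insists on the SAML:aud condition the AWS federation
// docs use), 'cognito' for credentials issued to authenticated identities of this pool.
function trustedFlows(policy, { providerArn, poolId }) {
  const flows = new Set();
  for (const s of asList(policy.Statement)) {
    if (s.Effect !== 'Allow' || !s.Principal || !s.Principal.Federated) continue;
    const principals = asList(s.Principal.Federated);
    const actions = asList(s.Action);
    const eq = (s.Condition && s.Condition.StringEquals) || {};
    const like = (s.Condition && s.Condition['ForAnyValue:StringLike']) || {};
    if (principals.includes(providerArn) && actions.includes('sts:AssumeRoleWithSAML')
        && eq['SAML:aud'] === AWS_SAML_ENDPOINT) flows.add('saml');
    if (principals.includes('cognito-identity.amazonaws.com')
        && actions.includes('sts:AssumeRoleWithWebIdentity')
        && eq['cognito-identity.amazonaws.com:aud'] === poolId
        && like['cognito-identity.amazonaws.com:amr'] === 'authenticated') flows.add('cognito');
  }
  return [...flows].sort();
}
```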
