1 answer
Hi,
In Azure AD you need to map the https://aws.amazon.com/SAML/Attributes/Role claim to the group value using a conditional claim transformation rule. Therefore a user who is a member of group Author will have a role claim https://aws.amazon.com/SAML/Attributes/Role with the value Author.
Jeff
answered 1 year ago
+1 for Jeff's opinion.
You need to specify the role to assume in AWS when configuring SAML on the Azure AD side.
Hi Jeff and isawa,
that is what we did in Azure AD. We created a claim named https://aws.amazon.com/SAML/Attributes/Role and used a claim condition to map the scoped group to the value arn:aws:iam::<Our Account ID>:saml-provider/IAM_Identity_Center, arn:aws:iam::<Our Account ID>:role/<Name of the role we created for ADMIN/AUTHOR/READER>. However, we still get the error message "invalid SAML response". When viewing the SAML response we see that the claims we created are not part of it. Are you sure that this works with Identity Center? We got this response on the blog https://aws.amazon.com/de/blogs/big-data/enable-federation-to-amazon-quicksight-with-automatic-provisioning-of-users-between-aws-iam-identity-center-and-microsoft-azure-ad/:

"Thank you Fabian. You can have only 1 IAM role for an Identity Center application at the moment. You could additionally create Author/Reader role with the policies which is given in "Configure IAM Policies" section and tie it up with different QuickSight applications in IAM Identity Center. This way, you could control which "user/user group" should have Admin/Author/Reader role."

Does this mean we have to create 3 applications?
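The thread turns on whether the Role claim actually reaches the service provider and whether its value has the shape AWS expects. The following script is an added example, not code from anyone in this thread or from AWS: it parses a decoded SAML assertion with the Python standard library, lists the attributes it carries, and reports whether https://aws.amazon.com/SAML/Attributes/Role is present and whether each value is a "provider-arn,role-arn" pair in the same account. The two assertions embedded below are constructed for the example; the account id 123456789012, the provider name and the role name QuickSight-Author are placeholders.

```python
"""Inspect a decoded SAML assertion for the AWS Role attribute.

Added example (not from the re:Post thread or from AWS). The assertions
below are constructed; 123456789012 and the role/provider names are
placeholders, not values from the thread.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# The value AWS expects is "<saml-provider ARN>,<role ARN>" with no whitespace.
# Both ARNs carry a 12-digit account id; they are captured so they can be compared.
_ROLE_VALUE_RE = re.compile(
    r"^arn:aws:iam::(\d{12}):saml-provider/[^,\s]+,"
    r"arn:aws:iam::(\d{12}):role/[^,\s]+$"
)

# Constructed assertion that carries a well-formed Role attribute.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/IAM_Identity_Center,arn:aws:iam::123456789012:role/QuickSight-Author</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion in which the Role claim never made it into the response,
# which is the symptom described in the thread.
MISSING_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-2" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Author</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [values]} for every Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[name] = values
    return attrs


def check_role_claim(attrs: dict[str, list[str]]) -> list[str]:
    """Return a list of problems with the Role attribute; empty means it looks right."""
    problems: list[str] = []
    values = attrs.get(ROLE_ATTR)
    if not values:
        problems.append(f"missing attribute {ROLE_ATTR}: the IdP did not emit the Role claim")
        return problems
    for value in values:
        if any(ch.isspace() for ch in value):
            problems.append(f"whitespace inside role value {value!r}; "
                            "the format is provider-arn,role-arn with no spaces")
            continue
        match = _ROLE_VALUE_RE.match(value)
        if match is None:
            problems.append(f"malformed role value {value!r}")
        elif match.group(1) != match.group(2):
            problems.append(f"provider and role belong to different accounts in {value!r}")
    return problems


def main() -> None:
    for label, xml_text in (("good", GOOD_ASSERTION), ("missing", MISSING_ASSERTION)):
        attrs = extract_attributes(xml_text)
        print(f"[{label}] attributes: {sorted(attrs)}")
        for problem in check_role_claim(attrs) or ["Role attribute OK"]:
            print(f"[{label}] {problem}")


if __name__ == "__main__":
    main()
```

To use it on a real response, base64-decode the SAMLResponse form field (browser developer tools or a SAML tracer extension show it), extract the Assertion element, and pass that XML string to extract_attributes. A "missing attribute" result tells you the claim is being dropped before the assertion is built, which is a different problem from a value that is present but malformed.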