Thank you for your reply. I have already seen both of these articles; is there anything specific you think I should follow to get SourceIdentity working?
Integration from Azure to AWS is working, and automatic user provisioning is working too. The only thing I cannot find clear instructions for is how to get SourceIdentity working. I am unable to see this field in any CloudTrail events.
Try following the identity instructions for Azure AD here.
https://docs.aws.amazon.com/singlesignon/latest/userguide/azure-ad-idp.html
Microsoft instructions: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/aws-single-sign-on-tutorial
This should get you up and going. Ping any questions over.
Update
This may only work for an IdP with IAM and not AWS SSO Identity Center. There is an extra step, but I'm not sure you should modify the IdP that Identity Center sets up.
Why would you want to do this anyway, as the user's name is already in CloudTrail logs?
For the workforce identity or application to be able to define their source identity when they assume IAM roles, you must first grant them permission for the sts:SetSourceIdentity action, as illustrated in the sample policy document below. This will permit the workforce identity or application to set the SourceIdentity themselves without any need for manual intervention.
To modify an AWS IAM role trust policy
Log in to the AWS Management Console for your account as a user with privileges to configure an IdP, typically an administrator. Navigate to the AWS IAM service. For trusted identity, choose SAML 2.0 federation. From the SAML Provider drop-down menu, select the IAM provider you created previously. Modify the role trust policy and add the SetSourceIdentity action.
Sample policy document
This is a sample policy document attached to a role you assume when you log in to Account1 from the Okta dashboard. Edit your Account1/Role1 trust policy document and add sts:AssumeRoleWithSAML and sts:SetSourceIdentity to the Action section.
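As an added example (not code from the AWS blog post or from the answer above), the trust policy described here in JSON form, a check that it actually grants sts:SetSourceIdentity, and a lookup of where SourceIdentity surfaces in CloudTrail records; the provider ARN, account id and event records are constructed.

```python
# Constructed placeholder, not a value from this thread.
SAML_PROVIDER_ARN = "arn:aws:iam::111122223333:saml-provider/ExampleIdP"


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy letting a SAML-federated principal assume the role and
    set its own SourceIdentity, as the blog post excerpt describes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": ["sts:AssumeRoleWithSAML", "sts:SetSourceIdentity"],
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


def allows_set_source_identity(policy: dict) -> bool:
    """True if an Allow statement grants sts:SetSourceIdentity.
    IAM action names are matched case-insensitively, so compare lowercased."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a.lower() in ("sts:setsourceidentity", "sts:*") for a in actions):
            return True
    return False


def source_identity_of(event: dict):
    """SourceIdentity recorded on a CloudTrail event, or None. On the
    AssumeRole* call it is in requestParameters; on every later call made
    with that role session it is in userIdentity.sessionContext."""
    ctx = event.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("sourceIdentity") or event.get("requestParameters", {}).get("sourceIdentity")


# Constructed CloudTrail-shaped records, not real log data.
EVENTS = [
    {"eventName": "AssumeRoleWithSAML", "userIdentity": {"type": "SAMLUser"},
     "requestParameters": {"sourceIdentity": "alice@example.com"}},
    {"eventName": "CreateBucket", "userIdentity": {"type": "AssumedRole",
     "sessionContext": {"sourceIdentity": "alice@example.com"}}},
    {"eventName": "CreateBucket", "userIdentity": {"type": "AssumedRole", "sessionContext": {}}},
]


def events_missing_source_identity(events) -> list:
    """Event names with no SourceIdentity: the symptom reported in this thread."""
    return [e["eventName"] for e in events if source_identity_of(e) is None]
```

Running `events_missing_source_identity(EVENTS)` over real CloudTrail records exported to JSON shows whether the attribute is being propagated into role sessions at all or only dropped on a specific hop.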
I need to revoke sessions when IAM role chaining happens. IAM roles created by SSO are read-only and cannot be modified, so I am unable to add the following permission to them, sts:SetSourceIdentity, as defined in https://aws.amazon.com/blogs/security/how-to-integrate-aws-sts-sourceidentity-with-your-identity-provider/. That means the propagation of the attribute to the next role will not happen.
Also, I cannot see the SourceIdentity parameter anywhere within the CloudTrail logs, whereas the article suggests it will be present in every action performed, such as creating a bucket.
I am trying to understand whether the article doesn't apply to SSO (Identity Center) integration with an IdP.
Right, ok. Reading about it, it “may” only work if using an IdP via IAM. You're using Identity Center. I'm going to update my answer as there is an extra step, but I'm not sure if you should change the IdP settings in your account that are used by Identity Center.
Also, why do you need to do this? The user's name is usually in CloudTrail when actions are performed after using SSO.