
Identity Center - Sync AD Object SID to send with SAML Assertion

0

Hi,

I'm looking to use Identity Center as the SAML IdP to connect to AD-joined AppStream. The basics are working, but we're looking to implement Certificate-Based Authentication (CBA). This requires sending the AD Attribute ObjectSID along with the assertion to successfully perform CBA. I am not seeing the option to sync the object SID from AD into Identity Center, or pass the object SID as part of the assertion.

Is this supported? Or is there some kind of workaround anyone has found to send this attribute?

2 answers
0

AWS Single Sign-On (AWS SSO) does not currently support directly syncing or passing the ObjectSID attribute from on-premises AD to AppStream 2.0. However, there are a couple of potential workarounds:

Use a Custom SAML Identity Provider: Instead of AWS SSO, you can configure a third-party SAML 2.0 compliant IdP like Okta, Ping Identity, etc. These IdPs often support passing custom attributes like ObjectSID in the SAML assertion to AppStream 2.0.

Use AWS Managed Microsoft AD: Set up an AWS Managed Microsoft AD and join your on-premises AD to it. The AWS Managed Microsoft AD will sync user identities including the ObjectSID. Then configure your IdP (AWS SSO or third-party) to use the AWS Managed Microsoft AD as the source to pass the ObjectSID.

Both approaches require additional setup compared to using AWS SSO directly with on-premises AD for AppStream 2.0. You'll need to evaluate the complexity, cost, and your specific requirements.

AWS
Answered 2 months ago
0

Hello,

Thank you for querying in this forum.

From the descriptions, I understand that your use case is to send an AD Attribute ObjectSID in the SAML assertion, but you are not able to see the option to sync the object SID from AD into Identity Center or pass the object SID as part of the assertion. You would like to know if this is actually supported or not.

Please confirm the below details and information regarding the IAM Identity Center setup in your environment so that we could better understand your setup and issue.

  • Can you clarify the IdP and SP that you have set up in your environment?

  • If you are using SSO as an IdP, confirm the identity source that you are using in your IAM Identity Center setup. Kindly confirm if you are using an External identity provider, an Active Directory, or the Identity Center directory in your IAM Identity Center setup.

The passing of the attribute detail in the SAML assertion depends upon the IdP that you are using. For a list of supported directory attributes or supported IAM Identity Center attributes that can be mapped to user attributes, please go through the documentation below.

[+] https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html

Thank you.

AWS
Answered 2 months ago
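Before changing IdPs, it helps to confirm what the current IdP actually puts in the assertion. The script below is an added diagnostic, not part of either answer and not AWS or AppStream tooling: it parses a decoded SAML Response, lists every attribute in the AttributeStatement, and normalises an objectSid-style attribute to its textual S-1-5-... form. It assumes the attribute's Name contains "objectSid" (a hypothetical mapping, since Identity Center exposes no such mapping per the answers) and that the value arrives either as the S-1-5-... string or as the base64 of AD's binary objectSid; the sample responses are constructed, and the code performs no signature validation, so it is for inspection of an assertion you already trust.

```python
import base64
import struct
import xml.etree.ElementTree as ET
from typing import Optional

# SAML 2.0 namespaces used by the constructed sample responses below.
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def sid_bytes_to_string(raw: bytes) -> str:
    """Convert a binary AD objectSid into its S-<rev>-<auth>-<sub>... text form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then 32-bit little-endian sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("binary SID shorter than the 8-byte header")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("binary SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def extract_saml_attributes(response_xml: str) -> dict:
    """Return {attribute Name: [values]} from every Attribute in the assertion."""
    # xml.etree is adequate for an assertion captured locally; XML taken
    # straight off the network should be parsed with defusedxml instead.
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % NS_SAML):
        values = [(v.text or "").strip()
                  for v in attr.findall("{%s}AttributeValue" % NS_SAML)]
        attrs[attr.get("Name", "")] = values
    return attrs


def find_object_sid(response_xml: str) -> Optional[str]:
    """Locate an objectSid-style attribute and return it as S-1-5-... text.

    Returns None when the IdP did not include the attribute at all, which is
    the situation the question describes.
    """
    for name, values in extract_saml_attributes(response_xml).items():
        if "objectsid" not in name.lower() or not values:
            continue
        value = values[0]
        if value.upper().startswith("S-"):
            return value  # already in string form
        # Otherwise assume the IdP base64-encoded AD's raw binary SID.
        return sid_bytes_to_string(base64.b64decode(value))
    return None


# --- constructed sample data (not captured from any real IdP) --------------
SAMPLE_SID = "S-1-5-21-1111-2222-3333-1001"
_raw = b"\x01\x05" + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1111, 2222, 3333, 1001)
SAMPLE_SID_B64 = base64.b64encode(_raw).decode("ascii")


def _sample_response(include_sid: bool) -> str:
    sid_attr = ""
    if include_sid:
        sid_attr = ('<saml:Attribute Name="objectSid">'
                    '<saml:AttributeValue>%s</saml:AttributeValue>'
                    '</saml:Attribute>' % SAMPLE_SID_B64)
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
        '<saml:Assertion>'
        '<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
        '<saml:AttributeStatement>'
        '<saml:Attribute Name="email">'
        '<saml:AttributeValue>alice@example.test</saml:AttributeValue>'
        '</saml:Attribute>%s'
        '</saml:AttributeStatement>'
        '</saml:Assertion>'
        '</samlp:Response>' % (NS_SAMLP, NS_SAML, sid_attr)
    )


SAMPLE_WITH_SID = _sample_response(True)
SAMPLE_WITHOUT_SID = _sample_response(False)

if __name__ == "__main__":
    print("attributes: ", sorted(extract_saml_attributes(SAMPLE_WITH_SID)))
    print("with SID:   ", find_object_sid(SAMPLE_WITH_SID))
    print("without SID:", find_object_sid(SAMPLE_WITHOUT_SID))
```

Feed it the base64-decoded SAMLResponse captured from a browser trace (for example with the developer tools network tab) to see the full attribute list the IdP emits; a None result for the SID is the quickest confirmation that the mapping is missing on the IdP side rather than being rejected by AppStream.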
