
feat: Retrieve SAML user attributes, include in state, and provide to AWS SCIM

Open · ghost opened this issue 3 years ago · 1 comment

Is your feature request related to a problem? Please describe.

Just wrapped up most of the setup - things are working well so far with the manual test... thank you!

Though - I just realized that the current implementation does not support SAML user attributes, and I was really hoping to take advantage of AWS's relatively new (Nov 2020) attribute-based access control ABAC: https://aws.amazon.com/blogs/aws/new-attributes-based-access-control-with-aws-single-sign-on/

Describe the solution you'd like

Modify code to also retrieve any custom attributes that have been mapped in the Google Workspace SAML app, and include those in the state file and diff when determining what to send to the AWS SCIM endpoint.

Additional context

Creating custom attributes in the Workspace user settings: https://admin.google.com/ac/customschema

Mapping custom attributes in the AWS SSO SAML app: https://admin.google.com/ac/apps/saml/XXXXXXXX/attrmapping

AWS SSO attribute-based access mappings: https://us-west-2.console.aws.amazon.com/singlesignon/identity/home?region=us-west-2#!/settings?tab=abac

ghost avatar Mar 07 '22 04:03 ghost
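The request above asks for custom attributes to be carried in the state file and considered in the diff, so that an attribute change alone (e.g. a cost-center value used for ABAC) is detected and pushed. The following Go snippet is an added illustration of that diff step only; it is not code from idp-scim-sync, and it says nothing about whether the AWS SCIM endpoint accepts such attributes. The `User` and `Changes` types, the `Diff` function and the sample records are all constructed for this example.

```go
package main

import (
	"fmt"
	"reflect"
)

// User is a hypothetical state record: the identity fields a sync already
// tracks, plus a map of custom attributes (constructed for this example).
type User struct {
	Email      string
	GivenName  string
	FamilyName string
	Attributes map[string]string
}

// Changes lists what a sync run would have to send to the SCIM endpoint.
type Changes struct {
	Create []User
	Update []User
	Delete []User
}

// Diff compares the previously stored state with the users retrieved now.
// Users are matched by email. A user whose core fields OR attributes differ
// is reported as an update, so an attribute change alone triggers a push;
// without the attributes in state, that change would be invisible.
func Diff(prev, cur []User) Changes {
	prevByEmail := make(map[string]User, len(prev))
	for _, u := range prev {
		prevByEmail[u.Email] = u
	}
	seen := make(map[string]bool, len(cur))
	var ch Changes
	for _, u := range cur {
		seen[u.Email] = true
		old, ok := prevByEmail[u.Email]
		switch {
		case !ok:
			ch.Create = append(ch.Create, u)
		case !equalUser(old, u):
			ch.Update = append(ch.Update, u)
		}
	}
	// Anything in the stored state that was not retrieved this run is gone.
	for _, u := range prev {
		if !seen[u.Email] {
			ch.Delete = append(ch.Delete, u)
		}
	}
	return ch
}

// equalUser compares core fields and the attribute map as a whole.
func equalUser(a, b User) bool {
	return a.GivenName == b.GivenName && a.FamilyName == b.FamilyName &&
		reflect.DeepEqual(normalize(a.Attributes), normalize(b.Attributes))
}

// normalize treats a nil map and an empty map as the same value, so a
// user with no attributes does not show up as changed on every run.
func normalize(m map[string]string) map[string]string {
	if m == nil {
		return map[string]string{}
	}
	return m
}

// SamplePrev is a constructed "last run" state.
func SamplePrev() []User {
	return []User{
		{Email: "alice@example.com", GivenName: "Alice", FamilyName: "A", Attributes: map[string]string{"CostCenter": "100"}},
		{Email: "bob@example.com", GivenName: "Bob", FamilyName: "B", Attributes: map[string]string{"CostCenter": "200"}},
		{Email: "carol@example.com", GivenName: "Carol", FamilyName: "C"},
	}
}

// SampleCurrent is a constructed "this run" snapshot: bob's attribute changed,
// carol disappeared, dave is new, alice is unchanged.
func SampleCurrent() []User {
	return []User{
		{Email: "alice@example.com", GivenName: "Alice", FamilyName: "A", Attributes: map[string]string{"CostCenter": "100"}},
		{Email: "bob@example.com", GivenName: "Bob", FamilyName: "B", Attributes: map[string]string{"CostCenter": "300"}},
		{Email: "dave@example.com", GivenName: "Dave", FamilyName: "D", Attributes: map[string]string{"CostCenter": "400"}},
	}
}

func main() {
	ch := Diff(SamplePrev(), SampleCurrent())
	fmt.Printf("create=%d update=%d delete=%d\n", len(ch.Create), len(ch.Update), len(ch.Delete))
	for _, u := range ch.Update {
		fmt.Printf("update %s -> %v\n", u.Email, u.Attributes)
	}
}
```

Running `Diff` twice on the same snapshot yields no changes, which is the property a sync loop needs so that it only calls the endpoint when something in state actually moved.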

Hi @mat-release, totally agree with you, it could be a great feature.

I need to understand a little more how the integration could be, because actually I only use the AWS SSO SCIM API, which is just used to populate users, groups and group members with fixed fields or attributes I request from the Google Workspace Directory API.

So, to do that I need to implement the AWS SSO SDK Go v2 or another AWS SSO API to retrieve the SAML v1 mapping configuration, but in my first research I didn't find any AWS API that allows us to retrieve this SAML information. I'll keep investigating how retrieving this information is possible.

Update: the identitystore SDK doesn't provide access to SAML attributes either.

christiangda avatar Mar 13 '22 09:03 christiangda

Hi there,

Unfortunately, this is not possible; the SAML attributes are not reachable from the Lambda and the Google credentials. I implemented all the attributes allowed by the SCIM API; the next version will allow you to have these.

christiangda avatar Oct 14 '23 20:10 christiangda