Aws-cli: [v2] Add support for other SAML providers

Created on 12 Nov 2019 · 6 comments · Source: aws/aws-cli

Many organizations use a SAML provider other than AWS SSO and are also heavy users of the AWS CLI.

There are third-party tools for accomplishing this on the command line; see https://github.com/Versent/saml2aws

It would greatly benefit a large number of AWS customers if such functionality were baked into the aws v2 CLI. Please add support for other SAML Identity Providers to leverage the aws2 sso login functionality.

There should be no technical issue supporting this on the Identity Provider side, as AWS requires that they be implemented as unsolicited SAML requests. AWS would have the freedom to ask their customers' Identity Providers to send the SAML assertion to an alternate AWS endpoint that could hand the assertion back to the CLI, which could start the same role picker and STS workflow you have already built for aws2 sso login.

v2

All 6 comments

This feature will be very helpful for organizations using Okta as their SAML provider. Right now these are the solutions we are using: https://support.okta.com/help/s/article/Integrating-the-Amazon-Web-Services-Command-Line-Interface-Using-Okta

If aws-cli v2 had a better solution, it would be nice.

We use ADFS and had to build a small client to support this (lots of users, lots of accounts). It would definitely be handy to have it supported officially.

Have you open-sourced that? It would be very helpful to many companies...
But agreed, having it natively would be tremendously helpful.

Not yet, it's baked into a bigger CLI tool, but we thought about open-sourcing just the part doing the ADFS login.

Basically it does this flow: ask for your login, get the SAML assertion from your ADFS, fetch an access key ID, a secret access key and an AWS session token, and add them to your credentials file. That way a dev can work transparently with the AWS CLI. It's written in Go and cross-platform.

If we open-source this I'll post an update here, but I need agreement from my company.
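The flow the issue proposes (the IdP hands the assertion to the CLI, which shows a role picker and runs the STS exchange) and the flow the ADFS comment above describes (login, get the assertion, fetch key ID, secret and session token, write them to the credentials file) share the same post-login steps. The example below walks through those steps in Python on constructed data. It is an added example written for this page, not code from aws-cli, saml2aws or the commenter's tool. The interactive ADFS/browser login that produces the SAMLResponse is out of scope, and the SAMLResponse, the STS reply, the account IDs, ARNs and all function names are constructed or hypothetical; only the AWS SAML attribute URIs, the STS Query API parameters and the credentials-file keys are AWS's own.

```python
import base64
import configparser
import os
import tempfile
import urllib.parse
import xml.etree.ElementTree as ET  # prefer defusedxml for IdP output you do not fully trust

# Hypothetical names for this example; the attribute URIs and STS API version are AWS's own.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STS_NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
STS_ENDPOINT = "https://sts.amazonaws.com/"

# Constructed SAMLResponse shaped like what ADFS posts to the AWS sign-in endpoint; the XML
# signature is omitted because STS, not this client, validates it against the provider.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:AttributeStatement>
   <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
    <saml:AttributeValue>arn:aws:iam::111111111111:role/Developer,arn:aws:iam::111111111111:saml-provider/ADFS</saml:AttributeValue>
    <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/ADFS,arn:aws:iam::222222222222:role/ReadOnly</saml:AttributeValue>
   </saml:Attribute>
   <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration"><saml:AttributeValue>7200</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

# Constructed STS reply with placeholder values, standing in for the real HTTPS round trip.
SAMPLE_STS_XML = """<AssumeRoleWithSAMLResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
 <AssumeRoleWithSAMLResult><Credentials>
  <AccessKeyId>ASIAEXAMPLE</AccessKeyId><SecretAccessKey>exampleSecretKey</SecretAccessKey>
  <SessionToken>exampleSessionToken</SessionToken><Expiration>2019-11-12T12:00:00Z</Expiration>
 </Credentials></AssumeRoleWithSAMLResult>
</AssumeRoleWithSAMLResponse>"""

def parse_roles(saml_response_b64):
    """Return ([(role_arn, provider_arn), ...], session_duration) from a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles, duration = [], 3600
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        if attr.get("Name") == ROLE_ATTR:
            for value in values:
                parts = [p.strip() for p in value.split(",")]
                # AWS documents "role,provider", but IdPs emit either order: match by ARN type.
                role = [p for p in parts if ":role/" in p]
                provider = [p for p in parts if ":saml-provider/" in p]
                if len(parts) != 2 or len(role) != 1 or len(provider) != 1:
                    raise ValueError("malformed Role attribute value: %r" % value)
                roles.append((role[0], provider[0]))
        elif attr.get("Name") == DURATION_ATTR and values:
            duration = int(values[0])
    if not roles:
        raise ValueError("assertion carries no AWS Role attribute")
    return roles, duration

def build_assume_role_request(role_arn, provider_arn, saml_response_b64, duration_seconds):
    """STS Query API form body; AssumeRoleWithSAML is unsigned, the assertion is the credential."""
    params = {"Action": "AssumeRoleWithSAML", "Version": "2011-06-15", "RoleArn": role_arn,
              "PrincipalArn": provider_arn, "SAMLAssertion": saml_response_b64,
              "DurationSeconds": str(duration_seconds)}
    return STS_ENDPOINT, urllib.parse.urlencode(params)

def parse_sts_credentials(sts_xml):
    """Pull the temporary credentials out of an AssumeRoleWithSAML response."""
    creds = ET.fromstring(sts_xml).find(".//sts:Credentials", STS_NS)
    if creds is None:
        raise ValueError("STS response carries no Credentials element")
    return {k: creds.find("sts:" + k, STS_NS).text
            for k in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")}

def write_credentials_profile(path, profile, creds):
    """Upsert one profile in an AWS credentials file, keeping the file owner-only readable."""
    cfg = configparser.ConfigParser()
    cfg.read(path)  # silently a no-op when the file does not exist yet
    cfg[profile] = {"aws_access_key_id": creds["AccessKeyId"],
                    "aws_secret_access_key": creds["SecretAccessKey"],
                    "aws_session_token": creds["SessionToken"]}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # 0600 from creation
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # tighten a pre-existing file as well
    return cfg.sections()

def demo(directory=None):
    """Run the whole post-login flow on the constructed samples and report what was written."""
    roles, duration = parse_roles(SAMPLE_SAML_RESPONSE_B64)
    role, provider = roles[0]  # a real client prompts here: this is the role picker
    endpoint, body = build_assume_role_request(role, provider, SAMPLE_SAML_RESPONSE_B64, duration)
    # A real client POSTs body to endpoint over TLS and reads the XML reply; the sample stands in.
    creds = parse_sts_credentials(SAMPLE_STS_XML)
    path = os.path.join(directory or tempfile.mkdtemp(), "credentials")
    sections = write_credentials_profile(path, "saml", creds)
    return {"roles": roles, "endpoint": endpoint, "body": body, "path": path,
            "sections": sections, "mode": oct(os.stat(path).st_mode & 0o777)}

if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should keep in mind when turning this into a real client. First, the role list parsed from the assertion decides which account and role the client asks STS for, so the client must only accept a SAMLResponse it received itself over TLS from the configured IdP, never one supplied on the command line or read from a file; STS checks the assertion's signature against the registered provider, but that does not protect a client that can be pointed at a rogue IdP. Second, the file write above creates the credentials file with mode 0600 and re-tightens it on every update, because the session token written there is a bearer credential for the full session duration.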

Will this now support Okta?
