AWS API credentials with OneLogin SAML and MFA


Problem description

We want to allow our users to retrieve a set of temporary CLI credentials for a given AWS role by signing in to OneLogin with password and MFA. We have a working solution, but it requires the user to fully re-authenticate to OneLogin (including MFA) every 60 minutes as the AWS temporary credentials expire. I think that won't fly - our users are accustomed to permanent API credentials tied to a real IAM user.

Ideally, we'd like to allow users to authenticate once a day, securely cache the resulting SAML assertion, and use that to transparently refresh the AWS API credentials as needed. I'm thinking of something like aws-keychain that would use the local OS credential store to remember the SAML assertion, and only prompt the user for input when their OneLogin session has timed out.

This almost works as-is. The catch is that the SAML assertion returned by OneLogin's saml_assertion and verify_factor endpoints sets a three-minute deadline on the Subject and Conditions fields.

Is there a way to do what we want, or are we trying to route around a core SAML principle?

Recommended answer

The accepted answer here is no longer true. It is now possible to authenticate the user and verify MFA once at the start of a session and then have the session refreshed on an hourly basis without having to enter further MFA tokens.

To do this you must use the --loop parameter of the CLI tool and have a corresponding App Policy in OneLogin that enables the "Skip if OTP received within last X minutes" setting.

https://developers.onelogin.com/api-docs/1/samples/aws-cli
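To see why the question's "cache the assertion and replay it" plan fails, and why the answer's refresh loop has to fetch a fresh assertion each hour instead, the following added example (not code from the question, the answer, or OneLogin's aws-cli sample) parses the NotBefore/NotOnOrAfter window of a constructed, unsigned assertion with the three-minute deadline the question describes and checks whether STS would still accept it at a given moment.

```python
"""Validity check for a cached SAML assertion before AssumeRoleWithSAML.
Added illustration; the assertion and timestamps below are constructed."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS = "%Y-%m-%dT%H:%M:%SZ"


def build_assertion(issued_at: datetime, lifetime_min: int = 3) -> str:
    """Construct a minimal unsigned assertion whose Conditions and
    SubjectConfirmationData expire lifetime_min after issue (sample data)."""
    nb = issued_at.strftime(TS)
    noa = (issued_at + timedelta(minutes=lifetime_min)).strftime(TS)
    xml = (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
        "<saml:Subject><saml:SubjectConfirmation>"
        f'<saml:SubjectConfirmationData NotOnOrAfter="{noa}"/>'
        "</saml:SubjectConfirmation></saml:Subject>"
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"/>'
        "</saml:Assertion>"
    )
    return base64.b64encode(xml.encode()).decode()


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, TS).replace(tzinfo=timezone.utc)


def assertion_usable(saml_b64: str, now: datetime) -> bool:
    """True only if both the Conditions window and the SubjectConfirmationData
    deadline cover `now`; outside that window STS rejects the assertion, so a
    refresh loop must call saml_assertion again rather than replay the cache."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    cond = root.find("saml:Conditions", NS)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if cond is None or scd is None:
        return False
    deadline = min(_parse(cond.get("NotOnOrAfter")), _parse(scd.get("NotOnOrAfter")))
    return _parse(cond.get("NotBefore")) <= now < deadline


# Constructed sample: issued at a fixed time, evaluated at offsets from issue.
ISSUED_AT = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ASSERTION = build_assertion(ISSUED_AT)


def usable_after(seconds: int) -> bool:
    """Is the sample assertion still replayable `seconds` after it was issued?"""
    return assertion_usable(SAMPLE_ASSERTION, ISSUED_AT + timedelta(seconds=seconds))
```

At two minutes the cached assertion still works; at the three-minute mark and at the 60-minute credential expiry it does not, which is the gap the --loop mode plus the "Skip if OTP received" policy closes by re-fetching an assertion without a new OTP prompt.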
