AWS API credentials with OneLogin SAML and MFA


Problem description

We want to allow our users to retrieve a set of temporary CLI credentials for a given AWS role by signing in to OneLogin with password and MFA. We have a working solution, but it requires the user to fully re-authenticate to OneLogin (including MFA) every 60 minutes as the AWS temporary credentials expire. I think that won't fly - our users are accustomed to permanent API credentials tied to a real IAM user.

Ideally, we'd like to allow users to authenticate once a day, securely cache the resulting SAML assertion, and use that to transparently refresh the AWS API credentials as needed. I'm thinking of something like aws-keychain that would use the local OS credential store to remember the SAML assertion, and only prompt the user for input when their OneLogin session has timed out.

This almost works as-is. The catch is that the SAML assertion returned by OneLogin's saml_assertion and verify_factor endpoints sets a three-minute deadline on the Subject and Conditions fields.

Is there a way to do what we want, or are we trying to route around a core SAML principle?

Recommended answer

The accepted answer here is no longer true. It is now possible to authenticate the user and verify MFA once at the start of a session and then have the session refreshed on an hourly basis without having to enter further MFA tokens.

To do this you must use the --loop parameter of the CLI tool and have a corresponding App Policy in OneLogin that enables the "Skip if OTP received within last X minutes" setting.

https://developers.onelogin.com/api-docs/1/samples/aws-cli
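As an added example (not from the post and not OneLogin's sample tooling), the following parses a constructed assertion carrying the short Conditions window the question describes and applies the same validity check STS applies, which is why a cached assertion stops being exchangeable a few minutes after issuance. The SAML namespace and the AWS Role attribute name are the real ones; the IDs, timestamps and ARNs are made up for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample: minimal SAML 2.0 assertion shaped like the one an IdP returns for AWS,
# with the three-minute Conditions window the question describes. IDs, timestamps and ARNs are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:03:00Z" Recipient="https://signin.aws.amazon.com/saml"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:57:00Z" NotOnOrAfter="2024-01-01T12:03:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Developers,arn:aws:iam::123456789012:saml-provider/OneLogin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    """Parse the UTC 'Z' timestamps SAML uses into timezone-aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text):
    """Return the Conditions window plus the (role_arn, provider_arn) pairs
    that STS AssumeRoleWithSAML expects from the Role attribute."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    roles = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            role_arn, provider_arn = (part.strip() for part in value.text.split(","))
            roles.append((role_arn, provider_arn))
    return {"not_before": _ts(cond.get("NotBefore")),
            "not_on_or_after": _ts(cond.get("NotOnOrAfter")), "roles": roles}

def assertion_usable(info, now):
    """True only inside the Conditions window. STS enforces this window, so a
    cached assertion stops being exchangeable a few minutes after issuance."""
    return info["not_before"] <= now < info["not_on_or_after"]
```

This is the reason the post's caching plan fails: the thing worth keeping between refreshes is the authenticated OneLogin session (what the --loop approach relies on), not the assertion itself.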
