
Mapping Extractions from IDPs

This section provides the steps to extract mappings from the following IDPs:

  • Okta
  • ADFS
  • Azure
  • Ping

Okta

In Okta, use the Okta API (see the Okta API Reference Overview on Okta Developer) to get the Active Directory identities–AWS identities mappings.

  1. Get the AWS application and extract the Account ID from the identityProviderArn property (found under settings > app in the response below). Refer to the Okta Developer documentation for more information.

    Request Example - https://{yourOktaDomain}/api/v1/apps/{applicationId}

    Response Example
       {
           "id": "0oapruvo3xnNEuI12345",
           "name": "amazon_aws",
           "label": "AWS Account Federation",
           "status": "ACTIVE",
           "lastUpdated": "2021-08-02T14:51:07.000Z",
           "created": "2021-07-22T11:00:28.000Z",
           "accessibility": {
               "selfService": false,
               "errorRedirectUrl": null,
               "loginRedirectUrl": null
           },
           "visibility": {
               "autoLaunch": false,
               "autoSubmitToolbar": true,
               "hide": {
                   "iOS": false,
                   "web": false
               },
               "appLinks": {
                   "login": true
               }
           },
           "features": [
               "PUSH_NEW_USERS",
               "PUSH_PROFILE_UPDATES"
           ],
           "signOnMode": "SAML_2_0",
           "credentials": {
               "userNameTemplate": {
                   "template": "${source.login}",
                   "type": "BUILT_IN"
               },
               "signing": {
                   "kid": "BNfWuNclhWcvmRpgv2C8MoP1A34vLbDMNQ2odOK97VY"
               }
           },
           "settings": {
               "app": {
                   "appFilter": "okta",
                   "groupFilter": "aws_(?{{accountid}}\\d+)_(?{{role}}[a-zA-Z0-9+=,.@\\-_]+)",
                   "secretKey": null,
                   "useGroupMapping": true,
                   "joinAllRoles": true,
                   "identityProviderArn": "arn:aws:iam::832879212345:saml-provider/okta2",
                   "overrideAcsURL": null,
                   "sessionDuration": 3600,
                   "roleValuePattern": "arn:aws:iam::${accountid}:saml-provider/okta2, arn:aws:iam::${accountid}:role/${role}",
                   "awsEnvironmentType": "aws.amazon",
                   "accessKey": null,
                   "loginURL": "https://console.aws.amazon.com/ec2/home",
                   "secretKeyEnc": null
               },
               "notifications": {
                   "vpn": {
                       "network": {
                           "connection": "DISABLED"
                       },
                       "message": null,
                       "helpUrl": null
                   }
               },
               "notes": {
                   "admin": null,
                   "enduser": null
               },
               "signOn": {
                   "defaultRelayState": null,
                   "ssoAcsUrlOverride": null,
                   "audienceOverride": null,
                   "recipientOverride": null,
                   "destinationOverride": null,
                   "attributeStatements": []
               }
           },
           "_links": {
               "help": {
                   "href": "https://sailpointamirmono-admin.okta.com/app/amazon_aws/0oapruvo3xnNEuI12345/setup/help/SAML_2_0/external-doc",
                   "type": "text/html"
               },
               "metadata": {
                   "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/sso/saml/metadata",
                   "type": "application/xml"
               },
               "uploadLogo": {
                   "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/logo",
                   "hints": {
                       "allow": [
                           "POST"
                       ]
                   }
               },
               "appLinks": [
                   {
                       "name": "login",
                       "href": "https://sailpointamirmono.okta.com/home/amazon_aws/0oapruvo3xnNEuI12345/272",
                       "type": "text/html"
                   }
               ],
               "groups": {
                   "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/groups"
               },
               "logo": [
                   {
                       "name": "medium",
                       "href": "https://ok14static.oktacdn.com/fs/bcg/4/gfs1f2p5y2qNcK02w1d8",
                       "type": "image/png"
                   }
               ],
               "users": {
                   "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/users"
               },
               "deactivate": {
                   "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/lifecycle/deactivate"
               }
           }
       }
    
  2. Get the application's users and groups and extract the role names from profile > role.

  3. Build the role ARN from the Account ID and the role name, and get the Okta IDs of the users and groups.

    Request Examples

    https://{yourOktaDomain}/api/v1/apps/{applicationId}/users
    https://{yourOktaDomain}/api/v1/apps/{applicationId}/groups
    
    Response Example
       [
           {
               "id": "00gpsbh7o3OJOfoeV695",
               "lastUpdated": "2021-08-22T14:32:44.000Z",
               "priority": 0,
               "profile": {
                   "role": "AWSServiceRoleForCloudTrail",
                   "samlRoles": [
                       "Okta_IDP_Role_2"
                   ]
               },
               "_links": {
                   "app": {
                       "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345"
                   },
                   "self": {
                       "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/groups/00gpsbh7o3OJOfo12345"
                   },
                   "group": {
                       "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gpsbh7o3OJOfo12345"
                   }
               }
           },
           {
               "id": "00gymrmrGOkWUyKGf695",
               "lastUpdated": "2021-08-22T14:35:17.000Z",
               "priority": 1,
               "profile": {
                   "role": "AWSServiceRoleForCloudTrail",
                   "samlRoles": [
                       "Okta_IDP_Role"
                   ]
               },
               "_links": {
                   "app": {
                       "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345"
                   },
                   "self": {
                       "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/groups/00gymrmrGOkWUyK12345"
                   },
                   "group": {
                       "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gymrmrGOkWUyK12345"
                   }
               }
           }
       ]
    
  4. List all the groups and users, and resolve the group and user names by their IDs.

    Request Examples

    https://{yourOktaDomain}/api/v1/groups
    
    https://{yourOktaDomain}/api/v1/users
    
    Response Example
    [
        {
            "id": "00gymrmrGOkWUyK12345",
            "created": "2021-07-29T10:40:08.000Z",
            "lastUpdated": "2021-07-29T10:40:08.000Z",
            "lastMembershipUpdated": "2021-07-29T10:41:25.000Z",
            "objectClass": [
                "okta:user_group"
            ],
            "type": "OKTA_GROUP",
            "profile": {
                "name": "aws_832879285990_Okta_IDP_Role_2",
                "description": null
            },
            "_links": {
                "logo": [
                    {
                        "name": "medium",
                        "href": "https://ok14static.oktacdn.com/assets/img/logos/groups/odyssey/okta-medium.1a5ebe44c4244fb796c235d86b47e3bb.png",
                        "type": "image/png"
                    },
                    {
                        "name": "large",
                        "href": "https://ok14static.oktacdn.com/assets/img/logos/groups/odyssey/okta-large.d9cfbd8a00a4feac1aa5612ba02e99c0.png",
                        "type": "image/png"
                    }
                ],
                "users": {
                    "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gymrmrGOkWUyK12345/users"
                },
                "apps": {
                    "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gymrmrGOkWUyK12345/apps"
                }
            }
        },
        {
            "id": "00gpsbh7o3OJOfo12345",
            "created": "2021-07-22T09:26:50.000Z",
            "lastUpdated": "2021-07-22T09:26:50.000Z",
            "lastMembershipUpdated": "2021-07-29T10:41:25.000Z",
            "objectClass": [
                "okta:user_group"
            ],
            "type": "BUILT_IN",
            "profile": {
                "name": "Everyone",
                "description": "All users in your organization"
            },
            "_links": {
                "logo": [
                    {
                        "name": "medium",
                        "href": "https://ok14static.oktacdn.com/assets/img/logos/groups/odyssey/okta-medium.1a5ebe44c4244fb796c235d86b47e3bb.png",
                        "type": "image/png"
                    },
                    {
                        "name": "large",
                        "href": "https://ok14static.oktacdn.com/assets/img/logos/groups/odyssey/okta-large.d9cfbd8a00a4feac1aa5612ba02e99c0.png",
                        "type": "image/png"
                    }
                ],
                "users": {
                    "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gpsbh7o3OJOfo12345/users"
                },
                "apps": {
                    "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gpsbh7o3OJOfo12345/apps"
                }
            }
        }
    ]
    

ADFS

In ADFS, the Active Directory identities-AWS identities mapping is done on an Active Directory identity attribute.

For more information, refer to Configure an AD User's Account in Establish Federated Access to AWS Resources by Using AD User Attributes.

Filter all the users and groups that carry the specific attribute, and export the result to a CSV or Excel file.

PS Example

Get-ADUser -Filter 'url -like "*AWS*"' -properties "url" | Export-Csv c:\file.csv

Response Example

#TYPE Microsoft.ActiveDirectory.Management.ADUser,,,,,,,,,,
DistinguishedName,Enabled,GivenName,Name,ObjectClass,ObjectGUID,SamAccountName,SID,Surname,url,UserPrincipalName
"CN=Adiel,CN=Users,DC=office,DC=whitebox,DC=forest",TRUE,Adiel,Adiel,user,e3fe35c1-0daf-4379-a379-73364ec12345,Adiel,S-1-5-21-3335839157-1594281566-240188981-12345,Moshed,Microsoft.ActiveDirectory.Management.ADPropertyValueCollection,Adiel@office.whitebox.forest

Note

The response will be exported to a CSV or Excel file. In the example above, the multi-valued url attribute is exported as its type name (Microsoft.ActiveDirectory.Management.ADPropertyValueCollection) rather than as its values, so the mapping itself is not in the file; expand the attribute's values (for example, with Select-Object and a calculated property that joins them) before exporting.

Azure AD

In Azure AD, the Azure AD identities–AWS identities mapping can be obtained by using Microsoft Graph.

  1. Get all the AWS account's roles by the AWS Single-Account Access object ID (one account per request).
  2. Acquire the role ARNs from the value property of each appRoles entry in the response.

    Request Example - https://graph.microsoft.com/beta/servicePrincipals/{AWS Single-Account Access object id}

    Response Example
    {
        "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals/$entity",
        "@odata.id": "https://graph.microsoft.com/v2/154dccc9-b44e-4883-860c-12345/directoryObjects/726e2abf-b192-462d-a977-12345/Microsoft.DirectoryServices.ServicePrincipal",
        "id": "726e2abf-b192-462d-a977-12345",
        "deletedDateTime": null,
        "accountEnabled": true,
        "alternativeNames": [],
        "createdDateTime": "2021-09-05T11:27:45Z",
        "deviceManagementAppType": null,
        "appDescription": null,
        "appDisplayName": "AWS Single-Account Access",
        "appId": "944b9a2c-51dd-41eb-a018-12345",
        "applicationTemplateId": "8b1025e4-1dd2-430b-a150-12345",
        "appOwnerOrganizationId": "154dccc9-b44e-4883-860c-12345",
        "appRoleAssignmentRequired": true,
        "description": null,
        "disabledByMicrosoftStatus": null,
        "displayName": "AWS Single-Account Access",
        "errorUrl": null,
        "homepage": "https://signin.aws.amazon.com/saml?metadata=aws|ISV9.1|primary|z",
        "isAuthorizationServiceEnabled": false,
        "isManagementRestricted": null,
        "loginUrl": null,
        "logoutUrl": null,
        "notes": null,
        "notificationEmailAddresses": [
            "admin@501.sailpointtechnologies.com"
        ],
        "preferredSingleSignOnMode": "saml",
        "preferredTokenSigningKeyEndDateTime": null,
        "preferredTokenSigningKeyThumbprint": null,
        "publisherName": "SailPoint Technologies, Inc.",
        "replyUrls": [
            "https://signin.aws.amazon.com/saml"
        ],
        "samlMetadataUrl": null,
        "servicePrincipalNames": [
            "944b9a2c-51dd-41eb-a018-12345"
        ],
        "servicePrincipalType": "Application",
        "signInAudience": "AzureADMyOrg",
        "tags": [
            "WindowsAzureActiveDirectoryIntegratedApp"
        ],
        "tokenEncryptionKeyId": null,
        "samlSingleSignOnSettings": null,
        "verifiedPublisher": {
            "displayName": null,
            "verifiedPublisherId": null,
            "addedDateTime": null
        },
        "addIns": [],
        "api": {
            "resourceSpecificApplicationPermissions": []
        },
        "appRoles": [
            {
                "allowedMemberTypes": [
                    "User"
                ],
                "description": "msiam_access",
                "displayName": "msiam_access",
                "id": "7dfd756e-8c27-4472-b2b7-12345",
                "isEnabled": true,
                "origin": "Application",
                "value": null
            },
            {
                "allowedMemberTypes": [
                    "User"
                ],
                "description": "ChessPlayersRole",
                "displayName": "ChessPlayersRole,Okta1",
                "id": "2d9e11e2-14c9-4f34-bf19-12345",
                "isEnabled": true,
                "origin": "ServicePrincipal",
                "value": "arn:aws:iam::832879212345:role/ChessPlayersRole,arn:aws:iam::832879212345:saml-provider/Okta1"
            },
            {
                "allowedMemberTypes": [
                    "User"
                ],
                "description": "DOMAIN_ALIAS_RID_ADMIN-AWS",
                "displayName": "DOMAIN_ALIAS_RID_ADMIN-AWS,Azure_test1",
                "id": "ad3d751a-b615-4bf7-930b-c06a62712345",
                "isEnabled": true,
                "origin": "ServicePrincipal",
                "value": "arn:aws:iam::832879212345:role/DOMAIN_ALIAS_RID_ADMIN-AWS,arn:aws:iam::832879212345:saml-provider/Azure_test1"
            }
        ],
        "info": {
            "termsOfServiceUrl": null,
            "supportUrl": null,
            "privacyStatementUrl": null,
            "marketingUrl": null,
            "logoUrl": null
        },
        "keyCredentials": [],
        "publishedPermissionScopes": [
            {
                "adminConsentDescription": "Allow the application to access AWS Single-Account Access on behalf of the signed-in user.",
                "adminConsentDisplayName": "Access AWS Single-Account Access",
                "id": "419e3996-3684-4265-890a-12345",
                "isEnabled": true,
                "type": "User",
                "userConsentDescription": "Allow the application to access AWS Single-Account Access on your behalf.",
                "userConsentDisplayName": "Access AWS Single-Account Access",
                "value": "user_impersonation"
            }
        ],
        "passwordCredentials": [],
        "resourceSpecificApplicationPermissions": []
    }
    
  3. Get the users and groups that are assigned to the AWS roles.

  4. Acquire the details of those users and groups.

    Request Example - https://graph.microsoft.com/beta/servicePrincipals/{AWS Single-Account Access object id}/appRoleAssignedTo

    Response Example
    {
        "@odata.context": "https://graph.microsoft.com/beta/$metadata#appRoleAssignments",
        "value": [
            {
                "@odata.id": "https://graph.microsoft.com/v2/154dccc9-b44e-4883-860c-12345/directoryObjects/$/Microsoft.DirectoryServices.ServicePrincipal('726e2abf-b192-462d-a977-12345')/appRoleAssignedTo/v9raS1IPQkuV98HJH2Uqhsg4ilzG80ZOi0OMy-8m5iw",
                "id": "v9raS1IPQkuV98HJH2Uqhsg4ilzG80ZOi0OMy-8m5iw",
                "creationTimestamp": "2021-09-09T11:45:26.3084935Z",
                "appRoleId": "d3a9b01b-1736-4f1b-ac5f-12345",
                "principalDisplayName": "anatoly_azure_gr1",
                "principalId": "4bdadabf-0f52-4b42-95f7-12345",
                "principalType": "Group",
                "resourceDisplayName": "AWS Single-Account Access",
                "resourceId": "726e2abf-b192-462d-a977-12345"
            },
            {
                "@odata.id": "https://graph.microsoft.com/v2/154dccc9-b44e-4883-860c-12345/directoryObjects/$/Microsoft.DirectoryServices.ServicePrincipal('726e2abf-b192-462d-a977-12345')/appRoleAssignedTo/CF0PHVm9hka00WBTgEPxaoZKebW4inxCsBpqIGxRwFI",
                "id": "CF0PHVm9hka00WBTgEPxaoZKebW4inxCsBpqIGxRwFI",
                "creationTimestamp": "2021-09-09T11:45:26.3302622Z",
                "appRoleId": "d3a9b01b-1736-4f1b-ac5f-12345",
                "principalDisplayName": "anatoly_azure_group3",
                "principalId": "1d0f5d08-bd59-4686-b4d1-12345",
                "principalType": "Group",
                "resourceDisplayName": "AWS Single-Account Access",
                "resourceId": "726e2abf-b192-462d-a977-12345"
            },
            {
                "@odata.id": "https://graph.microsoft.com/v2/154dccc9-b44e-4883-860c-12345/directoryObjects/$/Microsoft.DirectoryServices.ServicePrincipal('726e2abf-b192-462d-a977-12345')/appRoleAssignedTo/INRoSKbmpUaZrnYaVRU3XMRgM8C1kZ9GjHjSB9vW1e4",
                "id": "INRoSKbmpUaZrnYaVRU3XMRgM8C1kZ9GjHjSB9vW1e4",
                "creationTimestamp": "2021-09-09T11:32:47.4228653Z",
                "appRoleId": "277f83e1-4903-4b06-baf7-12345",
                "principalDisplayName": "Adiel",
                "principalId": "4868d420-e6a6-46a5-99ae-12345",
                "principalType": "User",
                "resourceDisplayName": "AWS Single-Account Access",
                "resourceId": "726e2abf-b192-462d-a977-12345"
            }
        ]
    }
    
