
Mapping Extractions from IDPs

This section provides the steps to extract the identity-to-AWS-role mappings from the following IdPs. All of the calls below are read-only; run them with a credential (API token, application permission or AD account) that has only the read scope needed to list applications, groups and users, and treat the responses as identity data that must be stored and shared accordingly:

  • Okta
  • ADFS
  • Azure AD
  • Ping

Okta

In Okta, use the Okta API (see the Okta API Reference Overview on Okta Developer) to get the Active Directory identities to AWS identities mappings. The requests below are GET calls only, so the API token or OAuth scope used should grant read access to apps, groups and users and nothing more.

  1. Get the AWS application and extract the 12-digit Account ID from the identityProviderArn property (format: arn:aws:iam::<account-id>:saml-provider/<name>). Treat the response as sensitive: the settings.app object contains the accessKey, secretKey and secretKeyEnc fields (null in this example), which can hold AWS credentials for the application, so do not log or share the raw response.

    Okta Documentation

    Apps: Okta Developer

    Request Example

    https://{yourOktaDomain}/api/v1/apps/{applicationId}

    Response Example
    {
        "id": "0oapruvo3xnNEuI12345",
        "name": "amazon_aws",
        "label": "AWS Account Federation",
        "status": "ACTIVE",
        "lastUpdated": "2021-08-02T14:51:07.000Z",
        "created": "2021-07-22T11:00:28.000Z",
        "accessibility": {
            "selfService": false,
            "errorRedirectUrl": null,
            "loginRedirectUrl": null
        },
        "visibility": {
            "autoLaunch": false,
            "autoSubmitToolbar": true,
            "hide": {
                "iOS": false,
                "web": false
            },
            "appLinks": {
                "login": true
            }
        },
        "features": [
            "PUSH_NEW_USERS",
            "PUSH_PROFILE_UPDATES"
        ],
        "signOnMode": "SAML_2_0",
        "credentials": {
            "userNameTemplate": {
                "template": "${source.login}",
                "type": "BUILT_IN"
            },
            "signing": {
                "kid": "BNfWuNclhWcvmRpgv2C8MoP1A34vLbDMNQ2odOK97VY"
            }
        },
        "settings": {
            "app": {
                "appFilter": "okta",
                "groupFilter": "aws_(?{{accountid}}\\d+)_(?{{role}}[a-zA-Z0-9+=,.@\\-_]+)",
                "secretKey": null,
                "useGroupMapping": true,
                "joinAllRoles": true,
                "identityProviderArn": "arn:aws:iam::832879212345:saml-provider/okta2",
                "overrideAcsURL": null,
                "sessionDuration": 3600,
                "roleValuePattern": "arn:aws:iam::${accountid}:saml-provider/okta2, arn:aws:iam::${accountid}:role/${role}",
                "awsEnvironmentType": "aws.amazon",
                "accessKey": null,
                "loginURL": "https://console.aws.amazon.com/ec2/home",
                "secretKeyEnc": null
            },
            "notifications": {
                "vpn": {
                    "network": {
                        "connection": "DISABLED"
                    },
                    "message": null,
                    "helpUrl": null
                }
            },
            "notes": {
                "admin": null,
                "enduser": null
            },
            "signOn": {
                "defaultRelayState": null,
                "ssoAcsUrlOverride": null,
                "audienceOverride": null,
                "recipientOverride": null,
                "destinationOverride": null,
                "attributeStatements": []
            }
        },
        "_links": {
            "help": {
                "href": "https://sailpointamirmono-admin.okta.com/app/amazon_aws/0oapruvo3xnNEuI12345/setup/help/SAML_2_0/external-doc",
                "type": "text/html"
            },
            "metadata": {
                "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/sso/saml/metadata",
                "type": "application/xml"
            },
            "uploadLogo": {
                "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/logo",
                "hints": {
                    "allow": [
                        "POST"
                    ]
                }
            },
            "appLinks": [
                {
                    "name": "login",
                    "href": "https://sailpointamirmono.okta.com/home/amazon_aws/0oapruvo3xnNEuI12345/272",
                    "type": "text/html"
                }
            ],
            "groups": {
                "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/groups"
            },
            "logo": [
                {
                    "name": "medium",
                    "href": "https://ok14static.oktacdn.com/fs/bcg/4/gfs1f2p5y2qNcK02w1d8",
                    "type": "image/png"
                }
            ],
            "users": {
                "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/users"
            },
            "deactivate": {
                "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/lifecycle/deactivate"
            }
        }
    }
    
  2. Get the application's users and groups and extract the SAML role names. Note that in the example both groups carry the same "profile" > "role" value (AWSServiceRoleForCloudTrail); the group-specific role is in "profile" > "samlRoles", and because useGroupMapping is true in the application settings, the account ID and role are also derived from the group name by the groupFilter regular expression (aws_<accountid>_<role>).

  3. Build the role ARN from the Account ID and the role name following the application's roleValuePattern (in the example, arn:aws:iam::${accountid}:role/${role}), and record the Okta ID of each assigned user and group.

    Okta Documentation

    Groups: Okta Developer

    Users: Okta Developer

    Request Example

    https://{yourOktaDomain}/api/v1/apps/{applicationId}/users

    https://{yourOktaDomain}/api/v1/apps/{applicationId}/groups

    Response Example
    [
        {
            "id": "00gpsbh7o3OJOfoeV695",
            "lastUpdated": "2021-08-22T14:32:44.000Z",
            "priority": 0,
            "profile": {
                "role": "AWSServiceRoleForCloudTrail",
                "samlRoles": [
                    "Okta_IDP_Role_2"
                ]
            },
            "_links": {
                "app": {
                    "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345"
                },
                "self": {
                    "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/groups/00gpsbh7o3OJOfo12345"
                },
                "group": {
                    "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gpsbh7o3OJOfo12345"
                }
            }
        },
        {
            "id": "00gymrmrGOkWUyKGf695",
            "lastUpdated": "2021-08-22T14:35:17.000Z",
            "priority": 1,
            "profile": {
                "role": "AWSServiceRoleForCloudTrail",
                "samlRoles": [
                    "Okta_IDP_Role"
                ]
            },
            "_links": {
                "app": {
                    "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345"
                },
                "self": {
                    "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/groups/00gymrmrGOkWUyK12345"
                },
                "group": {
                    "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gymrmrGOkWUyK12345"
                }
            }
        }
    ]
    
  4. List all the groups and users and resolve the names of the assigned groups and users by their IDs. Check the resolved groups for built-in groups: in the example, the BUILT_IN group "Everyone" ("All users in your organization") appears to be assigned to the AWS application with a SAML role, which means every user in the org inherits that AWS role and should be included in the mapping.

    Okta Documentation

    Groups: Okta Developer

    Users: Okta Developer

    Request Example

    https://{yourOktaDomain}/api/v1/groups

    https://{yourOktaDomain}/api/v1/users

    Response Example
    [
        {
            "id": "00gymrmrGOkWUyK12345",
            "created": "2021-07-29T10:40:08.000Z",
            "lastUpdated": "2021-07-29T10:40:08.000Z",
            "lastMembershipUpdated": "2021-07-29T10:41:25.000Z",
            "objectClass": [
                "okta:user_group"
            ],
            "type": "OKTA_GROUP",
            "profile": {
                "name": "aws_832879285990_Okta_IDP_Role_2",
                "description": null
            },
            "_links": {
                "logo": [
                    {
                        "name": "medium",
                        "href": "https://ok14static.oktacdn.com/assets/img/logos/groups/odyssey/okta-medium.1a5ebe44c4244fb796c235d86b47e3bb.png",
                        "type": "image/png"
                    },
                    {
                        "name": "large",
                        "href": "https://ok14static.oktacdn.com/assets/img/logos/groups/odyssey/okta-large.d9cfbd8a00a4feac1aa5612ba02e99c0.png",
                        "type": "image/png"
                    }
                ],
                "users": {
                    "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gymrmrGOkWUyK12345/users"
                },
                "apps": {
                    "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gymrmrGOkWUyK12345/apps"
                }
            }
        },
        {
            "id": "00gpsbh7o3OJOfo12345",
            "created": "2021-07-22T09:26:50.000Z",
            "lastUpdated": "2021-07-22T09:26:50.000Z",
            "lastMembershipUpdated": "2021-07-29T10:41:25.000Z",
            "objectClass": [
                "okta:user_group"
            ],
            "type": "BUILT_IN",
            "profile": {
                "name": "Everyone",
                "description": "All users in your organization"
            },
            "_links": {
                "logo": [
                    {
                        "name": "medium",
                        "href": "https://ok14static.oktacdn.com/assets/img/logos/groups/odyssey/okta-medium.1a5ebe44c4244fb796c235d86b47e3bb.png",
                        "type": "image/png"
                    },
                    {
                        "name": "large",
                        "href": "https://ok14static.oktacdn.com/assets/img/logos/groups/odyssey/okta-large.d9cfbd8a00a4feac1aa5612ba02e99c0.png",
                        "type": "image/png"
                    }
                ],
                "users": {
                    "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gpsbh7o3OJOfo12345/users"
                },
                "apps": {
                    "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gpsbh7o3OJOfo12345/apps"
                }
            }
        }
    ]
    

ADFS

In ADFS, the Active Directory identities-AWS identities mapping is done on one of the Active Directory identity attributes.

For more information, see Establish Federated Access to AWS Resources by Using AD User Attributes. See - A. Configure an AD user’s account.

Filter the users that carry the mapping attribute (Get-ADUser returns user objects only; use Get-ADGroup for groups if the attribute is set on groups as well) and export the result to a CSV or Excel file.

PS Example

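# Export the AD users whose multi-valued 'url' attribute references AWS.
# Export-Csv writes collection properties as their type name (the sample
# output shows "Microsoft.ActiveDirectory.Management.ADPropertyValueCollection"
# in the url column), so the url values are joined into one string first.
# -NoTypeInformation drops the "#TYPE ..." header line from the CSV.
Get-ADUser -Filter 'url -like "*AWS*"' -Properties "url" |
    Select-Object DistinguishedName, Enabled, GivenName, Name, ObjectClass, ObjectGUID, SamAccountName, SID, Surname, UserPrincipalName,
        @{ Name = 'url'; Expression = { $_.url -join ';' } } |
    Export-Csv -Path 'c:\file.csv' -NoTypeInformation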

Response Example
#TYPE Microsoft.ActiveDirectory.Management.ADUser,,,,,,,,,,
DistinguishedName,Enabled,GivenName,Name,ObjectClass,ObjectGUID,SamAccountName,SID,Surname,url,UserPrincipalName
"CN=Adiel,CN=Users,DC=office,DC=whitebox,DC=forest",TRUE,Adiel,Adiel,user,e3fe35c1-0daf-4379-a379-73364ec12345,Adiel,S-1-5-21-3335839157-1594281566-240188981-12345,Moshed,Microsoft.ActiveDirectory.Management.ADPropertyValueCollection,Adiel@office.whitebox.forest

Note

Remember that the response is exported to a CSV or Excel file. The file contains account identifiers (distinguished name, SID, UPN), so store and share it as identity data. Also note that url is a multi-valued attribute: when exported as-is, Export-Csv writes the collection type name ("Microsoft.ActiveDirectory.Management.ADPropertyValueCollection") instead of the values, as shown in the example above; join the values into a string before exporting if the mapping value itself is needed.

Azure AD

In Azure AD (Microsoft Entra ID), the AD identities to AWS identities mapping can be retrieved by using Microsoft Graph. The examples below use the beta endpoint, which is not guaranteed to be stable; check whether the same queries are available on v1.0 before relying on them in automation, and use an application permission limited to reading applications and directory objects.

  1. Get all the AWS account’s roles by the AWS Single-Account Access Object ID (one account per request).

  2. Acquire the role ARNs. Each appRoles entry with "origin": "ServicePrincipal" carries, in its "value", the AWS role ARN and the SAML provider ARN as a comma-separated pair (arn:aws:iam::<account>:role/<name>,arn:aws:iam::<account>:saml-provider/<name>). The built-in msiam_access entry has a null value and is not an AWS role mapping.

    Request Example

    https://graph.microsoft.com/beta/servicePrincipals/{AWS Single-Account Access object id}

    Response Example
    {
        "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals/$entity",
        "@odata.id": "https://graph.microsoft.com/v2/154dccc9-b44e-4883-860c-12345/directoryObjects/726e2abf-b192-462d-a977-12345/Microsoft.DirectoryServices.ServicePrincipal",
        "id": "726e2abf-b192-462d-a977-12345",
        "deletedDateTime": null,
        "accountEnabled": true,
        "alternativeNames": [],
        "createdDateTime": "2021-09-05T11:27:45Z",
        "deviceManagementAppType": null,
        "appDescription": null,
        "appDisplayName": "AWS Single-Account Access",
        "appId": "944b9a2c-51dd-41eb-a018-12345",
        "applicationTemplateId": "8b1025e4-1dd2-430b-a150-12345",
        "appOwnerOrganizationId": "154dccc9-b44e-4883-860c-12345",
        "appRoleAssignmentRequired": true,
        "description": null,
        "disabledByMicrosoftStatus": null,
        "displayName": "AWS Single-Account Access",
        "errorUrl": null,
        "homepage": "https://signin.aws.amazon.com/saml?metadata=aws|ISV9.1|primary|z",
        "isAuthorizationServiceEnabled": false,
        "isManagementRestricted": null,
        "loginUrl": null,
        "logoutUrl": null,
        "notes": null,
        "notificationEmailAddresses": [
            "admin@501.sailpointtechnologies.com"
        ],
        "preferredSingleSignOnMode": "saml",
        "preferredTokenSigningKeyEndDateTime": null,
        "preferredTokenSigningKeyThumbprint": null,
        "publisherName": "SailPoint Technologies, Inc.",
        "replyUrls": [
            "https://signin.aws.amazon.com/saml"
        ],
        "samlMetadataUrl": null,
        "servicePrincipalNames": [
            "944b9a2c-51dd-41eb-a018-12345"
        ],
        "servicePrincipalType": "Application",
        "signInAudience": "AzureADMyOrg",
        "tags": [
            "WindowsAzureActiveDirectoryIntegratedApp"
        ],
        "tokenEncryptionKeyId": null,
        "samlSingleSignOnSettings": null,
        "verifiedPublisher": {
            "displayName": null,
            "verifiedPublisherId": null,
            "addedDateTime": null
        },
        "addIns": [],
        "api": {
            "resourceSpecificApplicationPermissions": []
        },
        "appRoles": [
            {
                "allowedMemberTypes": [
                    "User"
                ],
                "description": "msiam_access",
                "displayName": "msiam_access",
                "id": "7dfd756e-8c27-4472-b2b7-12345",
                "isEnabled": true,
                "origin": "Application",
                "value": null
            },
            {
                "allowedMemberTypes": [
                    "User"
                ],
                "description": "ChessPlayersRole",
                "displayName": "ChessPlayersRole,Okta1",
                "id": "2d9e11e2-14c9-4f34-bf19-12345",
                "isEnabled": true,
                "origin": "ServicePrincipal",
                "value": "arn:aws:iam::832879212345:role/ChessPlayersRole,arn:aws:iam::832879212345:saml-provider/Okta1"
            },
            {
                "allowedMemberTypes": [
                    "User"
                ],
                "description": "DOMAIN_ALIAS_RID_ADMIN-AWS",
                "displayName": "DOMAIN_ALIAS_RID_ADMIN-AWS,Azure_test1",
                "id": "ad3d751a-b615-4bf7-930b-c06a62712345",
                "isEnabled": true,
                "origin": "ServicePrincipal",
                "value": "arn:aws:iam::832879212345:role/DOMAIN_ALIAS_RID_ADMIN-AWS,arn:aws:iam::832879212345:saml-provider/Azure_test1"
            }
        ],
        "info": {
            "termsOfServiceUrl": null,
            "supportUrl": null,
            "privacyStatementUrl": null,
            "marketingUrl": null,
            "logoUrl": null
        },
        "keyCredentials": [],
        "publishedPermissionScopes": [
            {
                "adminConsentDescription": "Allow the application to access AWS Single-Account Access on behalf of the signed-in user.",
                "adminConsentDisplayName": "Access AWS Single-Account Access",
                "id": "419e3996-3684-4265-890a-12345",
                "isEnabled": true,
                "type": "User",
                "userConsentDescription": "Allow the application to access AWS Single-Account Access on your behalf.",
                "userConsentDisplayName": "Access AWS Single-Account Access",
                "value": "user_impersonation"
            }
        ],
        "passwordCredentials": [],
        "resourceSpecificApplicationPermissions": []
    }
    
  3. Get the users and groups which are assigned to the AWS roles. Match each assignment's appRoleId to an "id" in the appRoles list from the previous step to learn which role ARN it grants. Assignments with "principalType": "Group" grant the role to every member of that group, so the group membership must be enumerated separately to list the affected users.

  4. Acquire the users and groups details.

    Request Example

    https://graph.microsoft.com/beta/servicePrincipals/{AWS Single-Account Access object id}/appRoleAssignedTo

    Response Example
    {
        "@odata.context": "https://graph.microsoft.com/beta/$metadata#appRoleAssignments",
        "value": [
            {
                "@odata.id": "https://graph.microsoft.com/v2/154dccc9-b44e-4883-860c-12345/directoryObjects/$/Microsoft.DirectoryServices.ServicePrincipal('726e2abf-b192-462d-a977-12345')/appRoleAssignedTo/v9raS1IPQkuV98HJH2Uqhsg4ilzG80ZOi0OMy-8m5iw",
                "id": "v9raS1IPQkuV98HJH2Uqhsg4ilzG80ZOi0OMy-8m5iw",
                "creationTimestamp": "2021-09-09T11:45:26.3084935Z",
                "appRoleId": "d3a9b01b-1736-4f1b-ac5f-12345",
                "principalDisplayName": "anatoly_azure_gr1",
                "principalId": "4bdadabf-0f52-4b42-95f7-12345",
                "principalType": "Group",
                "resourceDisplayName": "AWS Single-Account Access",
                "resourceId": "726e2abf-b192-462d-a977-12345"
            },
            {
                "@odata.id": "https://graph.microsoft.com/v2/154dccc9-b44e-4883-860c-12345/directoryObjects/$/Microsoft.DirectoryServices.ServicePrincipal('726e2abf-b192-462d-a977-12345')/appRoleAssignedTo/CF0PHVm9hka00WBTgEPxaoZKebW4inxCsBpqIGxRwFI",
                "id": "CF0PHVm9hka00WBTgEPxaoZKebW4inxCsBpqIGxRwFI",
                "creationTimestamp": "2021-09-09T11:45:26.3302622Z",
                "appRoleId": "d3a9b01b-1736-4f1b-ac5f-12345",
                "principalDisplayName": "anatoly_azure_group3",
                "principalId": "1d0f5d08-bd59-4686-b4d1-12345",
                "principalType": "Group",
                "resourceDisplayName": "AWS Single-Account Access",
                "resourceId": "726e2abf-b192-462d-a977-12345"
            },
            {
                "@odata.id": "https://graph.microsoft.com/v2/154dccc9-b44e-4883-860c-12345/directoryObjects/$/Microsoft.DirectoryServices.ServicePrincipal('726e2abf-b192-462d-a977-12345')/appRoleAssignedTo/INRoSKbmpUaZrnYaVRU3XMRgM8C1kZ9GjHjSB9vW1e4",
                "id": "INRoSKbmpUaZrnYaVRU3XMRgM8C1kZ9GjHjSB9vW1e4",
                "creationTimestamp": "2021-09-09T11:32:47.4228653Z",
                "appRoleId": "277f83e1-4903-4b06-baf7-12345",
                "principalDisplayName": "Adiel",
                "principalId": "4868d420-e6a6-46a5-99ae-12345",
                "principalType": "User",
                "resourceDisplayName": "AWS Single-Account Access",
                "resourceId": "726e2abf-b192-462d-a977-12345"
            }
        ]
    }