Mapping Extractions from IDPs

This section provide the steps to extract mappings from the following IDPs:

Okta
ADFS
Azure AD
Ping

Okta

In Okta, use the Okta API Reference Overview: Okta Developer, to get the Active Directory identities - AWS identities mappings.

Get the AWS application and extract the Account ID from the identityProviderArn property.

Okta Documentation

Apps: Okta Developer

Request Example

https://{yourOktaDomain}/api/v1/apps/{applicationId}

Response Example

{
    "id": "0oapruvo3xnNEuI12345",
    "name": "amazon_aws",
    "label": "AWS Account Federation",
    "status": "ACTIVE",
    "lastUpdated": "2021-08-02T14:51:07.000Z",
    "created": "2021-07-22T11:00:28.000Z",
    "accessibility": {
        "selfService": false,
        "errorRedirectUrl": null,
        "loginRedirectUrl": null
    },
    "visibility": {
        "autoLaunch": false,
        "autoSubmitToolbar": true,
        "hide": {
            "iOS": false,
            "web": false
        },
        "appLinks": {
            "login": true
        }
    },
    "features": [
        "PUSH_NEW_USERS",
        "PUSH_PROFILE_UPDATES"
    ],
    "signOnMode": "SAML_2_0",
    "credentials": {
        "userNameTemplate": {
            "template": "${source.login}",
            "type": "BUILT_IN"
        },
        "signing": {
            "kid": "BNfWuNclhWcvmRpgv2C8MoP1A34vLbDMNQ2odOK97VY"
        }
    },
    "settings": {
        "app": {
            "appFilter": "okta",
            "groupFilter": "aws_(?{{accountid}}\\d+)_(?{{role}}[a-zA-Z0-9+=,.@\\-_]+)",
            "secretKey": null,
            "useGroupMapping": true,
            "joinAllRoles": true,
            "identityProviderArn": "arn:aws:iam::832879212345:saml-provider/okta2",
            "overrideAcsURL": null,
            "sessionDuration": 3600,
            "roleValuePattern": "arn:aws:iam::${accountid}:saml-provider/okta2, arn:aws:iam::${accountid}:role/${role}",
            "awsEnvironmentType": "aws.amazon",
            "accessKey": null,
            "loginURL": "https://console.aws.amazon.com/ec2/home",
            "secretKeyEnc": null
        },
        "notifications": {
            "vpn": {
                "network": {
                    "connection": "DISABLED"
                },
                "message": null,
                "helpUrl": null
            }
        },
        "notes": {
            "admin": null,
            "enduser": null
        },
        "signOn": {
            "defaultRelayState": null,
            "ssoAcsUrlOverride": null,
            "audienceOverride": null,
            "recipientOverride": null,
            "destinationOverride": null,
            "attributeStatements": []
        }
    },
    "_links": {
        "help": {
            "href": "https://sailpointamirmono-admin.okta.com/app/amazon_aws/0oapruvo3xnNEuI12345/setup/help/SAML_2_0/external-doc",
            "type": "text/html"
        },
        "metadata": {
            "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/sso/saml/metadata",
            "type": "application/xml"
        },
        "uploadLogo": {
            "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/logo",
            "hints": {
                "allow": [
                    "POST"
                ]
            }
        },
        "appLinks": [
            {
                "name": "login",
                "href": "https://sailpointamirmono.okta.com/home/amazon_aws/0oapruvo3xnNEuI12345/272",
                "type": "text/html"
            }
        ],
        "groups": {
            "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/groups"
        },
        "logo": [
            {
                "name": "medium",
                "href": "https://ok14static.oktacdn.com/fs/bcg/4/gfs1f2p5y2qNcK02w1d8",
                "type": "image/png"
            }
        ],
        "users": {
            "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/users"
        },
        "deactivate": {
            "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/lifecycle/deactivate"
        }
    }
}

Get the applications users and groups and extract the role names from "profile" > "role".

Build the role ARN from the Account ID and Role Name and get the user and group Okta ID.

Okta Documentation

Groups: Okta Developer

Users: Okta Developer

Request Example

https://{yourOktaDomain}/api/v1/apps/{applicationId}/users

https://{yourOktaDomain}/api/v1/apps/{applicationId}/groups

Response Example

[
    {
        "id": "00gpsbh7o3OJOfoeV695",
        "lastUpdated": "2021-08-22T14:32:44.000Z",
        "priority": 0,
        "profile": {
            "role": "AWSServiceRoleForCloudTrail",
            "samlRoles": [
                "Okta_IDP_Role_2"
            ]
        },
        "_links": {
            "app": {
                "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345"
            },
            "self": {
                "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/groups/00gpsbh7o3OJOfo12345"
            },
            "group": {
                "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gpsbh7o3OJOfo12345"
            }
        }
    },
    {
        "id": "00gymrmrGOkWUyKGf695",
        "lastUpdated": "2021-08-22T14:35:17.000Z",
        "priority": 1,
        "profile": {
            "role": "AWSServiceRoleForCloudTrail",
            "samlRoles": [
                "Okta_IDP_Role"
            ]
        },
        "_links": {
            "app": {
                "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345"
            },
            "self": {
                "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/groups/00gymrmrGOkWUyK12345"
            },
            "group": {
                "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gymrmrGOkWUyK12345"
            }
        }
    }
]

List all the groups and users and get the groups and users names by the ID.

Okta Documentation

Groups: Okta Developer

Users: Okta Developer

Request Example

https://{yourOktaDomain}/api/v1/groups

https://{yourOktaDomain}/api/v1/users

Response Example

[
    {
        "id": "00gymrmrGOkWUyK12345",
        "created": "2021-07-29T10:40:08.000Z",
        "lastUpdated": "2021-07-29T10:40:08.000Z",
        "lastMembershipUpdated": "2021-07-29T10:41:25.000Z",
        "objectClass": [
            "okta:user_group"
        ],
        "type": "OKTA_GROUP",
        "profile": {
            "name": "aws_832879285990_Okta_IDP_Role_2",
            "description": null
        },
        "_links": {
            "logo": [
                {
                    "name": "medium",
                    "href": "https://ok14static.oktacdn.com/assets/img/logos/groups/odyssey/okta-medium.1a5ebe44c4244fb796c235d86b47e3bb.png",
                    "type": "image/png"
                },
                {
                    "name": "large",
                    "href": "https://ok14static.oktacdn.com/assets/img/logos/groups/odyssey/okta-large.d9cfbd8a00a4feac1aa5612ba02e99c0.png",
                    "type": "image/png"
                }
            ],
            "users": {
                "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gymrmrGOkWUyK12345/users"
            },
            "apps": {
                "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gymrmrGOkWUyK12345/apps"
            }
        }
    },
    {
        "id": "00gpsbh7o3OJOfo12345",
        "created": "2021-07-22T09:26:50.000Z",
        "lastUpdated": "2021-07-22T09:26:50.000Z",
        "lastMembershipUpdated": "2021-07-29T10:41:25.000Z",
        "objectClass": [
            "okta:user_group"
        ],
        "type": "BUILT_IN",
        "profile": {
            "name": "Everyone",
            "description": "All users in your organization"
        },
        "_links": {
            "logo": [
                {
                    "name": "medium",
                    "href": "https://ok14static.oktacdn.com/assets/img/logos/groups/odyssey/okta-medium.1a5ebe44c4244fb796c235d86b47e3bb.png",
                    "type": "image/png"
                },
                {
                    "name": "large",
                    "href": "https://ok14static.oktacdn.com/assets/img/logos/groups/odyssey/okta-large.d9cfbd8a00a4feac1aa5612ba02e99c0.png",
                    "type": "image/png"
                }
            ],
            "users": {
                "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gpsbh7o3OJOfo12345/users"
            },
            "apps": {
                "href": "https://sailpointamirmono.okta.com/api/v1/groups/00gpsbh7o3OJOfo12345/apps"
            }
        }
    }
]

ADFS

In ADFS, the Active Directory identities-AWS identities mapping is done on one of the Active Directory identity attributes.

For more information, see Establish Federated Access to AWS Resources by Using AD User Attributes. See - A. Configure an AD user’s account.

Filter all the users and groups with the specific attribute and export it to a csv or Excel file.

PS Example

Get-ADUser -Filter 'url -like "*AWS*"' -properties "url" | Export-Csv c:\file.csv

Response Example

#TYPE Microsoft.ActiveDirectory.Management.ADUser,,,,,,,,,,
DistinguishedName,Enabled,GivenName,Name,ObjectClass,ObjectGUID,SamAccountName,SID,Surname,url,UserPrincipalName
"CN=Adiel,CN=Users,DC=office,DC=whitebox,DC=forest",TRUE,Adiel,Adiel,user,e3fe35c1-0daf-4379-a379-73364ec12345,Adiel,S-1-5-21-3335839157-1594281566-240188981-12345,Moshed,Microsoft.ActiveDirectory.Management.ADPropertyValueCollection,Adiel@office.whitebox.forest

Note

Remember that the response will be exported to a csv or Excel file.

Azure AD

In Azure AD, it is possible to get the AD identities-AWS identities mapping by using Microsoft Graph.

Get all the AWS account’s roles by the AWS Single-Account Access Object ID (one account per request).

Acquire the roles ARNs.

Request Example

https://graph.microsoft.com/beta/servicePrincipals/{AWS Single-Account Access object id}

Response Example

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals/$entity",
    "@odata.id": "https://graph.microsoft.com/v2/154dccc9-b44e-4883-860c-12345/directoryObjects/726e2abf-b192-462d-a977-12345/Microsoft.DirectoryServices.ServicePrincipal",
    "id": "726e2abf-b192-462d-a977-12345",
    "deletedDateTime": null,
    "accountEnabled": true,
    "alternativeNames": [],
    "createdDateTime": "2021-09-05T11:27:45Z",
    "deviceManagementAppType": null,
    "appDescription": null,
    "appDisplayName": "AWS Single-Account Access",
    "appId": "944b9a2c-51dd-41eb-a018-12345",
    "applicationTemplateId": "8b1025e4-1dd2-430b-a150-12345",
    "appOwnerOrganizationId": "154dccc9-b44e-4883-860c-12345",
    "appRoleAssignmentRequired": true,
    "description": null,
    "disabledByMicrosoftStatus": null,
    "displayName": "AWS Single-Account Access",
    "errorUrl": null,
    "homepage": "https://signin.aws.amazon.com/saml?metadata=aws|ISV9.1|primary|z",
    "isAuthorizationServiceEnabled": false,
    "isManagementRestricted": null,
    "loginUrl": null,
    "logoutUrl": null,
    "notes": null,
    "notificationEmailAddresses": [
        "admin@501.sailpointtechnologies.com"
    ],
    "preferredSingleSignOnMode": "saml",
    "preferredTokenSigningKeyEndDateTime": null,
    "preferredTokenSigningKeyThumbprint": null,
    "publisherName": "SailPoint Technologies, Inc.",
    "replyUrls": [
        "https://signin.aws.amazon.com/saml"
    ],
    "samlMetadataUrl": null,
    "servicePrincipalNames": [
        "944b9a2c-51dd-41eb-a018-12345"
    ],
    "servicePrincipalType": "Application",
    "signInAudience": "AzureADMyOrg",
    "tags": [
        "WindowsAzureActiveDirectoryIntegratedApp"
    ],
    "tokenEncryptionKeyId": null,
    "samlSingleSignOnSettings": null,
    "verifiedPublisher": {
        "displayName": null,
        "verifiedPublisherId": null,
        "addedDateTime": null
    },
    "addIns": [],
    "api": {
        "resourceSpecificApplicationPermissions": []
    },
    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "msiam_access",
            "displayName": "msiam_access",
            "id": "7dfd756e-8c27-4472-b2b7-12345",
            "isEnabled": true,
            "origin": "Application",
            "value": null
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "ChessPlayersRole",
            "displayName": "ChessPlayersRole,Okta1",
            "id": "2d9e11e2-14c9-4f34-bf19-12345",
            "isEnabled": true,
            "origin": "ServicePrincipal",
            "value": "arn:aws:iam::832879212345:role/ChessPlayersRole,arn:aws:iam::832879212345:saml-provider/Okta1"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "DOMAIN_ALIAS_RID_ADMIN-AWS",
            "displayName": "DOMAIN_ALIAS_RID_ADMIN-AWS,Azure_test1",
            "id": "ad3d751a-b615-4bf7-930b-c06a62712345",
            "isEnabled": true,
            "origin": "ServicePrincipal",
            "value": "arn:aws:iam::832879212345:role/DOMAIN_ALIAS_RID_ADMIN-AWS,arn:aws:iam::832879212345:saml-provider/Azure_test1"
        }
    ],
    "info": {
        "termsOfServiceUrl": null,
        "supportUrl": null,
        "privacyStatementUrl": null,
        "marketingUrl": null,
        "logoUrl": null
    },
    "keyCredentials": [],
    "publishedPermissionScopes": [
        {
            "adminConsentDescription": "Allow the application to access AWS Single-Account Access on behalf of the signed-in user.",
            "adminConsentDisplayName": "Access AWS Single-Account Access",
            "id": "419e3996-3684-4265-890a-12345",
            "isEnabled": true,
            "type": "User",
            "userConsentDescription": "Allow the application to access AWS Single-Account Access on your behalf.",
            "userConsentDisplayName": "Access AWS Single-Account Access",
            "value": "user_impersonation"
        }
    ],
    "passwordCredentials": [],
    "resourceSpecificApplicationPermissions": []
}

Get the users and groups which are assigned to the AWS roles.

Acquire the users and groups details.

Request Example

https://graph.microsoft.com/beta/servicePrincipals/{AWS Single-Account Access object id}/appRoleAssignedTo

Response Example

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#appRoleAssignments",
    "value": [
        {
            "@odata.id": "https://graph.microsoft.com/v2/154dccc9-b44e-4883-860c-12345/directoryObjects/$/Microsoft.DirectoryServices.ServicePrincipal('726e2abf-b192-462d-a977-12345')/appRoleAssignedTo/v9raS1IPQkuV98HJH2Uqhsg4ilzG80ZOi0OMy-8m5iw",
            "id": "v9raS1IPQkuV98HJH2Uqhsg4ilzG80ZOi0OMy-8m5iw",
            "creationTimestamp": "2021-09-09T11:45:26.3084935Z",
            "appRoleId": "d3a9b01b-1736-4f1b-ac5f-12345",
            "principalDisplayName": "anatoly_azure_gr1",
            "principalId": "4bdadabf-0f52-4b42-95f7-12345",
            "principalType": "Group",
            "resourceDisplayName": "AWS Single-Account Access",
            "resourceId": "726e2abf-b192-462d-a977-12345"
        },
        {
            "@odata.id": "https://graph.microsoft.com/v2/154dccc9-b44e-4883-860c-12345/directoryObjects/$/Microsoft.DirectoryServices.ServicePrincipal('726e2abf-b192-462d-a977-12345')/appRoleAssignedTo/CF0PHVm9hka00WBTgEPxaoZKebW4inxCsBpqIGxRwFI",
            "id": "CF0PHVm9hka00WBTgEPxaoZKebW4inxCsBpqIGxRwFI",
            "creationTimestamp": "2021-09-09T11:45:26.3302622Z",
            "appRoleId": "d3a9b01b-1736-4f1b-ac5f-12345",
            "principalDisplayName": "anatoly_azure_group3",
            "principalId": "1d0f5d08-bd59-4686-b4d1-12345",
            "principalType": "Group",
            "resourceDisplayName": "AWS Single-Account Access",
            "resourceId": "726e2abf-b192-462d-a977-12345"
        },
        {
            "@odata.id": "https://graph.microsoft.com/v2/154dccc9-b44e-4883-860c-12345/directoryObjects/$/Microsoft.DirectoryServices.ServicePrincipal('726e2abf-b192-462d-a977-12345')/appRoleAssignedTo/INRoSKbmpUaZrnYaVRU3XMRgM8C1kZ9GjHjSB9vW1e4",
            "id": "INRoSKbmpUaZrnYaVRU3XMRgM8C1kZ9GjHjSB9vW1e4",
            "creationTimestamp": "2021-09-09T11:32:47.4228653Z",
            "appRoleId": "277f83e1-4903-4b06-baf7-12345",
            "principalDisplayName": "Adiel",
            "principalId": "4868d420-e6a6-46a5-99ae-12345",
            "principalType": "User",
            "resourceDisplayName": "AWS Single-Account Access",
            "resourceId": "726e2abf-b192-462d-a977-12345"
        }
    ]
}