Mapping Extractions from IDPs
This section provides the steps to extract mappings from the following IDPs:
- Okta
- ADFS
- Azure AD
- Ping
Okta
In Okta, use the Okta API (see the Okta API Reference Overview on Okta Developer) to get the Active Directory identities to AWS identities mappings.
- Get the AWS application and extract the Account ID from the identityProviderArn property.
Request Example
https://{yourOktaDomain}/api/v1/apps/{applicationId}
Response Example
{
  "id": "0oapruvo3xnNEuI12345",
  "name": "amazon_aws",
  "label": "AWS Account Federation",
  "status": "ACTIVE",
  "lastUpdated": "2021-08-02T14:51:07.000Z",
  "created": "2021-07-22T11:00:28.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null,
    "loginRedirectUrl": null
  },
  "visibility": {
    "autoLaunch": false,
    "autoSubmitToolbar": true,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [
    "PUSH_NEW_USERS",
    "PUSH_PROFILE_UPDATES"
  ],
  "signOnMode": "SAML_2_0",
  "credentials": {
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    },
    "signing": {
      "kid": "BNfWuNclhWcvmRpgv2C8MoP1A34vLbDMNQ2odOK97VY"
    }
  },
  "settings": {
    "app": {
      "appFilter": "okta",
      "groupFilter": "aws_(?{{accountid}}\\d+)_(?{{role}}[a-zA-Z0-9+=,.@\\-_]+)",
      "secretKey": null,
      "useGroupMapping": true,
      "joinAllRoles": true,
      "identityProviderArn": "arn:aws:iam::832879212345:saml-provider/okta2",
      "overrideAcsURL": null,
      "sessionDuration": 3600,
      "roleValuePattern": "arn:aws:iam::${accountid}:saml-provider/okta2, arn:aws:iam::${accountid}:role/${role}",
      "awsEnvironmentType": "aws.amazon",
      "accessKey": null,
      "loginURL": "https://console.aws.amazon.com/ec2/home",
      "secretKeyEnc": null
    },
    "notifications": {
      "vpn": {
        "network": {
          "connection": "DISABLED"
        },
        "message": null,
        "helpUrl": null
      }
    },
    "notes": {
      "admin": null,
      "enduser": null
    },
    "signOn": {
      "defaultRelayState": null,
      "ssoAcsUrlOverride": null,
      "audienceOverride": null,
      "recipientOverride": null,
      "destinationOverride": null,
      "attributeStatements": []
    }
  },
  "_links": {
    "help": {
      "href": "https://sailpointamirmono-admin.okta.com/app/amazon_aws/0oapruvo3xnNEuI12345/setup/help/SAML_2_0/external-doc",
      "type": "text/html"
    },
    "metadata": {
      "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/sso/saml/metadata",
      "type": "application/xml"
    },
    "uploadLogo": {
      "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/logo",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    },
    "appLinks": [
      {
        "name": "login",
        "href": "https://sailpointamirmono.okta.com/home/amazon_aws/0oapruvo3xnNEuI12345/272",
        "type": "text/html"
      }
    ],
    "groups": {
      "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/groups"
    },
    "logo": [
      {
        "name": "medium",
        "href": "https://ok14static.oktacdn.com/fs/bcg/4/gfs1f2p5y2qNcK02w1d8",
        "type": "image/png"
      }
    ],
    "users": {
      "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/users"
    },
    "deactivate": {
      "href": "https://sailpointamirmono.okta.com/api/v1/apps/0oapruvo3xnNEuI12345/lifecycle/deactivate"
    }
  }
}
- Get the application's users and groups and extract the role names from "profile" > "role".
- Build the role ARN from the Account ID and Role Name, and get the user and group Okta IDs.
Request Example
https://{yourOktaDomain}/api/v1/apps/{applicationId}/users
https://{yourOktaDomain}/api/v1/apps/{applicationId}/groups
Response Example
- List all the groups and users, and get the group and user names by their IDs.
Request Example
https://{yourOktaDomain}/api/v1/groups
https://{yourOktaDomain}/api/v1/users
Response Example
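The following added example (not code from the original page or from Okta) carries the Okta steps above through in Python: it takes the Account ID from identityProviderArn, reads the role name from profile.role on the application's users and groups, builds the role ARN, and resolves the Okta IDs to names. The response bodies are constructed excerpts, the Okta IDs and logins are made up, and the field names follow the page; the SSWS header in fetch_json is Okta's API-token scheme and is only used when you swap the constructed data for live calls.

```python
import json
import re
import urllib.request

# Constructed excerpt of GET /api/v1/apps/{applicationId}; only fields read below are kept.
APP_JSON = """{
  "id": "0oapruvo3xnNEuI12345",
  "name": "amazon_aws",
  "settings": {"app": {
    "identityProviderArn": "arn:aws:iam::832879212345:saml-provider/okta2",
    "roleValuePattern": "arn:aws:iam::${accountid}:saml-provider/okta2, arn:aws:iam::${accountid}:role/${role}"
  }}
}"""

# Constructed samples of GET /api/v1/apps/{applicationId}/users and /groups.
# The page places the AWS role name in profile.role; the IDs are made up.
APP_USERS_JSON = """[
  {"id": "00u1abc", "profile": {"role": "ReadOnly"}},
  {"id": "00u2def", "profile": {"role": "Admin"}},
  {"id": "00u3ghi", "profile": {}}
]"""
APP_GROUPS_JSON = """[
  {"id": "00g1xyz", "profile": {"role": "Admin"}}
]"""

# Constructed excerpts of GET /api/v1/users and /api/v1/groups, used to turn IDs into names.
USERS_JSON = """[
  {"id": "00u1abc", "profile": {"login": "alice@example.com"}},
  {"id": "00u2def", "profile": {"login": "bob@example.com"}},
  {"id": "00u3ghi", "profile": {"login": "carol@example.com"}}
]"""
GROUPS_JSON = """[
  {"id": "00g1xyz", "profile": {"name": "aws_832879212345_Admin"}}
]"""

# A SAML provider ARN has the form arn:aws:iam::<12-digit account>:saml-provider/<name>.
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/")


def account_id_from_app(app: dict) -> str:
    """Step 1: extract the Account ID from settings.app.identityProviderArn."""
    arn = app["settings"]["app"]["identityProviderArn"]
    match = ARN_ACCOUNT_RE.match(arn)
    if not match:
        raise ValueError(f"unexpected identityProviderArn: {arn}")
    return match.group(1)


def role_arn(account_id: str, role_name: str) -> str:
    """Step 3: build the role ARN from the Account ID and the role name."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def assignments(app, app_users, app_groups, users, groups) -> list:
    """Steps 2 to 4: join app users/groups (profile.role) with directory names.
    Returns (kind, okta_id, name, role_arn) tuples; entries without a role are skipped."""
    account_id = account_id_from_app(app)
    user_names = {u["id"]: u["profile"]["login"] for u in users}
    group_names = {g["id"]: g["profile"]["name"] for g in groups}
    rows = []
    for kind, entries, names in (("user", app_users, user_names),
                                 ("group", app_groups, group_names)):
        for entry in entries:
            role = entry.get("profile", {}).get("role")
            if not role:
                continue  # assigned to the app but carries no AWS role
            rows.append((kind, entry["id"], names.get(entry["id"], "<unknown>"),
                         role_arn(account_id, role)))
    return rows


def fetch_json(url: str, api_token: str):
    """Live-use helper: Okta API tokens are sent as 'Authorization: SSWS <token>'.
    Not called in the offline demo below."""
    req = urllib.request.Request(url, headers={"Authorization": f"SSWS {api_token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


APP = json.loads(APP_JSON)


def demo() -> list:
    """Run the mapping over the constructed responses."""
    return assignments(APP, json.loads(APP_USERS_JSON), json.loads(APP_GROUPS_JSON),
                       json.loads(USERS_JSON), json.loads(GROUPS_JSON))


if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

For a live run, replace the constructed strings with fetch_json calls against the four endpoints listed above; the Okta list endpoints page their results, so follow the Link headers until the last page before joining.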
ADFS
In ADFS, the Active Directory identities to AWS identities mapping is stored in one of the Active Directory identity attributes.
For more information, see Establish Federated Access to AWS Resources by Using AD User Attributes, section A, Configure an AD user's account.
Filter all the users and groups that carry the specific attribute and export them to a CSV or Excel file.
PS Example
Get-ADUser -Filter 'url -like "*AWS*"' -properties "url" | Export-Csv c:\file.csv
Response Example
Note
The response is written to the CSV or Excel file rather than returned on the console.
Azure AD
In Azure AD, the AD identities to AWS identities mapping can be read with Microsoft Graph.
- Get all the AWS account's roles by the AWS Single-Account Access Object ID (one account per request).
- Acquire the role ARNs.
Request Example
https://graph.microsoft.com/beta/servicePrincipals/{AWS Single-Account Access object id}
Response Example
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals/$entity",
  "@odata.id": "https://graph.microsoft.com/v2/154dccc9-b44e-4883-860c-12345/directoryObjects/726e2abf-b192-462d-a977-12345/Microsoft.DirectoryServices.ServicePrincipal",
  "id": "726e2abf-b192-462d-a977-12345",
  "deletedDateTime": null,
  "accountEnabled": true,
  "alternativeNames": [],
  "createdDateTime": "2021-09-05T11:27:45Z",
  "deviceManagementAppType": null,
  "appDescription": null,
  "appDisplayName": "AWS Single-Account Access",
  "appId": "944b9a2c-51dd-41eb-a018-12345",
  "applicationTemplateId": "8b1025e4-1dd2-430b-a150-12345",
  "appOwnerOrganizationId": "154dccc9-b44e-4883-860c-12345",
  "appRoleAssignmentRequired": true,
  "description": null,
  "disabledByMicrosoftStatus": null,
  "displayName": "AWS Single-Account Access",
  "errorUrl": null,
  "homepage": "https://signin.aws.amazon.com/saml?metadata=aws|ISV9.1|primary|z",
  "isAuthorizationServiceEnabled": false,
  "isManagementRestricted": null,
  "loginUrl": null,
  "logoutUrl": null,
  "notes": null,
  "notificationEmailAddresses": [
    "admin@501.sailpointtechnologies.com"
  ],
  "preferredSingleSignOnMode": "saml",
  "preferredTokenSigningKeyEndDateTime": null,
  "preferredTokenSigningKeyThumbprint": null,
  "publisherName": "SailPoint Technologies, Inc.",
  "replyUrls": [
    "https://signin.aws.amazon.com/saml"
  ],
  "samlMetadataUrl": null,
  "servicePrincipalNames": [
    "944b9a2c-51dd-41eb-a018-12345"
  ],
  "servicePrincipalType": "Application",
  "signInAudience": "AzureADMyOrg",
  "tags": [
    "WindowsAzureActiveDirectoryIntegratedApp"
  ],
  "tokenEncryptionKeyId": null,
  "samlSingleSignOnSettings": null,
  "verifiedPublisher": {
    "displayName": null,
    "verifiedPublisherId": null,
    "addedDateTime": null
  },
  "addIns": [],
  "api": {
    "resourceSpecificApplicationPermissions": []
  },
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "msiam_access",
      "displayName": "msiam_access",
      "id": "7dfd756e-8c27-4472-b2b7-12345",
      "isEnabled": true,
      "origin": "Application",
      "value": null
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "ChessPlayersRole",
      "displayName": "ChessPlayersRole,Okta1",
      "id": "2d9e11e2-14c9-4f34-bf19-12345",
      "isEnabled": true,
      "origin": "ServicePrincipal",
      "value": "arn:aws:iam::832879212345:role/ChessPlayersRole,arn:aws:iam::832879212345:saml-provider/Okta1"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "DOMAIN_ALIAS_RID_ADMIN-AWS",
      "displayName": "DOMAIN_ALIAS_RID_ADMIN-AWS,Azure_test1",
      "id": "ad3d751a-b615-4bf7-930b-c06a62712345",
      "isEnabled": true,
      "origin": "ServicePrincipal",
      "value": "arn:aws:iam::832879212345:role/DOMAIN_ALIAS_RID_ADMIN-AWS,arn:aws:iam::832879212345:saml-provider/Azure_test1"
    }
  ],
  "info": {
    "termsOfServiceUrl": null,
    "supportUrl": null,
    "privacyStatementUrl": null,
    "marketingUrl": null,
    "logoUrl": null
  },
  "keyCredentials": [],
  "publishedPermissionScopes": [
    {
      "adminConsentDescription": "Allow the application to access AWS Single-Account Access on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access AWS Single-Account Access",
      "id": "419e3996-3684-4265-890a-12345",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to access AWS Single-Account Access on your behalf.",
      "userConsentDisplayName": "Access AWS Single-Account Access",
      "value": "user_impersonation"
    }
  ],
  "passwordCredentials": [],
  "resourceSpecificApplicationPermissions": []
}
- Get the users and groups that are assigned to the AWS roles.
- Acquire the user and group details.
Request Example
https://graph.microsoft.com/beta/servicePrincipals/{AWS Single-Account Access object id}/appRoleAssignedTo
Response Example
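The following added example (not code from the original page or from Microsoft) joins the two Azure AD requests above in Python. Each appRole value on the service principal is the pair "role ARN,SAML provider ARN" seen in the response above; the default msiam_access role has no value and grants no AWS role, so it is dropped. The appRoleAssignedTo body is constructed: its field names (appRoleId, principalId, principalDisplayName, principalType) are those of the Graph appRoleAssignment resource, while the principal IDs and names are made up; the appRole IDs and ARNs are the ones from the page.

```python
import json

# Constructed excerpt of GET /beta/servicePrincipals/{object id}: only appRoles is read.
SERVICE_PRINCIPAL_JSON = """{
  "id": "726e2abf-b192-462d-a977-12345",
  "displayName": "AWS Single-Account Access",
  "appRoles": [
    {"id": "7dfd756e-8c27-4472-b2b7-12345", "displayName": "msiam_access",
     "isEnabled": true, "value": null},
    {"id": "2d9e11e2-14c9-4f34-bf19-12345", "displayName": "ChessPlayersRole,Okta1",
     "isEnabled": true,
     "value": "arn:aws:iam::832879212345:role/ChessPlayersRole,arn:aws:iam::832879212345:saml-provider/Okta1"},
    {"id": "ad3d751a-b615-4bf7-930b-c06a62712345", "displayName": "DOMAIN_ALIAS_RID_ADMIN-AWS,Azure_test1",
     "isEnabled": true,
     "value": "arn:aws:iam::832879212345:role/DOMAIN_ALIAS_RID_ADMIN-AWS,arn:aws:iam::832879212345:saml-provider/Azure_test1"}
  ]
}"""

# Constructed sample of GET .../servicePrincipals/{object id}/appRoleAssignedTo.
# Principal IDs and display names are made up; the appRoleId values match the roles above.
ASSIGNED_TO_JSON = """{
  "value": [
    {"appRoleId": "2d9e11e2-14c9-4f34-bf19-12345", "principalId": "aaaa-0001",
     "principalDisplayName": "Alice Example", "principalType": "User"},
    {"appRoleId": "ad3d751a-b615-4bf7-930b-c06a62712345", "principalId": "gggg-0001",
     "principalDisplayName": "AWS Admins", "principalType": "Group"},
    {"appRoleId": "7dfd756e-8c27-4472-b2b7-12345", "principalId": "aaaa-0002",
     "principalDisplayName": "Bob Example", "principalType": "User"}
  ]
}"""


def role_arns(service_principal: dict) -> dict:
    """Step 1: map appRole id -> (role ARN, SAML provider ARN).
    Roles with no value (msiam_access) or disabled roles carry no AWS mapping."""
    table = {}
    for role in service_principal["appRoles"]:
        value = role.get("value")
        if not value or not role.get("isEnabled", True):
            continue
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2 or not parts[0].startswith("arn:aws:iam::") or ":role/" not in parts[0]:
            raise ValueError(f"unexpected appRole value: {value}")
        table[role["id"]] = (parts[0], parts[1])
    return table


def assignments(service_principal: dict, assigned_to: dict) -> list:
    """Step 2: join appRoleAssignedTo entries with the role table.
    Returns (principalType, principalId, principalDisplayName, role ARN) tuples."""
    roles = role_arns(service_principal)
    rows = []
    for item in assigned_to["value"]:
        role = roles.get(item["appRoleId"])
        if role is None:
            continue  # msiam_access or an unknown role: nothing to map
        rows.append((item["principalType"], item["principalId"],
                     item["principalDisplayName"], role[0]))
    return rows


SERVICE_PRINCIPAL = json.loads(SERVICE_PRINCIPAL_JSON)
ASSIGNED_TO = json.loads(ASSIGNED_TO_JSON)


def demo() -> list:
    """Run the join over the constructed responses."""
    return assignments(SERVICE_PRINCIPAL, ASSIGNED_TO)


if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

Graph returns appRoleAssignedTo in pages; when the body carries an "@odata.nextLink", request that URL and append its "value" array before calling assignments, otherwise large assignments lists are silently truncated.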