
Prevent untrusted OIDC Provider for SAML API #25

Open
agnel123 opened this issue Dec 13, 2024 · 5 comments

Comments

@agnel123

This code will prevent issuing sts tokens with AssumeRoleWithSAML if the request context does not contain SAML:aud with trusted identity providers.

```json
{
    "Sid": "EnforceTrustedOIDCProvidersSAML",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "sts:AssumeRoleWithSAML",
    "Resource": "*",
    "Condition": {
        "StringNotEqualsIfExists": {
            "SAML:aud": "https://signin.aws.amazon.com/saml",
            "<SAML1:aud>": "audience name1",
            "<SAML2:aud>": "audience name2"
        }
    }
}
```
@liwadman
Contributor

Thank you for opening an issue. Could you expand upon what you mean a bit more?

@agnel123
Author

When an identity center is configured to issue tokens, it will be used as a mechanism to log in to different AWS accounts in a specific organization. Identity Center will use the sts:AssumeRoleWithSAML API to issue tokens with the destination role in another AWS account, which contains "SAML:aud": "https://signin.aws.amazon.com/saml" in the request context. Now, we want to prevent all other requests that try to assume the role and issue the tokens for the destination to log in. It will prevent all sts:AssumeRoleWithSAML API actions if the request context does not contain "SAML:aud": "https://signin.aws.amazon.com/saml". We need to include only the trusted SAML:aud values which we trust in the organization.

@liwadman
Contributor

liwadman commented Dec 13, 2024

The saml:aud condition key is populated from the 'recipient' value in the subjectconfirmationdata element of a SAML assertion. This is in the IAM SAML documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html

Which is to say that anyone in control of a SAML IdP can populate that value, and it cannot be trusted to identify AWS, or any other party. The intended usage of that field is for a SAML SP to be able to tell if it is the intended recipient of a SAML assertion.
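As an added illustration (not code from this issue, from AWS, or from the repository), the following Python pulls the `Recipient` attribute of `SubjectConfirmationData` out of a constructed assertion fragment, which is the element the `saml:aud` key is populated from, and then evaluates the Deny statement proposed above against it. The trusted audience list, the assertion text and the helper names are assumptions made for the example.

```python
# Added example: where saml:aud comes from, and how the issue's Deny statement
# (StringNotEqualsIfExists on saml:aud) evaluates against it. Nothing here is
# an AWS API; it is a local model of the documented behaviour.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion fragment. A real assertion is signed by the
# IdP, and the IdP chooses the Recipient value when it builds the assertion.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{recipient}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Assumed trusted audience list, modelled on the value in the issue.
TRUSTED_AUDS = ["https://signin.aws.amazon.com/saml"]


def saml_aud_from_assertion(xml_text: str):
    """Return the value IAM exposes as saml:aud (SubjectConfirmationData
    Recipient), or None if the attribute is absent."""
    root = ET.fromstring(xml_text)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    return None if scd is None else scd.get("Recipient")


def deny_applies(request_context: dict, trusted_auds) -> bool:
    """Model a Deny statement with StringNotEqualsIfExists on saml:aud.
    Per the IAM docs, an ...IfExists operator evaluates the condition as
    true when the key is absent, so the Deny then matches."""
    aud = request_context.get("saml:aud")
    if aud is None:
        return True
    return aud not in set(trusted_auds)


def evaluate_recipient(recipient_value: str) -> bool:
    """True if the Deny would match an assertion carrying this Recipient.
    The result depends only on the Recipient string, not on which IdP
    signed the assertion: the condition does not identify the issuer."""
    ctx = {"saml:aud": saml_aud_from_assertion(ASSERTION.format(recipient=recipient_value))}
    return deny_applies(ctx, TRUSTED_AUDS)
```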

@agnel123
Author

I see. What do you recommend to protect the sts:AssumeRoleWithSAML API action, similar to sts:AssumeRoleWithWebIdentity?

@liwadman
Contributor

I think it depends on the outcome you're trying to achieve. Can you provide more information on the problem you're trying to solve?

If this is security sensitive, you may also ask your account to setup a meeting and we can discuss further under NDA.

Thanks,

Liam
