This is a pre-production deployment of Warehouse, however changes made here WILL affect the production instance of PyPI.
Latest Version Dependencies status unknown Test status unknown Test coverage unknown
Project Description
==============
AWS SAML Login
==============

.. image:: https://travis-ci.org/zalando/aws-saml-login.svg?branch=master
:target: https://travis-ci.org/zalando/aws-saml-login
:alt: Build Status

.. image:: https://coveralls.io/repos/zalando/aws-saml-login/badge.svg
:target: https://coveralls.io/r/zalando/aws-saml-login
:alt: Code Coverage

.. image:: https://img.shields.io/pypi/dw/aws-saml-login.svg
:target: https://pypi.python.org/pypi/aws-saml-login/
:alt: PyPI Downloads

.. image:: https://img.shields.io/pypi/v/aws-saml-login.svg
:target: https://pypi.python.org/pypi/aws-saml-login/
:alt: Latest PyPI version

.. image:: https://img.shields.io/pypi/l/aws-saml-login.svg
:target: https://pypi.python.org/pypi/aws-saml-login/
:alt: License

This Python package provides some helper functions to allow programmatic retrieval of temporary AWS credentials from STS_ (Security Token Service) when using federated login with `Shibboleth Identity Provider`_. Currently it supports only Shibboleth IDP.

The implementation relies on HTML parsing of the Shibboleth redirect page (HTML form) and the AWS role selection page.

This package requires Python 3.4.

Installation
============

.. code-block:: bash

$ sudo pip3 install --upgrade aws-saml-login

Usage
=====

.. code-block:: python

from aws_saml_login import authenticate, assume_role, write_aws_credentials, get_boto3_session

# authenticate against identity provider
saml_xml, roles = authenticate('https://shibboleth-idp.example.org', user, password)

print(roles)

# just use the first role here, we might display a user dialog to choose one
first_role = roles[0]

provider_arn, role_arn, account_name = first_role

# get temporary AWS credentials
key_id, secret, session_token = assume_role(saml_xml, provider_arn, role_arn)

# write to ~/.aws/credentials
write_aws_credentials('default', key_id, secret, session_token)

# get boto3 session
session = get_boto3_session(key_id, secret, session_token)
ec2 = session.resource('ec2', 'eu-west-1')
iam = session.client('iam')

# get boto3 session with default region eu-central-1
session = get_boto3_session(key_id, secret, session_token, 'eu-central-1')
ec2 = session.resource('ec2')

# get session for the first 5 roles
sessions = {}
for role in roles[:5]:
provider_arn, role_arn, account_name = role
key_id, secret, session_token, expiration = assume_role(saml_xml, provider_arn, role_arn)
sessions['{} {}'.format(account_name,role_arn.split(':')[-1])] = get_boto3_session(key_id, secret, session_token)

for key in sessions.keys():
print('Key: {} / AccountAlias: {}'
.format(key,
sessions[key].client('iam').list_account_aliases()['AccountAliases']))
# AWS SDK (e.g. boto) can be used to call AWS endpoints

.. _STS: http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html
.. _Shibboleth IDP: http://shibboleth.net/products/identity-provider.html


shibboleth configuration
========================

.. code-block:: xml

<rp:relyingpartygroup ...="">
...




<metadata:metadataprovider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
...
<metadata:metadataprovider id="amazon-webservices" xsi:type="metadata:FileBackedHTTPMetadataProvider" <br=""> metadataURL="https://signin.aws.amazon.com/static/saml-metadata.xml"
backingFile="shibboleth-idp/metadata/amazon-webservices.xml">
</metadata:metadataprovider>
...
</metadata:metadataprovider>
...
<rp:relyingparty id="urn:amazon:webservices" <br=""> provider="https://myidp.example.org/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<rp:profileconfiguration xsi:type="saml:SAML2SSOProfile" includeattributestatement="true" <br=""> assertionLifetime="PT5M" assertionProxyCount="0"
signResponses="never" signAssertions="always"
encryptAssertions="never" encryptNameIds="never"/>
</rp:relyingparty>
...
</rp:relyingpartygroup>

<resolver:attributeresolver ...="">
...



<resolver:attributedefinition id="awsRoles" xsi:type="ad:Mapped" sourceattributeid="memberof">
<resolver:dependency ref="corpLDAP"/>
<resolver:attributeencoder<br> xsi:type="enc:SAML2String"
name="https://aws.amazon.com/SAML/Attributes/Role"
friendlyName="Role" />
<ad:valuemap>
<ad:returnvalue>arn:aws:iam::$2:saml-provider/Shibboleth,arn:aws:iam::$2:role/Shibboleth-$1</ad:returnvalue>
<ad:sourcevalue ignorecase="true">cn=([^,]*),ou=Roles,ou=[^,]*?([0-9]+),ou=AWS.*</ad:sourcevalue>
</ad:valuemap>
</resolver:attributedefinition>

<resolver:attributedefinition id="awsRoleSessionName" xsi:type="ad:Simple" sourceattributeid="uid">
<resolver:dependency ref="corpLDAP"/>
<resolver:attributeencoder<br> xsi:type="enc:SAML2String"
name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
friendlyName="RoleSessionName" />
</resolver:attributedefinition>
...
</resolver:attributeresolver>

<afp:attributefilterpolicygroup ...="">
...
<afp:attributefilterpolicy id="afP_aws">
<afp:policyrequirementrule xsi:type="basic:AttributeRequesterString" value="urn:amazon:webservices"/>
<afp:attributerule attributeid="transientId">
<afp:permitvaluerule xsi:type="basic:ANY"/>
</afp:attributerule>
<afp:attributerule attributeid="awsRoles">
<afp:permitvaluerule xsi:type="basic:ANY"/>
</afp:attributerule>
<afp:attributerule attributeid="awsRoleSessionName">
<afp:permitvaluerule xsi:type="basic:ANY"/>
</afp:attributerule>
</afp:attributefilterpolicy>
...
</afp:attributefilterpolicygroup>

To login, you must open the right providerId with the Unsolicited/SSO URL:
https://myidp.example.org/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices


License
=======

Copyright © 2015 Zalando SE

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Release History

Release History

1.0.11

This version

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

1.0.7

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.11

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.9

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.8

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.7

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.6

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.5

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.4

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.3

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.2

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

0.1

History Node

TODO: Figure out how to actually get changelog content.

Changelog content for this version goes here.

Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Show More

Download Files

Download Files

TODO: Brief introduction on what you do with files - including link to relevant help section.

File Name & Checksum SHA256 Checksum Help Version File Type Upload Date
aws_saml_login-1.0.11-py3-none-any.whl (10.4 kB) Copy SHA256 Checksum SHA256 3.5 Wheel Nov 10, 2016
aws-saml-login-1.0.11.tar.gz (8.2 kB) Copy SHA256 Checksum SHA256 Source Nov 10, 2016

Supported By

WebFaction WebFaction Technical Writing Elastic Elastic Search Pingdom Pingdom Monitoring Dyn Dyn DNS HPE HPE Development Sentry Sentry Error Logging CloudAMQP CloudAMQP RabbitMQ Heroku Heroku PaaS Kabu Creative Kabu Creative UX & Design Fastly Fastly CDN DigiCert DigiCert EV Certificate Rackspace Rackspace Cloud Servers DreamHost DreamHost Log Hosting