I got SAML2 working to AWS IAM with Auth0 as my IDP, with a single role. Now, I am trying to implement rules to assign different AWS roles based on user app metadata. I have it working but I am wondering if this is the most efficient route. Thoughts?
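/**
 * Auth0 rule: turn the user's app_metadata.aws_role into the two SAML
 * attributes AWS needs to assume a role (Role and RoleSessionName).
 *
 * The rule contract is (user, context, callback); a named function is
 * accepted by Auth0 and is easier to find in logs and stack traces than the
 * anonymous form.
 *
 * @param {object} user - Auth0 user profile. app_metadata.aws_role selects the
 *   AWS role; user.awsRole / user.awsRoleSession are written here and read by
 *   the SAML mappings below.
 * @param {object} context - Auth0 rule context. context.samlConfiguration.mappings
 *   is replaced with the AWS attribute mappings.
 * @param {function} callback - rule continuation, called as
 *   callback(null, user, context) on success.
 */
function awsRoleRule(user, context, callback) {
  // Guard BEFORE the first read: the original logged user.app_metadata.aws_role
  // ahead of this line, which throws a TypeError for any user that has never
  // had app_metadata set and therefore fails login for exactly those users.
  user.app_metadata = user.app_metadata || {};

  // Written once so every role line shares the same provider ARN.
  const samlProviderArn = 'arn:aws:iam::111:saml-provider/Auth0_SAML_Provider';

  // Lookup table instead of an if-chain: adding a role is one entry, and a
  // Map (rather than a plain object) means an attacker-influenced aws_role such
  // as 'constructor' or '__proto__' can never match an inherited property.
  // NOTE(review): the original FullAdmin role ARN read 'arn:aws:iam:::role/...'
  // with an empty account id, which AWS cannot resolve; the account id below is
  // taken from the sibling ARNs on this page — confirm it is the right account.
  const roleArns = new Map([
    ['AWS-FullAdmin', 'arn:aws:iam::111:role/Auth0-FullAdmin'],
    ['AWS-ReadOnlyAccounts', 'arn:aws:iam::111:role/Auth0-ReadOnlyAccounts'],
  ]);

  const roleKey = user.app_metadata.aws_role;
  if (typeof roleKey === 'string' && roleArns.has(roleKey)) {
    // AWS expects the Role attribute as "<role ARN>,<saml-provider ARN>".
    user.awsRole = roleArns.get(roleKey) + ',' + samlProviderArn;
  }
  // Users with no recognised aws_role fall through with no Role attribute, as
  // in the original; AWS will then reject the assertion. To fail closed on the
  // Auth0 side instead, return callback(new UnauthorizedError(...)) here.

  // Single log line, after resolution, so it can never run before the guard.
  console.log('aws_role ' + roleKey + ' -> awsRole ' + user.awsRole);

  // NOTE(review): AWS restricts RoleSessionName to a limited character set and
  // length; a display name containing spaces may be rejected — verify, or map
  // user.email / user.user_id instead.
  user.awsRoleSession = user.name;

  // Attribute URIs are fixed by AWS; the values name the user properties set above.
  context.samlConfiguration.mappings = {
    'https://aws.amazon.com/SAML/Attributes/Role': 'awsRole',
    'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'awsRoleSession',
  };

  callback(null, user, context);
}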
I’m just trying something simple: if the user’s app metadata has an aws_role value of AWS-FullAdmin, pass the Admin-specific AWS attribute; if aws_role is ReadOnly, pass the read-only attribute.