I'm working on a website deployed to AWS using S3 as storage and CloudFront CDN. It's a static website with a single html file using JS to display the content based on the querystring. The owner is an enterprise that already has established SSO within their organization, they use IBM Tivoli as the IdP. The part I'm missing is how does the request for authorization get generated?
I've read through these:
- http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html
- http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
- http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html
- http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
- http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
Many of these are close but just off the mark. It's not an EC2 instance, it's not Elastic Beanstalk, I'm not trying to access the AWS console, and they don't use AD for SSO. It's just a website.
So far I have:
My question is how the two sides get connected. Is it automatically done by AWS when anyone attempts to access the site? Does the enterprise create a special link in their portal to start the site with the SAML? What happens if the user just types in the domain name in the browser? Does code need to be added to the website?
TIA, Mike
Circling back to close out this question. I found that AWS doesn't have a way to add an SSO layer to your CloudFront hosted website. That needs to be implemented within the website's code.
I wound up using the npm module 'express-saml' to handle the SAML exchange and a really simple DynamoDB table for storing the login on the SP side. The aws-sdk is used for DynamoDB.
Mike