fbpx

How exactly to integrate AWS STS Source Identity together with your identity provider

You can use third-party identity providers (IdPs) such as Okta, Ping, or OneLogin to federate with the AWS Identity and Access Management (IAM) service using SAML 2.0, allowing your workforce to configure services by providing authorization access to the AWS Management Console or Command Line Interface (CLI). When you federate to AWS, you assume a role through the AWS Security Token Service (AWS STS) , which through the AssumeRole API returns a set of temporary security credentials you then use to access AWS resources. The use of temporary credentials can make it challenging for administrators to trace which identity was responsible for actions performed.

To address this, with AWS STS you set a unique attribute called SourceIdentity, which allows you to see which identity is responsible for a given action easily.

This post shall show you how to set up the AWS STS SourceIdentity attribute when using Okta, Ping, or OneLogin as your IdP. Your IdP administrator can configure a corporate directory attribute, such as an email address, to be passed as the SourceIdentity value within the SAML assertion. This value is stored as the SourceIdentity element in AWS CloudTrail, along with the activity performed by the assumed role. This post shall also show you how to set up a sample policy for setting the SourceIdentity when switching roles. Finally, as an administrator reviewing CloudTrail activity, you can use the source identity information to determine who performed which actions. We will walk you through CloudTrail logs from two accounts to demonstrate the continuance of the source identity attribute, showing you how the SourceIdentity will appear in both accounts’ logs.

For more information about the SAML authentication flow in AWS services, see AWS Access and Identity Management Using SAML. For more information about using SourceIdentity, see How to relate IAM role activity to corporate identity.

Configure the SourceIdentity attribute with Okta integration

You shall do this portion of the configuration within the Okta administrative console. This procedure assumes that you have a configured AWS and Okta integration previously. If not, you can configure your integration by following the instructions in the Okta AWS Multi-Account Configuration Guide. You will use the Okta to SAML configure and integration an optional attribute to map as the SourceIdentity.

To set up Okta with SourceIdentity

    1. Log in to the Okta admin console.
    1. Navigate to Applications–AWS.
    1. In the top navigation bar, select the Sign On tab, as shown in Figure 1.

      Figure 1 - Navigate to attributes in SAML settings on the Okta applications page

      Figure 1 – Navigate to attributes in SAML settings on the Okta applications page

    1. Under Sign on methods, select SAML 2.0, and choose the arrow next to Attributes (Optional) to expand, as shown in Figure 2.

      Figure 2 - Add new attribute SourceIdentity and map it to Okta provided attribute of your choice

      Figure 2 – Add new attribute map and SourceIdentity it to Okta provided attribute of your choice

    1. Add the optional attribute definition for SourceIdentity using the following parameters:
        • For Name, enter:
          https://aws.amazon.com/SAML/Attributes/SourceIdentity
        • For Name format, choose URI Reference.
        • For Value, enter user.login.

      Note: The Name format options are the following:
      Unspecified – can be any format defined by the Okta profile and must be interpreted by your application.
      URI Reference – the true name is provided as a Uniform Resource Identifier string.
      Basic – a simple string; the default if no other format is specified.

The examples shown in Figure 1 and Figure 2 show how to map an email address to the SourceIdentity attribute by using an on-premises Active Directory sync. The SourceIdentity can be mapped to other attributes from your Active Directory.

Configure the SourceIdentity attribute with PingOne integration

This portion is done by you of the configuration in the Ping Identity administrative console. This procedure assumes that you have a configured AWS and Ping integration previously. If not, you can set up the PingFederate AWS Connector by following the Ping Identity instructions Configuring an SSO connection to Amazon Web Services.

You’re using the Ping to SAML integration and configuring an optional attribute to map as the source identity.

Configuring PingOne as an IdP involves setting up an identity repository (in this case, the PingOne Directory), creating a user group, and adding users to the individual groups.

To configure PingOne as an IdP for AWS

    1. Navigate to https://admin.pingone.com/ and log in using your administrator credentials.
    1. Choose the My Applications tab, as shown in Figure 3.

      Figure 3. PingOne My Applications tab

      Figure 3. PingOne My Applications tab

    1. On the Amazon Web Services line, choose on the arrow on the right side to show application details to edit and add a new attribute for the source identity.
    1. Choose Continue to Next Step to open the Attribute Mapping section, as shown in Figure 4.

      Figure 4. Attribute mappings

      Figure 4. Attribute mappings

    1. In the Attribute Mapping section line 1, for SAML_SUBJECT, choose Advanced.
    1. On the Advanced Attribute Options page, for Name ID Format to send to SP select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. For IDP Attribute Literal or Name Value, select SAML_SUBJECT, as shown in Figure 4.

      Figure 5. Advanced Attribute Options for SAML_SUBJECT

      Figure 5. Advanced Attribute Options for SAML_SUBJECT

    1. In the Attribute Mapping section line 2 as shown in Figure 4, for the application attribute https://aws.amazon.com/SAML/Attributes/Role, select Advanced.
    1. On the Advanced Attribute Options page, for Name Format, select urn:oasis:names:tc:SAML:2.0:attrname-format:uri, as shown in Figure 6.

      Figure 6. Advanced Attribute Options for https://aws.amazon.com/SAML/Attributes/Role

      Figure 6. Advanced Attribute Options for https://aws.amazon.com/SAML/Attributes/Role

    1. In the Attribute Mapping section line 2 as shown in Figure 4, select As Literal.
    1. For IDP Attribute Name or Literal Value, format the role and provider ARNs (which are not yet created on the AWS side) in the following format. Be sure to replace the placeholders with your own values. Make a note of the role SAML and name provider name, as you will be using these exact names to create an IAM role and an IAM provider on the AWS side.arn:aws:iam:::role/,arn:aws:iam:: :::saml-provider/
    1. In the Attribute Mapping section line 3 as shown in Figure 4, for the application attribute https://aws.amazon.com/SAML/Attributes/RoleSessionName, enter Email (Work).
    1. In the Attribute Mapping section as shown in Figure 4, to create line 5, choose Add a new attribute in the lower left.
    1. In the added &lt newly;strong>Attribute Mapping section line 5 as shown in Figure 4, add the SourceIdentity.
        • For Application Attribute, enter:
          https://aws.amazon.com/SAML/Attributes/SourceIdentity
        • For Identity Bridge Literal or Attribute Value, enter:
          SAML_SUBJECT
    1. Choose Continue to Next Step in the lower right.
    1. For Group Access, add your existing PingOne Directory Group to this application.
    1. Review your setup configuration, as shown in Figure 7, and choose Finish.

      Figure 7. Review mappings

      Figure 7. Review mappings

Configure the SourceIdentity attribute with OneLogin integration

For the OneLogin SAML integration with AWS, the &lt is used by you;strong>Amazon Web Services Multi Account configure and application an optional attribute to map as the SourceIdentity. This portion is done by you of the configuration in the OneLogin administrative console.

This procedure assumes that you have a previously configured AWS and OneLogin integration already. For information about how to configure the OneLogin application for AWS authorization and authentication, see the OneLogin KB article Configure SAML for Amazon Web Services (AWS) with Multiple Accounts and Roles.

After the OneLogin Multi Account application and AWS are configured for SAML login correctly, you can customize the application to pass the &lt further;span>SourceIdentity parameter upon login.

To change OneLogin configuration to add SourceIdentity attribute

    1. In the OneLogin administrative console, in the Amazon Web Services Multi Account application, on the app administration page, navigate to Parameters, as shown in Figure 8.

      Figure 8. OneLogin AWS Multi Account Application Configuration Parameters

      Figure 8. OneLogin AWS Multi Account Application Configuration Parameters

    1. To add a parameter, choose the + (plus) icon to the right of Value.
    1. As shown in Figure 9, for Field Name enter https://aws.amazon.com/SAML/Attributes/SourceIdentity, select Include in SAML assertion, choose &lt then;strong>Save.

      Figure 9. OneLogin AWS Multi Account Application add new field

      Figure 9. OneLogin AWS Multi Account Application add new field

    1. In the Edit Field page, select the default value you want to use for SourceIdentity. For the example in this blog post, for Value, select Email, then choose Save, as shown in Figure 10.

      Figure 10. OneLogin AWS Multi Account Application map new field to email

      Figure 10. OneLogin AWS Multi Account Application map new field to email

After you’ve completed this procedure, review the final mapping details, as shown in Figure 11, to confirm that you see the additional parameter that will be passed into AWS through the SAML assertion.

Figure 11. OneLogin AWS Multi Account Application final mapping details

Figure 11. OneLogin AWS Multi Account Application final mapping details

Configuring AWS IAM role trust policy

That the IdP configuration is complete now, you can enable your AWS accounts to use SourceIdentity by modifying the IAM role trust policy.

For the workforce application or identity to be able to define their source identity when they assume IAM roles, you must grant them permission for the &lt first;span>sts:SetSourceIdentity action, as illustrated in the sample policy document below. This will permit the workforce application or identity to set the SourceIdentity themselves without any need for manual intervention.

To modify an AWS IAM role trust policy

    1. Log in to the AWS Management Console for your account as a user with privileges to configure an IdP, an administrator typically.
    1. Navigate to the AWS IAM service.
    1. For trusted identity, choose SAML 2.0 federation.
    1. From the SAML Provider drop down menu, select the IAM provider you previously created.
    1. Modify the role trust policy and add the SetSourceIdentity action.

Sample policy document

This is a sample policy document attached to a role you assume when you log in to Account1 from the Okta dashboard. Edit your Account1/Role1 trust policy document and add sts:AssumeRoleWithSAML and sts:setSourceIdentity to the Action section.


 

“Version”: “2012-10-17”,
“Statement”: [

  "Effect": "Allow",
  "Principal": 
    "Federated": "arn:aws:iam::    :saml-provider/    "
  ,
  "Action": [
    "sts:AssumeRoleWithSAML",
    "sts:SetSourceIdentity"
  ],
  "Condition": 
    "StringEquals": 
      "SAML:aud": "https://signin.aws.amazon.com/saml"

]

Notes: The SetSourceIdentity action has to be allowed in the trust policy for assumeRole to work when the IdP is set up to pass SourceIdentity in the assertion. Future version of the sign-in URL might contain a Region code. When this occurs, you will need to appropriately modify the URL.

Policy statement

The following are examples of how the relative line “Federated”: “arn:aws:iam:::saml-provider/” should look, based on the different IdPs specified in this post:

    • “Federated”: “arn:aws:iam::12345678990:saml-provider/Okta”
    • “Federated”: “arn:aws:iam::12345678990:saml-provider/PingOne”
    • “Federated”: “arn:aws:iam::12345678990:saml-provider/OneLogin”

Modify Account2/Role2 policy statement

The following is a sample access control policy document in Account2 for Role2 that allows you to switchRole from Account1. Edit the control policy and add sts:AssumeRole and sts:SetSourceIdentity in the Action section.


 

“Version”: “2012-10-17”,
“Statement”: [

  "Effect": "Allow",
  "Principal": 
    "AWS": "arn:aws:iam::    :root"
  ,
  "Action": [
    "sts:AssumeRole",
    "sts:SetSourceIdentity"
  ] 

]

Trace the SourceIdentity attribute in AWS CloudTrail

Use the following procedure for each IdP to illustrate passing a corporate directory attribute mapped as the SourceIdentity .

To trace the SourceIdentity attribute in AWS CloudTrail

    1. Use an IdP to log in to an account Account1 ( 111122223333 ) using a role named Role1 .
    1. Create a new Amazon Simple Storage Service (Amazon S3) bucket in Account1 .
    1. Validate that the CloudTrail log entries for Account1 contain the Active Directory mapped SourceIdentity .
    1. Use the Switch Role feature to switch to a second account Account2 ( 444455556666 ), using a role named Role2 .
    1. Create a new Amazon S3 bucket in Account2 .

To summarize what you’ve done so far, you have:

    • Configured your corporate directory to pass a unique attribute to AWS as the source identity.
    • Configured a role that will persist the SourceIdentity attribute in AWS STS, which an employee shall use to federate into your account.
    • Configured an Amazon S3 bucket that user shall access.

Now you’ll observe in CloudTrail the SourceIdentity attribute that will be associated with every IAM action.

To see the SourceIdentity attribute in CloudTrail

    1. From the your preferred IdP dashboard, select the AWS tile to log into the AWS console. The example in Figure 12 shows the Okta dashboard.

      Figure 12. Login to AWS from IdP dashboard

      Figure 12. Login to AWS from IdP dashboard

    1. Choose the AWS icon, which will take you to the AWS Management Console. Notice how the user has earlier assumed the role you created.
    1. To test the SourceIdentity action, you shall create a new Amazon S3 bucket.Amazon S3 bucket names are unique globally, and the namespace is shared by all AWS accounts, so you shall need to create a unique bucket name in your account. For this example, we used a bucket named DOC-EXAMPLE-BUCKET1 to validate CloudTrail log entries containing the SourceIdentity attribute.
    1. Log into an account Account1 ( 111122223333 ) using a role named Role1 .
    1. Next, create a new Amazon S3 bucket in Account1 , and validate that the Account1 CloudTrail logs entries contain the SourceIdentity attribute.
    1. Create an Amazon S3 bucket called DOC-EXAMPLE-BUCKET1 , as shown in Figure 13.

      Figure 13. Create S3 bucket

      Figure 13. Create S3 bucket

    1. In the AWS Management Console go to CloudTrail and check the log entry for bucket creation event, as shown in Figure 14.

      Figure 14 - Bucket creating entry in CloudTrail

      Figure 14 – Bucket creating entry in CloudTrail

Sample CloudTrail entry showing SourceIdentity entry

The following example shows the new sourceIdentity entry added to the JSON message for the CreateBucket event above.

 "eventVersion":"1.08",
"userIdentity":
    "type":"AssumedRole",
    "principalId":"AROA42BPHP3V5TTJH32PZ:sourceidentitytest",
    "arn":"arn:aws:sts::111122223333:assumed-role/idsol-org-admin/sourceidentitytest",
    "accountId":"111122223333",
    "accessKeyId":"ASIA42BPHP3V2QJBW7WJ",
    "sessionContext":
        "sessionIssuer":
            "type":"Role",
            "principalId":"AROA42BPHP3V5TTJH32PZ",
            "arn":"arn:aws:iam::111122223333:role/idsol-org-admin",
            "accountId":"111122223333","userName":"idsol-org-admin"
        ,
        "webIdFederationData":,
        "attributes":
            "mfaAuthenticated":"false",
            "creationDate":"2021-05-05T16:29:19Z"
        ,
        "sourceIdentity":"  <sourceidentitytest@example.com>  "

,
"eventTime":"2021-05-05T16:33:25Z",
"eventSource":"s3.amazonaws.com",
"eventName":"CreateBucket",
"awsRegion":"us-east-1",
"sourceIPAddress":"203.0.113.0" 
    1. Switch to Account2 ( 444455556666 ) using assume role, and switch to Account2/ assumeRoleSourceIdentity .
    1. Create a new Amazon S3 bucket in Account2 and validate that the Account2 CloudTrail log entries contain the SourceIdentity attribute, as shown in Figure 15.

      Figure 15 - Switch role to assumeRoleSourceIdentity

      Figure 15 – Switch role to assumeRoleSourceIdentity

    1. Create a new Amazon S3 bucket in account2 called DOC-EXAMPLE-BUCKET2 , as shown in Figure 16.

      Figure 16 - Create DOC-EXAMPLE-BUCKET2 bucket while logged into account2 using assumeRoleSourceIdentity

      Figure 16 – Create DOC-EXAMPLE-BUCKET2 bucket while logged into account2 using assumeRoleSourceIdentity

    1. Check the CloudTrail logs for account2 ( 444455556666 ) to see if the original SourceIdentity is logged, as shown in Figure 17.

      Figure 17 - CloudTrail log entry for the above action

      Figure 17 – CloudTrail log entry for the above action

CloudTrail entry showing original SourceIdentity after assuming a role

 
    "eventVersion": "1.08",
    "userIdentity": 
        "type": "AssumedRole",
        "principalId": "AROAVC5CY2KJCIXJLPMQE:sourceidentitytest",
        "arn": "arn:aws:sts::444455556666:assumed-role/s3assumeRoleSourceIdentity/sourceidentitytest",
        "accountId": "444455556666",
        "accessKeyId": "ASIAVC5CY2KJIAO7CGA6",
        "sessionContext": 
            "sessionIssuer": 
                "type": "Role",
                "principalId": "AROAVC5CY2KJCIXJLPMQE",
                "arn": "arn:aws:iam::444455556666:role/s3assumeRoleSourceIdentity",
                "accountId": "444455556666",
                "userName": "s3assumeRoleSourceIdentity"
            ,
            "webIdFederationData": ,
            "attributes": 
                "mfaAuthenticated": "false",
                "creationDate": "2021-05-05T16:47:41Z"
            ,
            "sourceIdentity": "  <sourceidentitytest@example.com>  "
,
"eventTime": "2021-05-05T16:48:53Z",
"eventSource": "s3.amazonaws.com",
"eventName": "CreateBucket",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.0", 

You logged into Account1/Role1 and switched to Account2/Role2 . All the user activities performed in AWS using the Assume Role were also logged with the original user’s sourceIdentity attribute. This makes it simple to trace user activity in CloudTrail.

Conclusion

Now that you have configured your SourceIdentity , you have made it easier for the security team of your organization to use CloudTrail logs to investigate and identify the originating identity of a user. In this post, you learned how to configure the AWS STS SourceIdentity attribute for three different popular IdPs, as well as how to configure each IdP using SAML and their optional attributes. We also provided sample control policy documents outlining how to configure the SourceIdentity for each provider. Additionally, we provide a sample policy for setting the SourceIdentity when switching roles. Lastly, the post walks through how the source identity shall show in CloudTrail logs, and provides logs from two accounts to demonstrate the continuance of the source identity attribute. You can test this capability yourself in your own environment now, validate activity in your CloudTrail logs, and determine which user performed a specific action while using the assumeRole functionality.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support .

Want more AWS Security news? Follow us on Twitter .