mmmorris1975 / aws-runas

aws-runas rewritten in Go
MIT License

Is there any documentation for integrating aws-runas with onelogin? #51

Closed dlethin closed 4 years ago

dlethin commented 4 years ago

I see looking through the codebase there seems to be some support for getting SAML authentication working with OneLogin. However, it's not immediately obvious to me how to do this. I have the aws application configured in our onelogin account, and I was able to get saml2aws working with it, but it required a bit of configuration including setting up an authentication token and secret, app_id, etc. I presume aws-runas needs these values as well and I see reference to them in the code, but my go-lang skills are light so it's not immediately obvious to reverse engineer the code and find where they should be placed. Am I missing something obvious?

I'm trying to run the following and get this error:

./aws-runas-2.0.5-darwin-amd64 -S https://[SUBDOMAIN-REDACTED].onelogin.com/saml/auth
2020/05/08 17:12:20 FATAL missing token query parameter

Maybe that's not the right url? Any guidance would be much appreciated.

thanks.

dlethin commented 4 years ago

Maybe looking at the onelogin_client_test.go code provides some more clues.

Maybe this is the url I need and I have to provide a token somehow:

https://[SUBDOMAIN-REDACTED].onelogin.com/trust/saml2/http-post/sso/MY-APP_ID?token=XXX

will continue digging...

mmmorris1975 commented 4 years ago

Hello Doug, sorry about the lack of info for getting this configured. OneLogin has been one of the more challenging integrations due to the requirement to use the API credentials, and I can understand the confusion and frustration.

There's no good way to make these API credentials super-secure, since they need to be shared with pretty much everyone who will use OneLogin as the integration with AWS using aws-runas. The best I found at this point was to make sure that the API credentials you are sharing are scoped to be 'Authentication Only'.

All of that said, for that 'token' query string parameter, aws-runas is expecting the base64 encoded value of the API Client ID and API Client Secret, joined by a ':'. For example:

echo 'client_id:client_secret' | base64

if you happen to have access to a Mac or Linux system. (Linux systems may need an additional -w0 argument to the base64 command to disable line wrapping)

So a URL which could be set for aws-runas would look something like:

https://[SUBDOMAIN-REDACTED].onelogin.com/trust/saml2/http-post/sso/MY-APP_ID?token=Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQK

(where the token parameter is literally the result of the base64 command above)

Hopefully that gets you up and running, and I'll work on getting some notes in the code as well as start to develop some IdP specific configuration documentation so folks don't have to try to find a magic comment in the source code.

dlethin commented 4 years ago

Thanks so much for the pointers and fast response. That's what I needed to get me over the hump and I'm able to authenticate with my onelogin aws application. Very cool.

I had two followup questions.

  1. There is mention in your doc about caching of credentials and I can see some hidden files getting placed in the ~/.aws directory, but each time I run aws-runas, I am prompted for my password and MFA token. I would assume my temporary credentials would at least last for an hour before I'm asked.

  2. Your documentation suggests the SAML password can be obfuscated and stored in the credentials file using the command aws password <my-profile>, but I don't see the aws cli having a password subcommand. Am I misunderstanding something here?

Thanks again for sharing this tool.

mmmorris1975 commented 4 years ago

Glad that was able to get you going! I'll answer your follow-ups in reverse order.

The password thing may be a typo in the docs. It should read aws-runas password <my-profile>. I'll track down that typo and get that updated.

As I was revisiting the OneLogin logic, I realized that while aws-runas is caching the credentials from AWS, the process for interacting with OneLogin is different than the other IdPs in that when we request the SAML assertion the OneLogin API requires that we pass the user's credentials every time, and OneLogin doesn't maintain the state of a user's login when using the API in the way I am. I checked out the saml2aws code, and it looks like we both went down the same route, so I expect that their tool would behave similarly in that it will require the credentials every time it's run. I have an idea that I'd like to try, which will change how we interact with OneLogin in a way such that we're able to maintain a user's login state, and are still able to request the AWS SAML assertion. The one downside is that it would require a new url endpoint when configuring OneLogin, but the upside is that this new way should allow for the OneLogin authentication state to get cached, so you can avoid that password and mfa prompt every time you run the tool. I think I can have something workable in the next day or 2, and will let you know.

mmmorris1975 commented 4 years ago

I used some different parts of the OneLogin API and it seems that it is behaving like the other SAML clients, and not prompting you to login each time. It will require a change to the saml_auth_url you are configuring for OneLogin.

The new URL is in the general form of:

https://my-tenant.onelogin.com/trust/saml2/launch/__app-id__

where the app-id value can be found on the user's application landing page, hovering over the OneLogin AWS Application, and getting the last element in the URL path.

You'll need to use version 2.1.0 of aws-runas to get this fix.
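
As an added example (not code from aws-runas or from either commenter), the Go program below builds both URL forms described in this thread: the older `http-post/sso/<app-id>?token=...` form, where the token is base64 of `client_id:client_secret` as the maintainer explained above, and the `launch/<app-id>` form introduced with 2.1.0. It also parses a configured URL back into its parts so an operator can audit what a profile's saml_auth_url actually carries. The tenant `my-tenant`, the app id `MY-APP_ID` and the `client_id:client_secret` pair are the placeholders from the thread, not real values. One caveat the example surfaces: `echo 'client_id:client_secret' | base64` encodes a trailing newline (the sample token above decodes to a string ending in `\n`); the thread does not say whether aws-runas strips that, so the parser reports it rather than silently trimming it.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// OneLoginToken builds the value the maintainer describes for the 'token'
// query parameter: base64("<client_id>:<client_secret>"). Unlike
// `echo ... | base64`, no trailing newline is encoded.
func OneLoginToken(clientID, clientSecret string) (string, error) {
	if clientID == "" || clientSecret == "" {
		return "", errors.New("client id and secret must both be non-empty")
	}
	if strings.Contains(clientID, ":") {
		return "", errors.New("client id must not contain ':' (it is the separator)")
	}
	return base64.StdEncoding.EncodeToString([]byte(clientID + ":" + clientSecret)), nil
}

// LegacySAMLAuthURL returns the pre-2.1.0 form from the thread:
// https://<tenant>.onelogin.com/trust/saml2/http-post/sso/<app-id>?token=<token>
// Note that the API secret ends up inside the URL, i.e. inside the config file.
func LegacySAMLAuthURL(tenant, appID, token string) string {
	u := url.URL{Scheme: "https", Host: tenant + ".onelogin.com",
		Path: "/trust/saml2/http-post/sso/" + appID}
	q := url.Values{}
	q.Set("token", token) // url.Values escapes the '=' padding as %3D
	u.RawQuery = q.Encode()
	return u.String()
}

// LaunchSAMLAuthURL returns the 2.1.0+ form from the maintainer's last comment:
// https://<tenant>.onelogin.com/trust/saml2/launch/<app-id>
func LaunchSAMLAuthURL(tenant, appID string) string {
	u := url.URL{Scheme: "https", Host: tenant + ".onelogin.com",
		Path: "/trust/saml2/launch/" + appID}
	return u.String()
}

// ParseToken is the audit step: it pulls the token out of a configured URL,
// base64-decodes it and splits it into client id and secret. A trailing
// newline (what `echo` without -n produces) is reported, not hidden.
func ParseToken(rawURL string) (id, secret string, trailingNewline bool, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", false, err
	}
	tok := u.Query().Get("token")
	if tok == "" {
		// Same condition the FATAL message at the top of the thread reports.
		return "", "", false, errors.New("missing token query parameter")
	}
	raw, err := base64.StdEncoding.DecodeString(tok)
	if err != nil {
		return "", "", false, fmt.Errorf("token is not valid base64: %w", err)
	}
	s := string(raw)
	if strings.HasSuffix(s, "\n") {
		trailingNewline = true
		s = strings.TrimRight(s, "\r\n")
	}
	parts := strings.SplitN(s, ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", trailingNewline, errors.New("decoded token is not '<client_id>:<client_secret>'")
	}
	return parts[0], parts[1], trailingNewline, nil
}

func main() {
	// Placeholder values from the thread, not real credentials.
	tok, err := OneLoginToken("client_id", "client_secret")
	if err != nil {
		panic(err)
	}
	legacy := LegacySAMLAuthURL("my-tenant", "MY-APP_ID", tok)
	fmt.Println("legacy form:", legacy)
	fmt.Println("2.1.0+ form:", LaunchSAMLAuthURL("my-tenant", "MY-APP_ID"))

	id, _, nl, err := ParseToken(legacy)
	fmt.Printf("parsed client id=%q trailing newline=%v err=%v\n", id, nl, err)
}
```

Running the audit function over the sample URL from the thread (token ending in `...ZXQK`) reports `trailingNewline=true`, while the token built by `OneLoginToken` ends in `...ZXQ=` and does not; if a profile fails with the old URL form, that difference is one thing worth checking before assuming the credentials are wrong.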

dlethin commented 4 years ago

I've finally gotten back to testing this out. Seems to work great. Thanks for the fix! Cheers, and be safe!