ruimarinho / gsts

Obtain and store AWS STS credentials to interact with Amazon services by authenticating via G Suite SAML.
MIT License

Caching SAML Assertion #35

Closed Mattias- closed 1 year ago

Mattias- commented 3 years ago

Hi there, I'm considering an option to let gsts write the SAML assertion to disk and use it if possible. If a non-expired assertion is found with matching sp-id and idp-id, I suppose it could be used to assume any role without even launching puppeteer.

The use case I'm mainly interested in is to use the assertion with other tools (like aws sts assume-role-with-saml) for debugging and building scripts around gsts to select role ARNs in advance.

What do you think? This is not a feature request, I'm just considering if the project would be open for such contributions.

ruimarinho commented 3 years ago

Hi @Mattias- , sorry for not getting back to you earlier!

You mean something like --saml-assertion which, if set, would store the raw SAML response?

Are you able to provide a more concrete example of the use case?

Mattias- commented 3 years ago

Hi there @ruimarinho, yes, something like that! The main use case is to get a robust way of figuring out what roles a user is able to assume and build some tooling around that. From the SAML assertion file it's possible to retrieve all roles that the user is able to assume. Ask the user to pick one of them. Continue with authentication.

A secondary use case I'm interested in is to improve the speed of assuming multiple roles in many accounts within a short time window. Since the SAML assertion is valid for multiple minutes I think it would be clever to re-use it.
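The two use cases above, listing the assumable roles from a stored SAML assertion and deciding whether a cached assertion is still usable, as an added example that is not part of gsts or of this thread. It is a stand-alone Python script; the SAML response it parses is a constructed, unsigned sample with placeholder account ids, the file format it caches (the base64 `SAMLResponse` as posted to AWS) and the function names are assumptions, and the validity check is the assertion's own `Conditions` window plus the AWS audience, not a signature verification (AWS performs that when the assertion is presented).

```python
import base64
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed sample (not a real assertion): a minimal, unsigned SAML response
# shaped like what AWS receives. Account ids, role and provider names are placeholders.
SAMPLE_XML = """<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/Admin,arn:aws:iam::111111111111:saml-provider/GSuite</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/GSuite,arn:aws:iam::222222222222:role/ReadOnly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def _to_dt(value):
    """Accept an aware datetime or a SAML (ISO-8601, UTC 'Z') timestamp string."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "")).replace(tzinfo=timezone.utc)


def load_assertion(saml_response_b64):
    """Decode the base64 SAMLResponse (as posted to AWS) into an XML tree."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def validity_window(root):
    """(NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    cond = root.find(".//saml:Conditions", NS)
    return _to_dt(cond.get("NotBefore")), _to_dt(cond.get("NotOnOrAfter"))


def audience_ok(root, expected=AWS_AUDIENCE):
    """The assertion must be addressed to the AWS SAML endpoint."""
    return any(a.text == expected for a in root.findall(".//saml:Audience", NS))


def assertion_usable(root, now=None):
    """True when 'now' is inside the validity window and the audience is AWS.
    NotOnOrAfter is exclusive, so an assertion at exactly that instant is expired."""
    now = datetime.now(timezone.utc) if now is None else _to_dt(now)
    not_before, not_on_or_after = validity_window(root)
    return audience_ok(root) and not_before <= now < not_on_or_after


def list_roles(root):
    """Return (role_arn, provider_arn) pairs from the AWS Role attribute.
    AWS accepts either order inside the comma-separated value, so detect by ARN type."""
    pairs = []
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = next((p for p in parts if ":role/" in p), None)
            provider = next((p for p in parts if ":saml-provider/" in p), None)
            if role and provider:
                pairs.append((role, provider))
    return pairs


def save_assertion(path, saml_response_b64):
    """Cache the assertion owner-read/write only (0600): until NotOnOrAfter it is
    a bearer credential for every role it lists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(saml_response_b64)


def roles_from_cache(path, now=None):
    """Roles from a cached assertion, or None if the cache is missing, corrupt or expired
    (the caller would then fall back to a fresh browser login)."""
    try:
        with open(path) as fh:
            root = load_assertion(fh.read())
    except (OSError, ValueError, ET.ParseError):
        return None
    return list_roles(root) if assertion_usable(root, now) else None


if __name__ == "__main__":
    tree = load_assertion(SAMPLE_B64)
    print("usable now:", assertion_usable(tree))  # False: the sample expired in 2024
    for role_arn, provider_arn in list_roles(tree):
        print(role_arn, "via", provider_arn)
```

The cached file holds exactly the base64 `SAMLResponse` value, so the same content can be handed to `aws sts assume-role-with-saml` with the chosen role and provider ARNs while the window is open; `roles_from_cache` returning `None` is the signal to launch the browser flow again.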

ruimarinho commented 1 year ago

This will be released on the next major version, being drafted on https://github.com/ruimarinho/gsts/pull/82.