trek10inc / awsume

A utility for easily assuming AWS IAM roles from the command line.
https://awsu.me
MIT License

Saml assertion parsing not working with adfs due to namespaces #81

Closed faridnsh closed 1 year ago

faridnsh commented 4 years ago

I'm trying to create a saml plugin with adfs, and here's the saml response looks like:

<samlp:Response ID="..." Version="2.0" IssueInstant="2019-12-05T12:52:34.802Z"
                Destination="https://signin.aws.amazon.com/saml"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://example.com/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <Assertion ID="..." IssueInstant="2019-12-05T12:52:34.802Z" Version="2.0"
               xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>http://example.com/adfs/services/trust</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
        <Subject>....</Subject>
        <Conditions NotBefore="2019-12-05T12:52:34.568Z" NotOnOrAfter="2019-12-05T13:52:34.568Z">....</Conditions>
        <AttributeStatement>
            <Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
                <AttributeValue>neshat</AttributeValue>
            </Attribute>
            <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
                <AttributeValue>
                    arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/saml/ADFS/Admin
                </AttributeValue>
            </Attribute>
            <Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
                <AttributeValue>43200</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2019-12-05T12:35:27.355Z" SessionIndex="...">....</AuthnStatement>
    </Assertion>
</samlp:Response>

As you can see, the Attribute element that our code looks for, and the Attribute element and its parent in my example, don't have any explicit namespace.

The best way to do this is to ignore the namespaces, but xml2dict doesn't have that feature. Someone made a PR for it, but that project hasn't had any activity since September, so I don't think it'd be merged anytime soon.
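A namespace-aware extractor that handles both the prefix-less ADFS form shown above and an assertion with explicit `saml:` prefixes, as an added example that is not awsume's or aws-adfs's own code; the two sample responses and the `extract_roles` function are constructed for illustration:

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespace URIs. A document may bind them to any prefix (ADFS uses a
# default namespace for the assertion, other IdPs use "saml:"): match on URI.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
ROLE_VALUE = ("arn:aws:iam::123456789012:saml-provider/ADFS,"
              "arn:aws:iam::123456789012:role/saml/ADFS/Admin")

# Constructed sample modelled on the ADFS response in the issue: the Assertion
# declares the assertion namespace as the default, so no element has a prefix.
ADFS_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}">
  <Assertion xmlns="{NS['saml']}">
    <AttributeStatement>
      <Attribute Name="{ROLE_ATTR}">
        <AttributeValue>
          {ROLE_VALUE}
        </AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""

# Constructed sample of the same assertion with explicit "saml:" prefixes.
PREFIXED_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>{ROLE_VALUE}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""


def extract_roles(saml_xml: str) -> list:
    """Return (provider_arn, role_arn) pairs from the AWS Role attribute.
    Lookups use namespace URIs via NS, so the IdP's choice of prefix (or no
    prefix) is irrelevant. Parse untrusted input with defusedxml instead."""
    root = ET.fromstring(saml_xml)
    roles = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            # ADFS pads the value with newlines and indentation, as in the issue.
            provider, _, role = (value.text or "").strip().partition(",")
            if provider and role:
                roles.append((provider, role))
    return roles
```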

faridnsh commented 4 years ago

Meanwhile, this is how the aws-adfs project does the same thing: https://github.com/venth/aws-adfs/blob/master/aws_adfs/roles_assertion_extractor.py#L33-L39

I would be happy to make a PR, copy-pasting that code!

mbarneyjr commented 4 years ago

Hi @alFReD-NSH , apologies for the delay in getting back to you.

If you're still willing to make a PR, that would be great! I've lost some bandwidth to work on awsume recently.

Tantalon commented 3 years ago

Just realised I raised a duplicate of this as #147 - sorry about that! The good news is I also raised a fix for it #148.

lhendrick-t10 commented 1 year ago

Closed by #148, thanks again @Tantalon!