将AWS CloudFront连接到单一登录(SSO)
[英]Connect AWS CloudFront to Single Sign-On (SSO)
问题描述
I'm working on a website deployed to AWS using S3 as storage and CloudFront CDN. 
我正在使用S3作为存储和CloudFront CDN部署到AWS的网站上工作。 It's a static website with a single html file using JS to display the content based on the querystring. 这是一个静态网站,使用JS单个HTML文件显示基于查询字符串的内容。 The owner is an enterprise that already has established SSO within their organization, they use IBM Tivoli as the IdP. 所有者是已经在其组织内建立SSO的企业,他们使用IBM Tivoli作为IdP。 The part I'm missing is how does the request for authorization get generated? 我缺少的部分是如何生成授权请求?
I've read through these: 我已阅读以下内容:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html http://docs.aws。 amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html http://docs.aws.amazon.com/ IAM / latest / UserGuide / id_roles_providers_create_saml.html http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
Many of these are close but just off the mark. 其中许多都是接近的,但还差得远。 It's not an EC2 instance, it's not Elastic Beanstalk, I'm not trying access the AWS console, and they don't use AD for SSO. 它不是EC2实例,不是Elastic Beanstalk,我不是在尝试访问AWS控制台,并且它们不将AD用于SSO。 It's just a website. 这只是一个网站。
So far I have: 到目前为止,我有:
- created the SAML provider in AWS and imported the metadata from their IdP 在AWS中创建了SAML提供程序,并从其IdP中导入了元数据
- created the IAM role 创建了IAM角色
- established the trust relationship between role and provider 建立角色与提供者之间的信任关系
- established the s3:getObject permission for the role 建立角色的s3:getObject权限
- provided them with the metadata from AWS with the specifics about the SAML assertions that need to be provided. 向他们提供了来自AWS的元数据,其中包含需要提供的有关SAML断言的详细信息。
My question is how the two sides get connected. 我的问题是双方如何建立联系。 Is it automatically done by AWS when anyone attempts to access the site? 当任何人尝试访问该网站时,AWS会自动完成吗? Does the enterprise create a special link in their portal to start the site with the SAML? 企业是否在其门户中创建特殊链接以使用SAML启动网站? What happens if the user just types in the domain name in the browser? 如果用户仅在浏览器中键入域名会怎样? Does code need to be added to the website? 是否需要将代码添加到网站?
TIA, Mike TIA,迈克
1 个解决方案
解决方案1
4 已采纳 2017-06-04 15:47:35
Circling back to close out this question. 盘旋以结束这个问题。 I found that AWS doesn't have a way to add an SSO layer to your CloudFront hosted website. 我发现AWS无法将SSO层添加到您的CloudFront托管网站中。 That needs to be implemented within the website's code. 这需要在网站的代码中实现。
I wound up using the npm module 'express-saml' to handle the saml exchange and a really simple DynamoDB table for storing the login on the SP side. 我使用npm模块'express-saml'处理了saml交换,并使用了一个非常简单的DynamoDB表将登录名存储在SP端。 The aws-sdk is used for DynamoDB. aws-sdk用于DynamoDB。
Mike 麦克风
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.