anilit99

Reputation: 597

How to enable SAML Authentication for aws private api gateway

Architecture: Strictly Serverless Cloud - AWS

I have an application load balancer (internal) in front of a private API gateway, and the requirement is to protect the load balancer endpoint with the enterprise SAML IdP. Lambdas and S3 are allowed, but Route 53 and EC2 are not whitelisted for use on this account.

The problem here is: what would be the relay state (final target) after SAML authentication? As the internal ALB and the private API gateway endpoints aren't visible outside the AWS landscape, I don't understand how to land on the ALB endpoint once the user is authenticated with the enterprise IdP.

Many thanks!

Upvotes: 0

Views: 1453

Answers (1)

Jorge Garcia

Reputation: 2580

To use the on-premise enterprise IdP with your ALB, the IdP and ALB must be able to talk to each other (via VPN or Direct Connect). You would then establish a trust relationship between your AWS account and the IdP and define an authentication action in a listener rule on your ALB.

Elastic Load Balancing uses the OIDC authorization code flow:

  1. When users direct requests to your ALB, the ALB authentication action will check if the session cookie exists on the incoming requests and check its validity. If the session cookie is set and valid then the ALB will route the request to the proper target group containing identity information (JWT token via X-AMZN-OIDC-* headers) that backend instances can use to identify the user. If the cookie is not present, the load balancer redirects the user to the IdP authorization endpoint so that the IdP can authenticate the user.
  2. The IdP then authenticates the user and redirects the user back to the load balancer with an authorization code. The ALB presents the code to the IdP token endpoint to get the ID token and access token.
  3. After the load balancer validates the ID token, it exchanges the access token with the IdP user info endpoint to get the user claims.
  4. The load balancer creates the authentication session cookie and sends it to the client so that the client can use it on subsequent requests.

Source:

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/

Upvotes: 1
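After the OIDC exchange described in the answer, the ALB forwards the user claims to the target in the x-amzn-oidc-data header; a backend behind an internal ALB should still verify that JWT's ES256 signature and the signer ARN rather than trust the header as-is. The following is an added example in Python (not code from the question, the answer, or AWS) using the cryptography library; the ARN, kid and key pair are constructed placeholders, and the fetch callback stands in for the ALB's regional public-key endpoint so it runs offline.

```python
import base64
import json
import time

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, utils

def b64url_decode(part: str) -> bytes:
    # ALB tokens may carry '=' padding that strict JWT libraries reject; strip it and re-pad before decoding.
    return base64.urlsafe_b64decode(part.rstrip("=") + "=" * (-len(part.rstrip("=")) % 4))

def verify_alb_token(token: str, expected_signer: str, fetch_public_key_pem, now=None) -> dict:
    """Return the claims of an x-amzn-oidc-data token only if signature, signer and expiry check out;
    fetch_public_key_pem(kid) stands in for GET https://public-keys.auth.elb.<region>.amazonaws.com/<kid>."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless exactly three parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm and the signing ALB's ARN so a token minted elsewhere is refused before any key lookup.
    if header.get("alg") != "ES256" or header.get("signer") != expected_signer:
        raise ValueError("unexpected alg or signer")
    raw_sig = b64url_decode(sig_b64)  # JWS carries ES256 signatures as r||s (32 bytes each); cryptography wants DER
    der_sig = utils.encode_dss_signature(int.from_bytes(raw_sig[:32], "big"), int.from_bytes(raw_sig[32:], "big"))
    public_key = serialization.load_pem_public_key(fetch_public_key_pem(header["kid"]))
    try:
        public_key.verify(der_sig, f"{header_b64}.{payload_b64}".encode(), ec.ECDSA(hashes.SHA256()))
    except Exception as exc:
        raise ValueError("bad signature") from exc
    claims = json.loads(b64url_decode(payload_b64))
    exp = header.get("exp", claims.get("exp"))  # the ALB puts exp in the JWT header; accept either location
    if exp is None or int(exp) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def make_test_keypair():
    key = ec.generate_private_key(ec.SECP256R1())  # stand-in for the ALB's regional signing key (offline)
    return key, key.public_key().public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)

def mint_test_token(private_key, kid: str, signer: str, claims: dict, ttl_seconds: int) -> str:
    # Constructed token in the ALB layout (padding kept); used only to exercise the verifier offline.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode()
    header = {"alg": "ES256", "kid": kid, "signer": signer, "exp": int(time.time()) + ttl_seconds}
    signing_input = f"{enc(header)}.{enc(claims)}"
    r, s = utils.decode_dss_signature(private_key.sign(signing_input.encode(), ec.ECDSA(hashes.SHA256())))
    return f"{signing_input}.{base64.urlsafe_b64encode(r.to_bytes(32, 'big') + s.to_bytes(32, 'big')).decode()}"

def rejects(token: str, expected_signer: str, fetch_public_key_pem) -> bool:
    # True when verify_alb_token refuses the token (it never returns None on success).
    try:
        return verify_alb_token(token, expected_signer, fetch_public_key_pem) is None
    except ValueError:
        return True
```

In production the callback would fetch and cache the PEM for the token's kid from the regional public-keys endpoint, and the expected signer is the ARN of your own ALB.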
