
jmhld (jmhld) asked a question.
We are facing the following problem when configuring our AWS SAML federated application.
We may have users that belong to multiple Okta groups, let's say: Dev and Infra.
For each of these groups we map an AWS role: Dev => admin-limited and Infra => admin.
We would like to avoid having a SAML response with both AWS roles like the following (which leads to a screen with role-selection radio buttons):
<saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">arn:aws:iam::123456789:saml-provider/okta,arn:aws:iam::123456789:role/admin</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">arn:aws:iam::123456789:saml-provider/okta,arn:aws:iam::123456789:role/admin-limited</saml2:AttributeValue>
</saml2:Attribute>
So instead of proposing the 2 mapped roles, we want to select the most permissive role.
If that is not possible, we would be interested in selecting the highest-priority Okta group only: Infra.

Hi!
So with what you have in place currently, please take a look at the following:
Assign attribute group priority
and
Group prioritization use case
Does this help to resolve your concern? This should allow Okta to interpret the highest priority group when evaluating a user who is a member of more than one.
Additionally, I would suggest that you look into AWS SSO (now known as IAM Identity Center), as it allows for more flexible options within AWS itself.
Thanks and good luck!
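As an added illustration (not code from the question or from the reply above, and not how Okta implements group priority, which is configured in the app's attribute mapping), the following Python models the selection the question asks for: parse the two-value Role attribute, rank the roles with an explicit priority table, and emit a single-value attribute so AWS never shows the role chooser. The priority table ROLE_PRIORITY, the helper names, and the wrapper root element around the SAML fragment are assumptions made for this example. Two details matter in practice: a role that has no priority entry is never picked silently, and two roles with equal priority are reported as ambiguous instead of resolved by accident, since "always give the most permissive role" is the opposite of least privilege and should be a deliberate decision per group, not a side effect of ordering.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
ET.register_namespace("saml2", SAML2_NS)

# Constructed sample input: the two-value Role attribute from the question,
# wrapped in a dummy <root> so the saml2 prefix is declared and the fragment parses.
SAMPLE_ATTRIBUTE = f"""<root xmlns:saml2="{SAML2_NS}">
<saml2:Attribute Name="{AWS_ROLE_ATTR}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="{XSI_NS}" xsi:type="xs:string">arn:aws:iam::123456789:saml-provider/okta,arn:aws:iam::123456789:role/admin</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="{XSI_NS}" xsi:type="xs:string">arn:aws:iam::123456789:saml-provider/okta,arn:aws:iam::123456789:role/admin-limited</saml2:AttributeValue>
</saml2:Attribute>
</root>"""

# Hypothetical priority table (not an Okta or AWS setting): higher number wins.
# Mirrors the question's intent that Infra/admin outranks Dev/admin-limited.
ROLE_PRIORITY = {"admin": 2, "admin-limited": 1}


def split_role_value(value: str) -> tuple[str, str]:
    """Split 'provider-arn,role-arn' into (provider, role).

    AWS accepts the two ARNs in either order, so normalise to provider first and
    reject anything that is not exactly one saml-provider ARN plus one role ARN.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected 'provider,role', got {value!r}")
    if ":saml-provider/" in parts[1] and ":role/" in parts[0]:
        parts.reverse()
    provider, role = parts
    if ":saml-provider/" not in provider or ":role/" not in role:
        raise ValueError(f"malformed AWS Role attribute value: {value!r}")
    return provider, role


def parse_role_values(xml_text: str) -> list[tuple[str, str]]:
    """Return every (provider, role) pair carried by the AWS Role attribute."""
    root = ET.fromstring(xml_text)
    pairs = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for val in attr.findall(f"{{{SAML2_NS}}}AttributeValue"):
            pairs.append(split_role_value(val.text or ""))
    return pairs


def role_name(role_arn: str) -> str:
    """'arn:aws:iam::123456789:role/admin' -> 'admin'."""
    return role_arn.rsplit("/", 1)[-1]


def select_role(pairs: list[tuple[str, str]], priority: dict[str, int]) -> tuple[str, str]:
    """Pick the single highest-priority role from the mapped pairs.

    Roles absent from the table are never chosen by accident, and a tie raises
    instead of picking one: that ambiguity is exactly what the AWS radio-button
    screen exists to resolve, so it must not be hidden by sort order.
    """
    ranked = [(priority[role_name(r)], p, r) for p, r in pairs if role_name(r) in priority]
    if not ranked:
        raise LookupError("no mapped role has a priority entry")
    ranked.sort(key=lambda t: t[0], reverse=True)
    if len(ranked) > 1 and ranked[0][0] == ranked[1][0]:
        raise LookupError(f"ambiguous: {ranked[0][2]} and {ranked[1][2]} share priority {ranked[0][0]}")
    return ranked[0][1], ranked[0][2]


def single_role_attribute(provider: str, role: str) -> str:
    """Render the Role attribute with exactly one value, so AWS offers no choice."""
    attr = ET.Element(f"{{{SAML2_NS}}}Attribute",
                      {"Name": AWS_ROLE_ATTR,
                       "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"})
    # xmlns:xs is written as a literal attribute because ElementTree only emits
    # declarations for namespaces it sees in element or attribute names, and the
    # xs prefix is only referenced inside the xsi:type value.
    val = ET.SubElement(attr, f"{{{SAML2_NS}}}AttributeValue",
                        {"xmlns:xs": "http://www.w3.org/2001/XMLSchema",
                         f"{{{XSI_NS}}}type": "xs:string"})
    val.text = f"{provider},{role}"
    return ET.tostring(attr, encoding="unicode")


if __name__ == "__main__":
    found = parse_role_values(SAMPLE_ATTRIBUTE)
    print("roles in assertion:", [role_name(r) for _, r in found])
    chosen = select_role(found, ROLE_PRIORITY)
    print("selected:", role_name(chosen[1]))
    print(single_role_attribute(*chosen))
```

Running it prints both mapped roles, selects admin under the example table, and emits an attribute with a single AttributeValue that parses back cleanly. Swap the table for {"admin": 1, "admin-limited": 2} to keep the least-privileged role instead, or give both the same number to see the ambiguity error rather than a silent choice.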