SAML Role Attribute

AWS SAML Role Attribute[edit]

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html

You can use an Attribute element with the Name attribute set to https://aws.amazon.com/SAML/Attributes/Role. This element contains one or more AttributeValue elements that list the IAM identity provider and role to which the user is mapped by your IdP. The IAM role and IAM identity provider are specified as a comma-delimited pair of ARNs in the same format as the RoleArn and PrincipalArn parameters that are passed to AssumeRoleWithSAML. This element must contain at least one role-provider pair (AttributeValue element), and can contain multiple pairs. If the element contains multiple pairs, then the user is asked to choose which role to assume when they use WebSSO to sign into the AWS Management Console.

Important The value of the Name attribute in the Attribute tag is case-sensitive. It must be set to https://aws.amazon.com/SAML/Attributes/Role exactly.

<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
  <AttributeValue>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</AttributeValue>
  <AttributeValue>arn:aws:iam::account-number:role/role-name2,arn:aws:iam::account-number:saml-provider/provider-name</AttributeValue>
  <AttributeValue>arn:aws:iam::account-number:role/role-name3,arn:aws:iam::account-number:saml-provider/provider-name</AttributeValue>
</Attribute>

• Read: https://forums.aws.amazon.com/thread.jspa?messageID=632472&#632472

Related[edit]

• SAML response
• Attributes
• https://aws.amazon.com/SAML/Attributes/Role

See also[edit]

• SAML, IdP, AWS SAML, AWS IAM, AWS SAML endpoint, SAML:EduPersonOrgDN, SAML Role Attribute, assume-role-with-saml
• SAML, IdP, Assertion, Attribute, SCIM, Amazon Cognito, OpenID Connect (OIDC), SAML response, SAML:EduPersonOrgDN, Assertion Consumer Service (ACS), SAML examples, Entity ID, Name ID, SAMLResponse, saml-provider