0
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

IAM Identity Center - Microsoft Entra ID の SAML について

Last updated at Posted at 2024-04-08

IAM Identity Center において外部 ID プロバイダーの Microsoft Entra ID を選択し SAML 認証がどのように機能するかまとめ

■構築手順の概要 (※1)

  1. Microsoft Entra ID で AWS IAM Identity Center のエンタープライズアプリケーション、ユーザーを作成
  2. IAM Identity Cente で許可セットや 1. で作成したユーザーに対応するユーザーを作成、許可セットをユーザーへ割り当て
  3. Microsoft Entra ID の AWS IAM Identity Center エンタープライズアプリケーションと IAM アイデンティティセンターの外部 IdP 設定を使用して SAML 接続を設定
  4. SCIM v2.0 プロトコルを使用して Microsoft Entra ID から IAM アイデンティティセンターへのユーザー情報の自動プロビジョニング (同期) を設定 ※3

重要 : ユーザー作成時、プロパティで [名]、[姓] に適当な値を入力する必要があります。無いと自動プロビジョニングを実行する時に失敗します。※2

ドキュメントはこちら
※1 Microsoft Entra ID および IAM アイデンティティセンターによる SAML と SCIM の設定
https://docs.aws.amazon.com/ja_jp/singlesignon/latest/userguide/idp-microsoft-entra.html

※2 自動プロビジョニングを使用する際の注意事項
https://docs.aws.amazon.com/ja_jp/singlesignon/latest/userguide/provision-automatically.html#auto-provisioning-considerations

※3 Microsoft Entra ID および IAM アイデンティティセンターによる SAML と SCIM の設定
https://docs.aws.amazon.com/ja_jp/singlesignon/latest/userguide/other-idps.html

IAM Identity Center - Microsoft Entra ID の SAML認証リクエストの中身

■SAML リクエスト

SamlRequest.xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://ap-northeast-1.signin.aws.amazon.com/platform/saml/acs/xxxxxxxxxxxxxxxxxx" Destination="https://login.microsoftonline.com/xxxxxxxxxxxxx/saml2" ID="aws_xxxxxxxxxxxx" IssueInstant="yyyy-mm-ddT11:11:11.111Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://ap-northeast-1.signin.aws.amazon.com/platform/saml/[ID ストア ID]</saml2:Issuer>
  <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</saml2p:AuthnRequest>

■SAML レスポンス例

SamlResponse.xml
<samlp:Response ID="xxxxxxxxxxxxxxxxxxxxxxx" Version="2.0" IssueInstant="yyyy-mm-ddT11:11:11.111" Destination="https://ap-northeast-1.signin.aws.amazon.com/platform/saml/acs/xxxxxxxxxxxxxxxxxxxxxxx" InResponseTo="aws_xxxxxxxxxxxxxxxxxxxxxxx" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/8dc60039-d6d8-45a2-9eee-d625d864f53a/</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_xxxxxxxxxxxxxxxxxxxxxxx" IssueInstant="yyyy-mm-ddT11:11:11.111Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxxa/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <Reference URI="#_xxxxxxxxxxxxxxxxxxxxxxx">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <DigestValue>xxxxxxxxxxxxxxxxxxxxxxx</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>xxxxxxxxxxxxxxxxxxxxxxxx</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>xxxxxxxxxxxxxxxxxxxxxxx</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">meisei@hogehoge.onmicrosoft.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="aws_xxxxxxxxxxxxxxxx" NotOnOrAfter="yyyy-mm-ddT22:22:22.222" Recipient="https://ap-northeast-1.signin.aws.amazon.com/platform/saml/acs/xxxxxxxxxxxxxxxxxx" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="yyyy-mm-ddT11:11:11.111Z" NotOnOrAfter="yyyy-mm-ddT22:22:22.222Z">
      <AudienceRestriction>
        <Audience>https://ap-northeast-1.signin.aws.amazon.com/platform/saml/d[ID ストア ID]</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <AttributeValue>xxxxxxxxxxxxx</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
        <AttributeValue>xxxxxxxxxxxxxxxxxxxxxxx</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <AttributeValue>meisei</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
        <AttributeValue>https://sts.windows.net/8dc60039-d6d8-45a2-9eee-d625d864f53a/</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
        <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <AttributeValue>mei</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <AttributeValue>sei</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>meisei@hogehoge.onmicrosoft.com</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="yyyy-mm-ddT11:11:11.111Z" SessionIndex="_xxxxxxxxxxx0">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
0
1
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
0
1

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?