AWS API authentication using Active Directory assets

This article was published more than a year ago. Please note that the information in it may be out of date.

Introduction

This is Fujimoto.

This is the Active Directory assets series. Twice before I have shown how to single sign-on to the Management Console using on-premises Active Directory assets.

Part 1: SSO to the AWS Management Console using Active Directory assets
Part 2: SSO to the AWS Management Console using Active Directory assets (AD Connector edition)

When you use AWS, is GUI operation from the Management Console enough? Of course not; you want to call the API as well.

So this time I will show how to authenticate users against Active Directory and call the AWS API.

Overview

There are broadly two patterns for authenticating API calls to AWS:

  • AccessKeyId + SecretAccessKey
  • AccessKeyId + SecretAccessKey + SecurityToken

The former is a permanent key; the latter is a temporary one. This post uses the latter: the SAML Response issued by ADFS is passed to STS, which returns temporary credentials (AccessKeyId, SecretAccessKey, SecurityToken).

The flow is as follows.

  1. Client -> ADFS (user authentication request)
  2. ADFS -> AD (user authentication)
  3. AD -> ADFS (authentication result)
  4. ADFS -> Client (SAML Response)
  5. Client -> STS endpoint (AssumeRole with the SAML Response)
  6. STS endpoint -> Client (temporary security credentials)
  7. API calls from the client!

Environment

Client side: on-premises (my home)

  • AD
    OS: Windows Server 2012R2
    Middleware: Active Directory Domain Services, DNS Server
    AD domain: fujimoto-home.local
    AD account used: sfujimoto (group: AWS-developer, e-mail address: sfujimoto@fujimoto-home.local)

  • ADFS
    OS: Windows Server 2012R2
    Middleware: Active Directory Federation Services

Let's try it

Configuration

For the ADFS and AWS SAML authentication configuration, see the earlier entry.

SSO to the AWS Management Console using Active Directory assets

Issuing a SAML Response

A SAML Response can be obtained by sending HTTP requests to ADFS: the first request POSTs the username and password to the IdP-initiated sign-on page and saves the session cookie, and the second fetches the auto-submit form using that cookie. The value of the hidden input tag in that form is the SAML Response, Base64-encoded. It is passed to AWS as is, so copy it.

# curl -ks -c cookies.txt -d 'Username=<USERNAME>@<DOMAIN>&Password=<PASSWORD>&AuthMethod=FormsAuthentication' -X POST "https://<ADFS FQDN>/adfs/ls/idpinitiatedsignon/?loginToRp=urn:amazon:webservices"
# curl -ks -L -c cookies.txt -b cookies.txt -X GET "https://<ADFS FQDN>/adfs/ls/idpinitiatedsignon/?loginToRp=urn:amazon:webservices"
<html><head><title>処理中...</title></head><body><form method="POST" name="hiddenform" action="https://signin.aws.amazon.com:443/saml"><input type="hidden" name="SAMLResponse" value="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" /><noscript><p>スクリプトが無効です。続けるには、[送信] をクリックしてください。</p><input type="submit" value="Submit" /></noscript></form><script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script></body></html>

Of course, being Base64, it can be decoded.

# echo "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" |base64 -D
<samlp:Response ID="_647cd3fe-2188-41f7-82cb-a57bab6b9559" Version="2.0" IssueInstant="2015-09-24T14:28:09.799Z" Destination="https://signin.aws.amazon.com/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://<ADFS FQDN>/adfs/services/trust</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_6bd23b34-0707-4638-b1b6-8fd2f84d55b3" IssueInstant="2015-09-24T14:28:09.799Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://<ADFS FQDN>/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#_6bd21b34-0707-4332-b1b6-8fd2f84d55b3">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>kfjynNPjZXGhh84eBBQh06aWDJpo7pdjAIirN6E67s4=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>Sf4+nm5zVv8KMPaJw9Y3MhX3rRWRDpUkTHZTV6l20dnhzNYrts3HyS7Kmw2ihwddX112IdFTQMZ/HrZhLdkKNImZNQCrJDuY4MGQwEt/kE3KZz6IP4uSLlKbKoUe63+4oIJQMvMnre0x4/khvrZFzfP2r+HdOh7JBAntbO6kZEeKZj/H6kBMp42j3hpA4W0UAtDtYkAsvQl3nuiT4OvZI8QsCbrRZ3odS1kGqBLlWabYuhCLt3MF0LdQ2eTxAp4ORjTOhkpbbA26X//vUOftKlvQ4FSw8MZj8DlvQzjVZoz0EwCE57/UFWPL8vjpBqHuG/DzqV5nmq4mvJnGIYvkXw==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">FUJIMOTO-HOME\sfujimoto</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2015-09-24T14:33:09.799Z" Recipient="https://signin.aws.amazon.com/saml" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2015-09-24T14:28:09.799Z" NotOnOrAfter="2015-09-24T15:28:09.799Z">
      <AudienceRestriction>
        <Audience>urn:amazon:webservices</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <AttributeValue>sfujimoto@fujimoto-home.local</AttributeValue>
      </Attribute>
      <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <AttributeValue>arn:aws:iam::000000000000:saml-provider/fujimoto-home, arn:aws:iam::000000000000:role/ADFS-developer</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2015-09-24T14:27:58.783Z" SessionIndex="_6bd23b34-0707-4638-b1b6-8fd2f84d55b3">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>

As shown, the SAML Response contains the Assertion ID and the results of the Claim Rules (here the RoleSessionName and Role attributes).

Issuing temporary credentials

Use the AWS STS API AssumeRoleWithSAML to issue temporary credentials.
It takes the role ARN (--role-arn), the SAML provider ARN (--principal-arn) and the SAML Response (--saml-assertion) as options.

# aws sts assume-role-with-saml --role-arn arn:aws:iam::000000000000:role/ADFS-developer --principal-arn arn:aws:iam::000000000000:saml-provider/fujimoto-home --saml-assertion "PHNhbWxwOlJlc3BvbnNlIElEPSJfNjQ3Y2QzZmUtMjE4OC00MWY3LTgyY2ItYTU3YmFiNmI5NTU5IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNS0wOS0yNFQxNDoyODowOS43OTlaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zaWduaW4uYXdzLmFtYXpvbi5jb20vc2FtbCIgQ29uc2VudD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNvbnNlbnQ6dW5zcGVjaWZpZWQiIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxJc3N1ZXIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly9hZGZzLmZ1amltb3RvLWhvbWUubG9jYWwvYWRmcy9zZXJ2aWNlcy90cnVzdDwvSXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIgLz48L3NhbWxwOlN0YXR1cz48QXNzZXJ0aW9uIElEPSJfNmJkMjNiMzQtMDcwNy00NjM4LWIxYjYtOGZkMmY4NGQ1NWIzIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMDktMjRUMTQ6Mjg6MDkuNzk5WiIgVmVyc2lvbj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PElzc3Vlcj5odHRwOi8vYWRmcy5mdWppbW90by1ob21lLmxvY2FsL2FkZnMvc2VydmljZXMvdHJ1c3Q8L0lzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIgLz48ZHM6UmVmZXJlbmNlIFVSST0iI182YmQyM2IzNC0wNzA3LTQ2MzgtYjFiNi04ZmQyZjg0ZDU1YjMiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIgLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2IiAvPjxkczpEaWdlc3RWYWx1ZT5rZmp5bk5QalpYR2hoODRlQkJRaDA2YVdESnBvN3BkakFJaXJONkU2N3M0PTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjx
kczpTaWduYXR1cmVWYWx1ZT5TZjQrbm01elZ2OEtNUGFKdzlZM01oWDNyUldSRHBVa1RIWlRWNmwyMGRuaHpOWXJ0czNIeVM3S213Mmlod2RkWDExMklLRlRRTVovSHJaaExka0tOSW1aTlFDckpEdVk0TUdRd0V0L2tFM0taejZJUDR1U0xsS2JLb1VlNjMrNG9JSlFNdk1ucmUweDQva2h2clpGemZQMnIrSGRPaDdKQkFudGJPNmtaRWVLWmovSDZrQk1wNDJqM2hwQTRXMFVBdER0WWtBWXZRbDNudWlUNE92Wkk4UXNDYnJSWjNvZFMxa0dxQkxsV2FiWXVoQ0x0M01GMExkUTJlVHhBcDRPUmpUT2hrcGJiQTI2WC8vdlVPZnRLbHZRNEZTdzhNWmo4RGx2UXpqVlpvejBFd0NFNTcvVUZXUEw4dmpwQnFIdUcvRHpxVjVubXE0bXZKbkdJWXZrWHc9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PEtleUluZm8geG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUM3RENDQWRTZ0F3SUJBZ0lRVnhDUWVGNXh6b0ZHTzBMbzc3OXNkakFOQmdrcWhraUc5dzBCQVFzRkFEQXlNVEF3TGdZRFZRUURFeWRCUkVaVElGTnBaMjVwYm1jZ0xTQmhaR1p6TG1aMWFtbHRiM1J2TFdodmJXVXViRzlqWVd3d0hoY05NVFV3T0RFNU1UVXhNak0xV2hjTk1UWXdPREU0TVRVeE1qTTFXakF5TVRBd0xnWURWUVFERXlkQlJFWlRJRk5wWjI1cGJtY2dMU0JoWkdaekxtWjFhbWx0YjNSdkxXaHZiV1V1Ykc5allXd3dnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDe000000000000000000000000000000000oRUNWTGY0K2RPWC9ZSVNtbTBNTURxbVhFNTFNZm1TQzI5aWN3Z2s4SFIxZDRKSFZHZk0zT1krRWhwRkVtUysyZFlvcDQyQXBHbHlnY1ZsNUZzUVRKWW9ZYmg2dXZEMmcwM1dSQUdFbS9wSHRzQWJoMDlwbisvZ0pxeWVWZUNNRzRoY2h3Kzd3WUR2TW1mOTkrZElPbVFlcHVuMTVTU1d1WjdiYTl5WnRQNzhmamhncFJDNERJVVFxQmpnVDlMbjZuM2Y0blpUMTNFcUdwcFYzaHdHZHpnb2NNVlZqTklXZFZGa2gxSkIzSlhKTEt6MFJZbHB5VEwzcDZVQ2RzY3VnQ2p1NjlURy9zR3h1SnBsVnVqMXQrb3owcmluWEdNOGNZdWhTdVkveEdMd0ZmOXczQnExaFF4MTdBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDQWN4M0JabUFtQ3BFd29qVWJNbXZONXJkT3dWMEhQSXhQMVV1amdQNDZMV2tsLzdBbVV3aUFpK0xUZXNmVHE3UTViT0pkcEp6YkMydXN6UkNnODFiR0JaSmZSSU9mZnU2amZ1WEovT1A0Yllsc1B5VHV6TzR3TnhhcWlMTXFRRklWOGNiWXVCVUhFTldMVUhmTEdBdWowdzF5M2NUdUdzQ3FWNk1FdFkrMmlUWkNPRUZNcnc0V25VRlNPSDJ5SGpNOFdXZEhycFhQMytxWVk0bU9IaUt5MFJzQUZLelVSUlAxVk9FREpFWHkycE9xWkZ6QXAxUHg4ZGhFTW53VWczVExJOVVQbmR4ZlZzM0FmeEpZSXpjcTAyZlY0R05MQTlQby9hNmVzck5DbzJrTWJQZUFyVVdnVjVGL2g5SVZjVTV4c2lMWkVnSEpPcVFmdW9sZ2V5a2M9PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0
YT48L0tleUluZm8+PC9kczpTaWduYXR1cmU+PFN1YmplY3Q+PE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNpc3RlbnQiPkZVSklNT1RPLUhPTUVcc2Z1amltb3RvPC9OYW1lSUQ+PFN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDE1LTA5LTI0VDE0OjMzOjA5Ljc5OVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9zaWd000000000000000000000000000lY3RDb25maXJtYXRpb24+PC9TdWJqZWN0PjxDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNS0wOS0yNFQxNDoyODowOS43OTlaIiBOb3RPbk9yQWZ0ZXI9IjIwMTUtMDktMjRUMTU6Mjg6MDkuNzk5WiI+PEF1ZGllbmNlUmVzdHJpY3Rpb24+PEF1ZGllbmNlPnVybjphbWF6b246d2Vic2VydmljZXM8L0F1ZGllbmNlPjwvQXVkaWVuY2VSZXN0cmljdGlvbj48L0NvbmRpdGlvbnM+PEF0dHJpYnV0ZVN0YXRlbWVudD48QXR0cmlidXRlIE5hbWU9Imh0dHBzOi8vYXdzLmFtYXpvbi5jb20vU0FNTC9BdHRyaWJ1dGVzL1JvbGVTZXNzaW9uTmFtZAI+PEF0dHJpYnV0ZVZhbHVlPnNmdWppbW90b0BmdWppbW90by1ob21lLmxvY2FsPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48QXR0cmlidXRlIE5hbWU9Imh0dHBzOi8vYXdzLmFtYXpvbi5jb20vU0FNTC9BdHRyaWJ1dGVzL1JvbGUiPjxBdHRyaWJ1dGVWYWx1ZT5hcm46YXdzOmlh3To6MjkwNTM2NDg0NzcxOnNhbWwtcHJvdmlkZXIvZnVqaW1vdG8taG9tZSwgYXJuOmF3czppYW06OjI5MDUzNjQ4NDc3MTpyb2xlL0FERlMtZGV2ZWxvcGVyPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48L0F0dHJpYnV0ZVN0YXRlbWVudD43QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE1LTA5LTI0VDE0OjI3OjU4Ljc4M1oiIFNlc3Npb25JbmRleD0iXzZiZDIzYjM0LTA3MDctNDYzOC1iMWI2LThmZDJmODRkNTViMyI+PEF1dGhuQ29udGV4dD48QXV0aG1Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQ8L0F1dGhuQ29udGV4dENsYXNzUmVmPjwvQXV0aG5Db250ZXh0PjwvQXV0aG5TdGF0ZW1lbnQ+PC9Bc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4="
{
    "Audience": "https://signin.aws.amazon.com/saml",
    "NameQualifier": "j8KnghRbguhf/c+FfoMsluk8ke0=",
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts::00000000:assumed-role/ADFS-developer/sfujimoto@fujimoto-home.local",
        "AssumedRoleId": "AROAJ55S34ROZ6QCWKYFS:sfujimoto@fujimoto-home.local"
    },
    "Subject": "FUJIMOTO-HOME\\sfujimoto",
    "Credentials": {
        "Expiration": "2015-09-24T15:44:35Z",
        "SessionToken": "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",
        "AccessKeyId": "ASIAJI2V66WANRTD5BFQ",
        "SecretAccessKey": "/VbW13iSqWgfQowWHffGAKrt7a17oT9hUVi24cyd"
    },
    "SubjectType": "persistent",
    "Issuer": "http://<ADFS FQDN>/adfs/services/trust"
}

The response contains an AccessKeyId, SecretAccessKey and SessionToken. Let's use them as credentials and call an AWS API: listing the S3 buckets.

# export AWS_ACCESS_KEY_ID=ASIAJI2V66WANRTD5BFQ
# export AWS_SECRET_ACCESS_KEY=/VbW13iSqWgfQowWHffGAKrt7a17oT9hUVi24cyd
# export AWS_SESSION_TOKEN=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
# export AWS_DEFAULT_REGION="ap-northeast-1"
# aws s3 ls
2015-08-28 16:45:51 cf-templates-1powceaee2ee2-ap-northeast-1

The bucket list came back, so the temporary credentials were obtained successfully.
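Putting steps 4 to 6 of the flow together, here is an added Python example. It is not the author's gist script and not code from the article: it pulls the SAMLResponse value out of the ADFS form HTML returned by the second curl, decodes it, checks the status, the Conditions validity window and the Audience, extracts the SAML provider / role ARN pair from the Role attribute, and hands them to assume_role_with_saml. The SAML Response, the HTML page, the timestamp used as "now" and the FakeSTS client are constructed so the code runs offline; with a real boto3 STS client (boto3.client("sts", region_name=...), which needs no AWS credentials for this call) the same functions are used unchanged.

```python
# Added example (not the author's gist script): the ADFS -> STS flow in plain Python.
# The SAML Response, ADFS page and FakeSTS below are constructed so it runs offline;
# with a real boto3.client("sts") the same functions work unchanged.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from html.parser import HTMLParser

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_AUDIENCE = "urn:amazon:webservices"

class _SamlFormParser(HTMLParser):
    """Finds <input name="SAMLResponse" value="..."> in the ADFS auto-post form."""
    saml_response = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "SAMLResponse":
            self.saml_response = a.get("value")

def extract_saml_response(page):
    """Base64 SAML Response from the second curl's HTML. On a bad password ADFS serves
    the login form again, which has no such input, so fail loudly instead of posting junk."""
    p = _SamlFormParser()
    p.feed(page)
    if not p.saml_response:
        raise ValueError("no SAMLResponse input in ADFS page; authentication failed?")
    return p.saml_response

def _saml_time(s):  # ADFS writes UTC with milliseconds, e.g. 2015-09-24T14:28:09.799Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def parse_roles(saml_b64, now=None):
    """Decode the SAML Response and return [(saml_provider_arn, role_arn), ...], after checking
    what STS would reject anyway (status, Conditions window, Audience) so a stale or
    mis-targeted assertion fails readably. Signature verification is STS's job, not the client's."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if not status.endswith(":Success"):
        raise ValueError("ADFS status: " + status)
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    now = now or datetime.now(timezone.utc)
    if not _saml_time(cond.get("NotBefore")) <= now < _saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its NotBefore/NotOnOrAfter window")
    if AWS_AUDIENCE not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion audience is not " + AWS_AUDIENCE)
    roles = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ROLE_ATTR:
            for value in attr.findall("saml:AttributeValue", NS):
                first, second = (s.strip() for s in value.text.split(","))
                # The claim rule may emit the pair in either order; label them by ARN type.
                roles.append((first, second) if ":saml-provider/" in first else (second, first))
    if not roles:
        raise ValueError("no Role attribute in assertion; check the ADFS claim rules")
    return roles

def assume_role(sts, saml_b64, provider_arn, role_arn):
    """sts is boto3.client('sts') or anything with the same assume_role_with_saml method."""
    resp = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=provider_arn, SAMLAssertion=saml_b64)
    return resp["Credentials"]

def credentials_to_exports(creds):
    """The three export lines the article's script prints."""
    names = [("AWS_ACCESS_KEY_ID", "AccessKeyId"), ("AWS_SECRET_ACCESS_KEY", "SecretAccessKey"),
             ("AWS_SESSION_TOKEN", "SessionToken")]
    return "\n".join("export %s=%s" % (env, creds[key]) for env, key in names)

# ---- constructed sample data (unsigned; a real ADFS response carries a ds:Signature) ----
SAMPLE_SAML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <Conditions NotBefore="2015-09-24T14:28:09.799Z" NotOnOrAfter="2015-09-24T15:28:09.799Z">
      <AudienceRestriction><Audience>urn:amazon:webservices</Audience></AudienceRestriction>
    </Conditions>
    <AttributeStatement><Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <AttributeValue>arn:aws:iam::000000000000:saml-provider/fujimoto-home, arn:aws:iam::000000000000:role/ADFS-developer</AttributeValue>
    </Attribute></AttributeStatement>
  </Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_SAML.encode()).decode()
SAMPLE_PAGE = ('<html><body><form method="POST" action="https://signin.aws.amazon.com:443/saml">'
               '<input type="hidden" name="SAMLResponse" value="' + SAMPLE_B64 + '" /></form></body></html>')
SAMPLE_NOW = datetime(2015, 9, 24, 14, 30, tzinfo=timezone.utc)  # inside the window above

class FakeSTS:
    """Offline stand-in for boto3.client('sts'); returns fixed, obviously fake credentials."""
    def assume_role_with_saml(self, RoleArn, PrincipalArn, SAMLAssertion):
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "EXAMPLESECRET",
                                "SessionToken": "EXAMPLETOKEN", "Expiration": "2015-09-24T15:44:35Z"}}

def run_flow(page=SAMPLE_PAGE, sts=None, now=SAMPLE_NOW):
    """Steps 4-6 of the article's flow: HTML form -> SAML Response -> role pair -> export lines."""
    saml_b64 = extract_saml_response(page)
    provider_arn, role_arn = parse_roles(saml_b64, now=now)[0]  # first role; a real tool would prompt
    return credentials_to_exports(assume_role(sts or FakeSTS(), saml_b64, provider_arn, role_arn))
```

Calling run_flow() with its defaults runs entirely offline and returns the three export lines. For real use, obtain the HTML with the two curl requests from the article (or the equivalent in requests with a cookie jar), pass it as page, and pass a boto3 STS client as sts; the checks in parse_roles then tell you whether a failure is a stale assertion, a wrong Audience or a missing Role claim rule before STS is ever called. When the Role attribute carries several provider/role pairs, parse_roles returns all of them and the caller should let the user pick one.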

Scripting

I have published a Python script that performs this authentication as a gist.

Running it looks like this.

# ./assume_role_for_adfs.py --adfs-fqdn adfs.fujimoto-home.local --username sfujimoto@fujimoto-home.local
sfujimoto@fujimoto-home.local's Password:
Execute following commands to set AWS credentials
-----
export AWS_ACCESS_KEY_ID=ASIAI6FEUDEHPV325XJA
export AWS_SECRET_ACCESS_KEY=FVxf8XqxnRb8snorPxu0lqQxSofjyJCOfDSw4g8P
export AWS_SESSION_TOKEN=AQoDYXdzEEEa8AIsPa6X9Uf6mOJ7X6BDeSF7CJWITEJkyo3qcTfGPUoIbSsmXwMpnsfDLCvj+O87T9D1og8hsoTXF7eR9VJDTG2BPnvN1cn0Zop/1RBuVF77QaaSituzTPBlamQpAmm72mzb0oX7MMw/fWu9B4haCkWkUJHID7vVK/8s7YbRPAu/y8P0zod4UGuSoKA4ko8DdrjS89sB89gTwr1YdotzqdeSj5yI4Nshg+JDHebI/V8M+EPsDARQs5Axl+uTGoGLl8cMiN7WGXX8Ng7p2F8bHWYnWCcOJjfkKHDvuOJT0vL5vCF9aHwgGqAnThzHFEst83CpqHyyPQzoAkBd6zuGlNbObV0O9NWrNbq6+eFBN/y36SpWN9TKjZGc63XoPjmVqmjopMLjGcri1jDWoyHtWorrFMHJbe7Q9UKK/AbMDp0PQCbZNoHcFImBSZU8yUptsWJx0LM1Mge3hU69wy+D5sh+2D9nk4bGgKv1UEf2syXpKyCCl5mwBQ==

Summary

How was it?
I have shown SSO to the Management Console and obtaining temporary API credentials using Active Directory. An organization that already has Active Directory only needs to create IAM Roles on AWS; it can then delegate account management to Active Directory without creating IAM users.

References

How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS
SAML wrapper for aws cli