Layer7 Access Management

Integrating Alicloud with CA SSO Federation


    Posted 04-29-2019 12:11 PM

    Hi All,


    I am trying to integrate Alicloud with CA Federation. The integration is similar to AWS and we are required to pass the below attribute as part of assertion:

    https://www.alibabacloud.com/SAML-Role/Attributes/Role

    I am stuck with the issue in case a user has multiple roles. Please note the roles in Alicloud are required to be passed in the below format:

    <Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/Role">
        <AttributeValue>acs:ram::$account_id:role/role1,acs:ram::$account_id:saml-provider/provider1</AttributeValue>
        <AttributeValue>acs:ram::$account_id:role/role2,acs:ram::$account_id:saml-provider/provider1</AttributeValue>
    </Attribute>

    To achieve this, I tried multiple ways to form an expression in the attribute mapping associated with the user directory, but none of them works. The main challenge is concatenation of these static strings to the roles. I have managed to filter out the roles, but adding the before and after strings is not working. As of now, I am using the below expression, followed by FMATTR:Virtual Attribute Name as the value in the federation partnership for the role attribute.

    "acs:ram::***************:role/" + Filter(ENUMERATE(GET('FMATTR:memberOf'),String(RDN(STRING(%0),FALSE))),'ABC*') + ",acs:ram::***************:saml-provider/test-sp1"


    The above does not work and is good only when the user has single role assigned.

    Any help is much appreciated.


    Regards,

    Aishwarya
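The transformation the post is asking for, written out as an added Python example rather than a CA SSO attribute-mapping expression, so the expected shape of the role attribute can be checked offline. It is not CA SSO's or Alibaba Cloud's code. The account id, the sample memberOf DNs, and the group names are constructed; the provider name test-sp1, the 'ABC*' filter, and the attribute name are taken from the post's own XML and expression. Each matching group becomes its own AttributeValue, which is what the RAM-side format above requires; concatenating one string, as the post's current expression does, yields a single value even when several groups match.

```python
"""Build the multi-valued Alibaba Cloud RAM SAML role attribute from LDAP group DNs.

Added example, not CA SSO code: it mirrors, in plain Python, the mapping the post
tries to express with ENUMERATE/RDN/Filter, producing one <AttributeValue> per group.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed placeholder values; a real deployment takes these from the RAM console.
ACCOUNT_ID = "123456789012"  # placeholder account id, not a real one
SAML_PROVIDER = "test-sp1"   # provider name used in the post
ROLE_ATTR_NAME = "https://www.aliyun.com/SAML-Role/Attributes/Role"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed sample memberOf values for one user.
SAMPLE_MEMBER_OF = [
    "CN=ABC-Admin,OU=Groups,DC=example,DC=com",
    "CN=Finance,OU=Groups,DC=example,DC=com",
    "CN=ABC-ReadOnly,OU=Groups,DC=example,DC=com",
]


def rdn_value(dn: str) -> str:
    """Return the value of the first RDN of an LDAP DN (the post's RDN(..., FALSE)).

    Backslash-escaped commas inside the value (e.g. "CN=Smith\\, John,OU=...") are
    kept, so a group name containing a comma is not truncated.
    """
    chars = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep the next char
            chars.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":  # end of the first RDN
            break
        chars.append(ch)
        i += 1
    _, _, value = "".join(chars).partition("=")
    return value.strip()


def role_values(member_of, pattern="ABC*", account_id=ACCOUNT_ID, provider=SAML_PROVIDER):
    """One 'role-arn,provider-arn' string per group whose RDN matches the pattern."""
    values = []
    for dn in member_of:
        name = rdn_value(dn)
        if fnmatch.fnmatchcase(name, pattern):  # same wildcard semantics as Filter(..., 'ABC*')
            values.append(
                f"acs:ram::{account_id}:role/{name},acs:ram::{account_id}:saml-provider/{provider}"
            )
    return values


def role_attribute_xml(member_of, **kwargs) -> str:
    """Render the SAML <Attribute> with one <AttributeValue> per matching group.

    ElementTree escapes the text, so a group name containing '<' or '&' cannot
    break the assertion markup.
    """
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", Name=ROLE_ATTR_NAME)
    for value in role_values(member_of, **kwargs):
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(attr, encoding="unicode")


if __name__ == "__main__":
    print(role_attribute_xml(SAMPLE_MEMBER_OF))
```

Running the module prints a saml:Attribute element with two AttributeValue children (ABC-Admin and ABC-ReadOnly); the Finance group is dropped by the filter. The same check applies to whatever the identity provider finally emits: the role attribute in the assertion should carry as many AttributeValue elements as the user has matching groups, not one value with the strings run together.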