9 votes

We want to allow our users to retrieve a set of temporary CLI credentials for a given AWS role by signing in to OneLogin with password and MFA. We have a working solution, but it requires the user to fully re-authenticate to OneLogin (including MFA) every 60 minutes as the AWS temporary credentials expire. I think that won't fly - our users are accustomed to permanent API credentials tied to a real IAM user.

Ideally, we'd like to allow users to authenticate once a day, securely cache the resulting SAML assertion, and use that to transparently refresh the AWS API credentials as needed. I'm thinking of something like aws-keychain that would use the local OS credential store to remember the SAML assertion, and only prompt the user for input when their OneLogin session has timed out.

This almost works as-is. The catch is that the SAML assertion returned by OneLogin's saml_assertion and verify_factor endpoints sets a three-minute deadline on the Subject and Conditions fields.

Is there a way to do what we want, or are we trying to route around a core SAML principle?

Have you managed to sort this out? - Pavel Nikolov

@PavelNikolov No, we haven't. The approach I spelled out above is arguably wrong; we'd like MFA validation to be associated with establishing a user session and not with issuing a SAML assertion. Then, as long as my user session is valid, I could automatically generate a matching SAML assertion and translate that into a session token in AWS. I don't think we can accomplish this with the present OneLogin API design. - Jack Foy

I don't know if it helps your use case, but STS sessions can now be made valid for up to 36 hours. - Evan

@Evan It looks to me like that extension applies to sessions under GetSessionToken and GetFederationToken, but not AssumeRoleWithSAML. Thanks for the pointer, though. - Jack Foy

The good news is that we don't really have to implement this thanks to AWS (finally) allowing for CLI sessions longer than an hour: aws.amazon.com/es/blogs/security/… - John Offenhartz
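To make the three-minute catch concrete, here is an added example (not the asker's code and not OneLogin's tool) that reads the NotOnOrAfter deadlines out of a constructed SAML response and decides whether a caching wrapper can keep using cached STS credentials, can still exchange the cached assertion, or has to send the user back through MFA. The response shape, the timestamp format and the five-minute renewal margin are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SAML_TIME = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp format (no fractional seconds)

def parse_saml_time(s):
    return datetime.strptime(s, SAML_TIME).replace(tzinfo=timezone.utc)

# Constructed sample: a minimal, unsigned SAML response shaped like the one an
# IdP posts to AWS, with the three-minute window the question describes.
_issued = parse_saml_time("2024-01-01T12:00:00Z")
_deadline = (_issued + timedelta(minutes=3)).strftime(SAML_TIME)
_xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <saml:Assertion>
  <saml:Subject>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="{_deadline}"
     Recipient="https://signin.aws.amazon.com/saml"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="{_issued.strftime(SAML_TIME)}" NotOnOrAfter="{_deadline}">
   <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(_xml.encode()).decode()

def assertion_not_on_or_after(saml_response_b64):
    """Earliest NotOnOrAfter on <Conditions> and <SubjectConfirmationData>;
    past this instant AssumeRoleWithSAML rejects the assertion, cached or not."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    paths = (".//saml:Conditions", ".//saml:SubjectConfirmationData")
    deadlines = [parse_saml_time(el.get("NotOnOrAfter"))
                 for path in paths for el in root.iterfind(path, NS)
                 if el.get("NotOnOrAfter")]
    return min(deadlines)

def refresh_plan(saml_response_b64, creds_expiration, now):
    """What a caching wrapper can do at `now`: only the first branch avoids
    MFA for a useful length of time; the second closes minutes after login."""
    if now < creds_expiration - timedelta(minutes=5):  # renew 5 min early
        return "use-cached-credentials"
    if now < assertion_not_on_or_after(saml_response_b64):
        return "assume-role-with-cached-assertion"
    return "reauthenticate-with-mfa"
```

The useful thing to cache is therefore the STS credential set (up to its Expiration), not the assertion, which is dead long before the credentials are.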

2 Answers

1 vote

We're in the process of officially adding an option in our official CLI tool to re-use the user credentials similarly to what you're describing.

Essentially, our CLI tool has an option to reuse the user/pass in the background to continuously refresh the access info in a user profile, so while the user provides credentials once, the access info will get updated before it expires.

But unfortunately, at least at this time, there's no way to get around the MFA part if the application policy requires MFA. It'll need that MFA to refresh the credentials.

If you have to have MFA, you can always use the OneLogin MFA APIs to bake an MFA flow into the tool...

Check it out here: https://github.com/onelogin/onelogin-aws-cli-assume-role/pull/5

0 votes

The accepted answer here is no longer true. It is now possible to authenticate the user and verify MFA once at the start of a session and then have the session refreshed on an hourly basis without having to enter further MFA tokens.

To do this you must use the --loop parameter of the CLI tool and have a corresponding App Policy in OneLogin that enables the "Skip if OTP received within last X minutes" setting.

https://developers.onelogin.com/api-docs/1/samples/aws-cli