We have a set of services hosted in Docker on AWS Fargate. One of our requirements is to support SAML2 SSO for users. Thus, the identity provider generated SAML metadata for the dev environment. SAML libraries are able to read all settings from this file, so there is no need to configure SAML authentication manually. Since we are building services as Docker images and would like to re-use the same image across several environments, the SAML metadata cannot be included in the image. How can this file be stored securely in AWS, in a way that makes it easy to change per requirement or per identity provider request?
I see several options here, but none is optimal:
- Store the SAML metadata in an S3 bucket and encrypt it with KMS. Since SAML libraries only integrate with the local file system, we would need to add some "proxy-file" reader before feeding the metadata to the library.
- Split the SAML metadata file into several variables (like EntityId, login URL, logout URL, etc.) and store them as encrypted variables in AWS SSM Parameter Store. This solution complicates configuration for both DevOps (for a new environment) and developers (initial library configuration). Also, it will be impossible to change the configuration schema at run time.
I'm looking for a solution where the SAML metadata can be securely stored in AWS and easily changed for new environments (stage, prod, etc.) with no need to rebuild the initial code.
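As an added example (not code from the original post), here is a variant of the Parameter Store option that keeps the metadata file whole as a single SecureString and materialises it on the container's local file system at startup, so the SAML library keeps reading a plain file and nothing environment-specific is baked into the image. The parameter naming `/saml/<env>/<idp>/metadata`, the environment variables, and the task role having `ssm:GetParameter` plus `kms:Decrypt` on that parameter are all assumptions; the metadata must also fit the 8 KB advanced-parameter limit, otherwise the S3 + KMS route is needed.

```python
"""Load IdP SAML metadata from SSM Parameter Store at container start.
Added example (not the original post's code). Assumes a SecureString named
/saml/<env>/<idp>/metadata (hypothetical), a task role allowed ssm:GetParameter
and kms:Decrypt on it, and metadata <= 8 KB (advanced parameter limit)."""
import os
import tempfile
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Constructed sample used when no AWS environment is configured.
SAMPLE_METADATA = (f'<md:EntityDescriptor xmlns:md="{MD_NS}" '
                   'entityID="https://idp.example/saml"><md:IDPSSODescriptor/>'
                   "</md:EntityDescriptor>")

def parameter_name(env: str, idp: str) -> str:
    """Per-environment path, so one image serves dev, stage and prod."""
    if not all(p.replace("-", "").isalnum() for p in (env, idp)):
        raise ValueError(f"invalid path component in {(env, idp)!r}")
    return f"/saml/{env}/{idp}/metadata"

def fetch_metadata(ssm, name: str) -> str:
    """Read and decrypt the SecureString (real boto3 SSM call signature)."""
    return ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]

def validate_metadata(xml_text: str) -> str:
    """Accept only SAML 2.0 IdP metadata; return its entityID."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    if root.find(f"{{{MD_NS}}}IDPSSODescriptor") is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    return root.attrib["entityID"]

def write_metadata_file(path: str, xml_text: str) -> None:
    """Write the file the SAML library reads atomically, owner-only mode."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(xml_text)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)

if __name__ == "__main__":
    name = parameter_name(os.environ.get("APP_ENV", "dev"), os.environ.get("SAML_IDP", "idp"))
    if "AWS_REGION" in os.environ:
        import boto3  # only needed inside the real Fargate task
        text = fetch_metadata(boto3.client("ssm"), name)
    else:
        text = SAMPLE_METADATA  # offline run on the constructed sample
    print("entityID:", validate_metadata(text))
    write_metadata_file(os.environ.get("SAML_METADATA_PATH", "idp-metadata.xml"), text)
```

Rotating the IdP metadata then means updating the parameter and restarting the task; no image rebuild is involved, and the parameter name alone selects the environment.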