Example usage for com.amazonaws.services.securitytoken AWSSecurityTokenServiceClient assumeRoleWithSAML

List of usage examples for com.amazonaws.services.securitytoken AWSSecurityTokenServiceClient assumeRoleWithSAML

Introduction

This page shows example usage of com.amazonaws.services.securitytoken AWSSecurityTokenServiceClient assumeRoleWithSAML.

Prototype

@Override
public AssumeRoleWithSAMLResult assumeRoleWithSAML(AssumeRoleWithSAMLRequest request) 


Document

Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.

Usage

From source file: com.okta.tools.awscli.java

License:Open Source License

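/**
 * Decodes a base64 SAML response, lets the user pick one of the AWS roles it
 * grants, and exchanges the assertion for temporary credentials via
 * {@code AssumeRoleWithSAML}.
 *
 * <p>The assertion is scanned with plain string searches rather than an XML
 * parser: every role attribute value is expected to read
 * {@code <saml-provider ARN>,<role ARN>} inside a {@code saml2:AttributeValue}
 * element. Values that do not match that shape are skipped instead of aborting.
 *
 * <p>Side effects: prints the role menu to stdout, reads the selection through
 * {@code numSelection}, assigns the static {@code crossAccountRoleName}, and
 * terminates the JVM with a non-zero status when the response grants no AWS role.
 *
 * @param resultSAML the base64-encoded SAML response as received from the IdP; the
 *     base64 characters {@code +} and {@code =} may arrive HTML-entity-encoded
 *     ({@code &#x2B;}, {@code &#x3D;})
 * @return the STS response carrying the temporary credentials for the chosen role
 */
private static AssumeRoleWithSAMLResult assumeAWSRole(String resultSAML) {
    // Undo HTML numeric-entity encoding of the base64 alphabet's '+' and '='. The
    // entity-free form is what gets base64-decoded and what STS receives as the assertion.
    String samlAssertion = resultSAML.replace("&#x2B;", "+").replace("&#x3D;", "=");
    // Decode with an explicit charset; the platform default is not guaranteed to be UTF-8.
    String samlDecoded = new String(Base64.decodeBase64(samlAssertion),
            java.nio.charset.StandardCharsets.UTF_8);

    // When the app is not assigned to the user, no role assertion is returned.
    if (!samlDecoded.contains("arn:aws")) {
        logger.error("\nYou do not have access to AWS through Okta. \nPlease contact your administrator.");
        // Non-zero status so wrapping scripts can detect the failure.
        System.exit(1);
    }

    ArrayList<String> principalArns = new ArrayList<String>();
    ArrayList<String> roleArns = new ArrayList<String>();

    System.out.println("\nPlease choose the role you would like to assume: ");

    // Gather the applicable AWS roles. Each attribute value typically looks like:
    //   <saml2:AttributeValue xmlns:xs="..." xmlns:xsi="..." xsi:type="xs:string">
    //   arn:aws:iam::[AWS-ACCOUNT-ID]:saml-provider/Okta,arn:aws:iam::[AWS-ACCOUNT-ID]:role/[ROLE_NAME]
    //   </saml2:AttributeValue>
    int cursor = samlDecoded.indexOf("arn:aws");
    while (cursor != -1) {
        int end = samlDecoded.indexOf("</saml2:", cursor);
        if (end == -1) {
            // Unterminated element: stop instead of throwing from substring().
            break;
        }
        String[] parts = samlDecoded.substring(cursor, end).split(",");
        if (parts.length >= 2) {
            // trim() drops the line breaks that surround the ARN pair in pretty-printed assertions.
            principalArns.add(parts[0].trim());
            roleArns.add(parts[1].trim());
            // Menu numbers are 1-based and track the list index numSelection will hand back.
            System.out.println("[ " + roleArns.size() + " ]: " + roleArns.get(roleArns.size() - 1));
        }
        // Resume after the closing tag of THIS value. Searching from `end` rather than from
        // the start of the string avoids re-reading the same value when an unrelated
        // AttributeValue precedes it, and stopping on -1 avoids looping forever when the
        // closing tag is missing (indexOf(-1) + 1 would otherwise restart at offset 0).
        int close = samlDecoded.indexOf("</saml2:AttributeValue", end);
        if (close == -1) {
            break;
        }
        cursor = samlDecoded.indexOf("arn:aws", close);
    }

    // Every candidate was malformed: bail out explicitly rather than failing inside
    // numSelection() or on the list lookups below.
    if (roleArns.isEmpty()) {
        logger.error("\nNo AWS role could be parsed from the SAML response. \nPlease contact your administrator.");
        System.exit(1);
    }

    // Prompt the user for the role selection. numSelection presumably returns a
    // 0-based index below roleArns.size() — verify against its definition.
    int selection = numSelection(roleArns.size());

    String principalArn = principalArns.get(selection);
    String roleArn = roleArns.get(selection);
    // Everything after the first '/' of the role ARN, i.e. the (possibly path-qualified) role name.
    crossAccountRoleName = roleArn.substring(roleArn.indexOf("/") + 1);

    // Empty credentials keep the STS client from picking up, via the default provider
    // chain, the profile that was just written. AssumeRoleWithSAML is authenticated by
    // the SAML assertion itself, not by signing credentials.
    BasicAWSCredentials awsCreds = new BasicAWSCredentials("", "");
    AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient(awsCreds);

    // 3600 s is a one-hour session for the temporary credentials.
    AssumeRoleWithSAMLRequest assumeRequest = new AssumeRoleWithSAMLRequest().withPrincipalArn(principalArn)
            .withRoleArn(roleArn).withSAMLAssertion(samlAssertion).withDurationSeconds(3600);

    return stsClient.assumeRoleWithSAML(assumeRequest);
}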