Assume AWS SAML Role for the API or AWS CLI

How to assume AWS SAML Role for the API or AWS CLI using ADFS and MFA authentication.

The SecureMFA PowerShell module command “Get-sMFA-AWS-Assume_SAML_Role” assumes AWS role(s) from a SAML assertion.

Prerequisites

  • Access to the AWS Management Console is configured for your Active Directory users using SAML federation, as detailed in the following article:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html

  • The ADFS service enforces MFA during user authentication. A free version of MFA for ADFS can be configured using the “SecureMFA OTP Provider”:

https://www.securemfa.com/downloads/mfa-otp

  • Users must be able to sign in to the AWS console with their SAML roles from a browser, using the AWS relying party:

https://FQDN/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices

Deployment Steps

1) Deploy the latest “SecureMFA” PowerShell module from the Microsoft PSGallery using the PowerShell command below:

Install-Module -Name SecureMFA -Scope AllUsers -Repository PSGallery

2) Update FQDN for "aws_sts_saml_endpoint" in SecureMFA_SupportTools.json to reflect your ADFS service hostname.

3) Run the PowerShell command below. It assumes the user's available roles through the AWS STS SAML endpoint and configures an 'sMFA-SAML' profile in the /.aws/credentials file with aws_access_key_id and aws_secret_access_key:

Get-sMFA-AWS-Assume_SAML_Role -AWS_ProfileName sMFA-SAML

Deployment Video

The video shows how to assume an AWS SAML role for the API or AWS CLI using ADFS and MFA authentication. It uses the SecureMFA PowerShell module downloaded from the Microsoft PowerShell Gallery. ADFS MFA authentication for users is enforced with the free provider version (limited to 24 users), which can be downloaded from www.securemfa.com. The module assumes AWS role(s) from the SAML assertion and configures an AWS profile in the /.aws/credentials file with aws_access_key_id and aws_secret_access_key for use by CLI or API calls.