Cloud Enterprise Object Storage REST API

Assume Role With SAML

POST AssumeRoleWithSAML

Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.


Query Parameters

Parameter Description
DurationSeconds The duration, in seconds, of the role session.
InlineSessionPolicy An IAM policy in JSON format that you want to use as an inline session policy.
PolicyArns The ARNs of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
PrincipalArn The ARN of the SAML provider in IAM that describes the Identity Provider.
RoleArn The ARN of the role to assume.
SAMLAssertion The base64-encoded SAML authentication response provided by the IdP.

Required Roles

This call has no restrictions.


Request Payload

No Request Payload


Response Body

Field Description Type Notes
AssumeRoleWithSAMLResponse
  Result
    AssumedRoleUser
      Arn The ARN of the temporary security credentials that are returned from the AssumeRole action. String
      AssumedRoleId A unique identifier that contains the role ID and the role session name of the role that is being assumed. The role ID is generated by AWS when the role is created. String
    Audience The value of the Recipient attribute of the SubjectConfirmationData element of the SAML assertion. String
    Credentials
      AccessKeyId The access key ID that identifies the temporary security credentials. String
      Expiration The date on which the current credentials expire. String
      SecretAccessKey The secret access key that can be used to sign requests. String
      SessionToken The token that users must pass to the service API to use the temporary credentials. String
    Issuer The value of the Issuer element of the SAML assertion. String
    NameQualifier A hash value based on the concatenation of the Issuer response value, the AWS account ID, and the friendly name (the last part of the ARN) of the SAML provider in IAM. The combination of NameQualifier and Subject can be used to uniquely identify a federated user. The following pseudocode shows how the hash value is calculated: BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) ) String
    PackedPolicySize A percentage value that indicates the packed size of the session policies and session tags combined that were passed in the request. Integer
    Subject The value of the NameID element in the Subject element of the SAML assertion. String
    SubjectType The format of the name ID, as defined by the Format attribute in the NameID element of the SAML assertion. Typical examples of the format are transient or persistent. String
  ResponseMetadata
    RequestId String

Examples

Request
NOTE: The SAMLAssertion value must be URL-encoded when it is passed as a query parameter for the Action.
      Encode the SAML assertion using https://www.url-encode-decode.com/

POST https://192.168.0.0:4443/sts?Action=AssumeRoleWithSAML&RoleArn=urn:ecs:iam::s3:role/ADFS-Dev&PrincipalArn=urn:ecs:iam::s3:saml-provider/provider1&SAMLAssertion=VERY_LONG_SAML_ASSERTION_ENCODED
Accept: */*
X-SDS-AUTH-TOKEN: <AUTH_TOKEN>
x-emc-namespace: <namespace>
Response
HTTP/1.1 200 OK
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:AssumeRoleWithSAMLResponse xmlns:ns2="none">
  <ResponseMetadata>
    <RequestId>0af7b369:1716b1ce62e:5a4c5:16</RequestId>
  </ResponseMetadata>
  <AssumeRoleWithSAMLResult>
    <AssumedRoleUser>
      <Arn>urn:ecs:sts::s3:assumed-role/ADFS-Dev/Bob@emc.com</Arn>
      <AssumedRoleId>AROAF8121EC54C95F7E5:Bob@emc.com</AssumedRoleId>
    </AssumedRoleUser>
    <Audience/>
    <Credentials>
      <AccessKeyId>ASIA9C420E220EB12D95</AccessKeyId>
      <Expiration>2020-04-16T18:35:47Z</Expiration>
      <SecretAccessKey>X7CGJcVvFbOS3VvtamCTjQ4OqQeypXjwYGXDYYALFVA</SecretAccessKey>
      <SessionToken>CgJzMxoUQVJPQURBQjE...wMkVBRDRDODlGRo867i9AU</SessionToken>
    </Credentials>
    <Issuer>http://AD.adfs.emc.com/adfs/services/trust</Issuer>
    <NameQualifier/>
    <Subject>ADFS\Bob</Subject>
    <SubjectType>persistent</SubjectType>
  </AssumeRoleWithSAMLResult>
</ns2:AssumeRoleWithSAMLResponse>
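The following is an added example and not code from the ECS product or its documentation. It ties the three technical pieces of this page together: building the request URL shown above (base64 and URL encoding done locally with the standard library, so the assertion never has to be pasted into an external encoder), parsing the documented example response body into the Credentials fields, checking how long those credentials remain valid, and computing the NameQualifier hash exactly as the pseudocode in the field table describes. The endpoint, ARNs and the minimal SAML response are constructed placeholders; the response XML is the example body from this page.

```python
# Added example, not ECS product or documentation code. Endpoint, ARNs and the
# SAML response below are constructed placeholders; the response XML is the
# documented example body.
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, minimal SAML response standing in for what an IdP would return;
# a real one carries a signature and is far longer.
SAMPLE_SAML_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Subject><saml:NameID>ADFS\\Bob</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>'
)

# The response body from the documentation example, used to exercise the parser.
SAMPLE_RESPONSE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:AssumeRoleWithSAMLResponse xmlns:ns2="none">
  <ResponseMetadata>
    <RequestId>0af7b369:1716b1ce62e:5a4c5:16</RequestId>
  </ResponseMetadata>
  <AssumeRoleWithSAMLResult>
    <AssumedRoleUser>
      <Arn>urn:ecs:sts::s3:assumed-role/ADFS-Dev/Bob@emc.com</Arn>
      <AssumedRoleId>AROAF8121EC54C95F7E5:Bob@emc.com</AssumedRoleId>
    </AssumedRoleUser>
    <Audience/>
    <Credentials>
      <AccessKeyId>ASIA9C420E220EB12D95</AccessKeyId>
      <Expiration>2020-04-16T18:35:47Z</Expiration>
      <SecretAccessKey>X7CGJcVvFbOS3VvtamCTjQ4OqQeypXjwYGXDYYALFVA</SecretAccessKey>
      <SessionToken>CgJzMxoUQVJPQURBQjE...wMkVBRDRDODlGRo867i9AU</SessionToken>
    </Credentials>
    <Issuer>http://AD.adfs.emc.com/adfs/services/trust</Issuer>
    <NameQualifier/>
    <Subject>ADFS\\Bob</Subject>
    <SubjectType>persistent</SubjectType>
  </AssumeRoleWithSAMLResult>
</ns2:AssumeRoleWithSAMLResponse>"""


def encode_saml_assertion(saml_xml: str) -> str:
    """Base64-encode the raw SAML response; this is the SAMLAssertion value."""
    return base64.b64encode(saml_xml.encode("utf-8")).decode("ascii")


def build_assume_role_url(endpoint, role_arn, principal_arn, saml_b64, duration_seconds=None):
    """Assemble the STS URL. urlencode() percent-encodes the '+', '/' and '='
    characters of the base64 value, so the assertion survives as a query parameter."""
    params = {
        "Action": "AssumeRoleWithSAML",
        "RoleArn": role_arn,
        "PrincipalArn": principal_arn,
        "SAMLAssertion": saml_b64,
    }
    if duration_seconds is not None:
        params["DurationSeconds"] = str(duration_seconds)
    return f"{endpoint}/sts?" + urlencode(params)


def query_params(url: str) -> dict:
    """Decode the query string back into single-valued parameters (for checking)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_assume_role_response(xml_text: str) -> dict:
    """Pull the credentials and identity fields out of the XML response body."""
    root = ET.fromstring(xml_text.encode("utf-8"))  # only the root carries the ns2 prefix
    result = root.find("AssumeRoleWithSAMLResult")
    if result is None:
        raise ValueError("response has no AssumeRoleWithSAMLResult element")
    creds = result.find("Credentials")
    if creds is None:
        raise ValueError("response has no Credentials element")
    expiration = datetime.strptime(creds.findtext("Expiration"), "%Y-%m-%dT%H:%M:%SZ")
    return {
        "request_id": root.findtext("ResponseMetadata/RequestId"),
        "arn": result.findtext("AssumedRoleUser/Arn"),
        "assumed_role_id": result.findtext("AssumedRoleUser/AssumedRoleId"),
        "access_key_id": creds.findtext("AccessKeyId"),
        "secret_access_key": creds.findtext("SecretAccessKey"),
        "session_token": creds.findtext("SessionToken"),
        "expiration": expiration.replace(tzinfo=timezone.utc),
        "issuer": result.findtext("Issuer"),
        "subject": result.findtext("Subject"),
        "subject_type": result.findtext("SubjectType"),
    }


def seconds_until_expiry(parsed: dict, now_utc: str) -> float:
    """Remaining credential lifetime at now_utc (ISO-8601 'Z' timestamp);
    a negative result means they have expired and a new call is needed."""
    now = datetime.strptime(now_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (parsed["expiration"] - now).total_seconds()


def name_qualifier(issuer: str, account_id: str, provider_name: str) -> str:
    """BASE64(SHA1(issuer + account_id + "/" + provider_name)), as given for NameQualifier."""
    material = (issuer + account_id + "/" + provider_name).encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


if __name__ == "__main__":
    url = build_assume_role_url("https://192.168.0.0:4443", "urn:ecs:iam::s3:role/ADFS-Dev",
                                "urn:ecs:iam::s3:saml-provider/provider1",
                                encode_saml_assertion(SAMPLE_SAML_RESPONSE), 3600)
    print(url[:100] + "...")
    print(parse_assume_role_response(SAMPLE_RESPONSE_XML)["expiration"].isoformat())
```

Sending the request itself (with the Accept, X-SDS-AUTH-TOKEN and x-emc-namespace headers from the example) is a plain HTTPS POST to the URL this builds; the parser then gives the caller the AccessKeyId, SecretAccessKey and SessionToken to sign S3 requests with, and seconds_until_expiry tells it when to call AssumeRoleWithSAML again instead of using stale credentials.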