Configuring the entitlements Attribute

This section describes examples of how to configure the entitlements attribute for IIJ ID User.

[ Reference ]

The following configuration files are provided as reference examples.

Configure actual settings in accordance with your environment.

Sample description 1. Set the value of an AD user attribute to entitlements

Option                  Description
What to realize         Store the ID values of Amazon Web Services in the "carLicense" attribute of AD users.
                        Pass them to Amazon Web Services as the values of "https://aws.amazon.com/SAML/Attributes/RoleSessionName", which is the SAML Attribute name.
How to realize          Map the AD carLicense attribute.
                        The type name of the entitlements attribute for IIJ ID User should be "aws_id" for easier use in SAML linkage.
Corresponding method    See steps 1 and 2 below.
1. Set the entitlements attribute to iid.scim.attribute.user.default as shown below.

iid:
  scim:
    attribute:
      user:
        default:
          entitlements:
            - primary:           false
              type:              aws_id

2. Set the entitlements attribute to iid.scim.attribute.user.ad_bind as shown below.

iid:
  scim:
    attribute:
      user:
        ad_bind:
          entitlements:
            - value:             carLicense

config.yml sample
log:
  loglevel:                      info

ad:
  ldap:
    cache_disabled:              true
    server:
      addresses:
                                 - 192.168.0.100
                                 - 192.168.0.101
      user:                      'CN=iid_proxyadmin,CN=Users,DC=example,DC=local'
      encryption:                none
    base_dn:                     'DC=example,DC=local'
    filter:
      user:                      'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS user group,OU=IID_Groups,DC=example,DC=local'
      group:                     'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS user group,OU=IID_Groups,DC=example,DC=local'

iid:
  scim:
    http:
      proxy:
        use:                     false
        address:                 192.168.0.10
        port:                    8080
    attribute:
      user:
        default:
          emails:
            - primary:           true
          entitlements:
            - primary:           false
              type:              aws_id
        ad_bind:
          externalId:            userPrincipalName
          userName:              sAMAccountName
          name:
            familyName:          sn
            givenName:           givenName
          active:
                                 - userAccountControl
                                 - accountExpires
          emails:
            - value:             mail
          entitlements:
            - value:             carLicense
      group:
        ad_bind:
          externalId:            objectGUID
          displayName:           name
          email:                 mail
Sample description 2. Set a fixed value that does not exist in any AD user attribute to entitlements

Option                  Description
What to realize         Pass "arn:aws:iam::0123456789012:saml-provider/IIJID,arn:aws:iam::0123456789012:role/IIJID_SAML_SSO_Role", a fixed value that does not exist as any AD user attribute, to Amazon Web Services as the value of "https://aws.amazon.com/SAML/Attributes/Role", which is the SAML Attribute name.
Policy                  Map the appropriate value as a fixed value without relating it to any AD user attribute.
                        The type name of the entitlements attribute for IIJ ID User should be set as "aws_role" for easier use in SAML linkage.
Corresponding method    See steps 1 and 2 below.
1. Set the entitlements attribute to iid.scim.attribute.user.default as shown below.

iid:
  scim:
    attribute:
      user:
        default:
          entitlements:
            - primary:           false
              value:             arn:aws:iam::0123456789012:saml-provider/IIJID,arn:aws:iam::0123456789012:role/IIJID_SAML_SSO_Role
              type:              aws_role

2. Set the entitlements attribute to iid.scim.attribute.user.ad_bind as shown below.

iid:
  scim:
    attribute:
      user:
        ad_bind:
          entitlements:
            - value:

config.yml sample
log:
  loglevel:                      info

ad:
  ldap:
    cache_disabled:              true
    server:
      addresses:
                                 - 192.168.0.100
                                 - 192.168.0.101
      user:                      'CN=iid_proxyadmin,CN=Users,DC=example,DC=local'
      encryption:                none
    base_dn:                     'DC=example,DC=local'
    filter:
      user:                      'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS user group,OU=IID_Groups,DC=example,DC=local'
      group:                     'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS user group,OU=IID_Groups,DC=example,DC=local'

iid:
  scim:
    http:
      proxy:
        use:                     false
        address:                 192.168.0.10
        port:                    8080
    attribute:
      user:
        default:
          emails:
            - primary:           true
          entitlements:
            - primary:           false
              value:             arn:aws:iam::0123456789012:saml-provider/IIJID,arn:aws:iam::0123456789012:role/IIJID_SAML_SSO_Role
              type:              aws_role
        ad_bind:
          externalId:            userPrincipalName
          userName:              sAMAccountName
          name:
            familyName:          sn
            givenName:           givenName
          active:
                                 - userAccountControl
                                 - accountExpires
          emails:
            - value:             mail
          entitlements:
            - value:
      group:
        ad_bind:
          externalId:            objectGUID
          displayName:           name
          email:                 mail
Sample description 3. Set both an AD attribute value and a fixed value that does not exist in any AD user attribute to entitlements

Option                  Description
What to realize         (1) Store the ID values of Amazon Web Services in the "carLicense" attribute of AD users.
                        Pass them to Amazon Web Services as the values of "https://aws.amazon.com/SAML/Attributes/RoleSessionName", which is the SAML Attribute name.
                        (2) Pass "arn:aws:iam::0123456789012:saml-provider/IIJID,arn:aws:iam::0123456789012:role/IIJID_SAML_SSO_Role", a fixed value that does not exist as any AD user attribute, to Amazon Web Services as the value of "https://aws.amazon.com/SAML/Attributes/Role", which is the SAML Attribute name.
Policy                  (1) Map the AD carLicense attribute.
                        The type name of the entitlements attribute for IIJ ID User should be "aws_id" for easier use in SAML linkage.
                        (2) Map the appropriate value as a fixed value without relating it to any AD user attribute.
                        The type name of the entitlements attribute for IIJ ID User should be set as "aws_role" for easier use in SAML linkage.
Corresponding method    See steps 1 and 2 below.
1. Set the entitlements attribute to iid.scim.attribute.user.default as shown below.

iid:
  scim:
    attribute:
      user:
        default:
          entitlements:
            - primary:           false
              type:              aws_id
            - primary:           false
              value:             arn:aws:iam::0123456789012:saml-provider/IIJID,arn:aws:iam::0123456789012:role/IIJID_SAML_SSO_Role
              type:              aws_role

2. Set the entitlements attribute to iid.scim.attribute.user.ad_bind as shown below.

iid:
  scim:
    attribute:
      user:
        ad_bind:
          entitlements:
            - value:             carLicense
            - value:

config.yml sample
log:
  loglevel:                      info

ad:
  ldap:
    cache_disabled:              true
    server:
      addresses:
                                 - 192.168.0.100
                                 - 192.168.0.101
      user:                      'CN=iid_proxyadmin,CN=Users,DC=example,DC=local'
      encryption:                none
    base_dn:                     'DC=example,DC=local'
    filter:
      user:                      'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS user group,OU=IID_Groups,DC=example,DC=local'
      group:                     'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS user group,OU=IID_Groups,DC=example,DC=local'

iid:
  scim:
    http:
      proxy:
        use:                     false
        address:                 192.168.0.10
        port:                    8080
    attribute:
      user:
        default:
          emails:
            - primary:           true
          entitlements:
            - primary:           false
              type:              aws_id
            - primary:           false
              value:             arn:aws:iam::0123456789012:saml-provider/IIJID,arn:aws:iam::0123456789012:role/IIJID_SAML_SSO_Role
              type:              aws_role
        ad_bind:
          externalId:            userPrincipalName
          userName:              sAMAccountName
          name:
            familyName:          sn
            givenName:           givenName
          active:
                                 - userAccountControl
                                 - accountExpires
          emails:
            - value:             mail
          entitlements:
            - value:             carLicense
            - value:
      group:
        ad_bind:
          externalId:            objectGUID
          displayName:           name
          email:                 mail
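As an added illustration (not the IIJ ID proxy's own code), the following Python models how the default and ad_bind entitlements entries of sample 3 combine into the SCIM entitlements list for one AD user, and flags a user whose carLicense is empty so that no RoleSessionName value would reach Amazon Web Services. The merge rule (entries paired by position; an ad_bind value names the AD attribute to read, an empty one leaves the fixed default value) is an assumption for illustration, as are the AD user records.

```python
import re

# Parsed form of iid.scim.attribute.user from the sample 3 config.yml above
# (PyYAML avoided so this runs with the standard library only).
SCIM_USER_ATTRIBUTE = {
    "default": {
        "entitlements": [
            {"primary": False, "type": "aws_id"},
            {"primary": False, "type": "aws_role",
             "value": "arn:aws:iam::0123456789012:saml-provider/IIJID,"
                      "arn:aws:iam::0123456789012:role/IIJID_SAML_SSO_Role"},
        ]
    },
    # first entry bound to the AD carLicense attribute, second left unbound
    "ad_bind": {"entitlements": [{"value": "carLicense"}, {"value": None}]},
}

# AWS reads the Role attribute as "<saml-provider ARN>,<role ARN>".
AWS_ROLE_PAIR = re.compile(
    r"^arn:aws:iam::\d+:saml-provider/[^,]+,arn:aws:iam::\d+:role/[^,]+$")


def build_entitlements(attr_cfg, ad_user):
    """Return (entitlements, problems) for one AD user record.

    ASSUMED merge rule: default[i] supplies primary/type/fixed value; if
    ad_bind[i].value names an AD attribute, that attribute's value is used
    instead. Entries that end up without a value are dropped and reported.
    """
    defaults = attr_cfg.get("default", {}).get("entitlements", [])
    binds = attr_cfg.get("ad_bind", {}).get("entitlements", [])
    entitlements, problems = [], []
    for i, entry in enumerate(defaults):
        ent = dict(entry)
        ad_attr = binds[i].get("value") if i < len(binds) else None
        if ad_attr:  # bound to an AD attribute: read it from the user record
            ent["value"] = ad_user.get(ad_attr)
        if not ent.get("value"):
            problems.append(f"{ent.get('type')}: no value (AD attribute {ad_attr!r} is empty)")
            continue
        if ent.get("type") == "aws_role" and not AWS_ROLE_PAIR.match(ent["value"]):
            problems.append("aws_role: value is not '<provider ARN>,<role ARN>'")
        entitlements.append(ent)
    return entitlements, problems


# Constructed AD user records for the demonstration (not from the page).
AD_USER_OK = {"sAMAccountName": "alice", "carLicense": "alice@example.local"}
AD_USER_NO_ID = {"sAMAccountName": "bob"}  # carLicense never populated in AD
```

Running build_entitlements over the provisioned user set before enabling the AWS SAML linkage surfaces every user for whom the aws_id entitlement would be missing.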