List of published manuals

List of manuals for contractors

Configuring the entitlements Attribute

This section describes examples of how to configure the entitlements attribute for IIJ ID User.

[ Reference ]

The following configuration files are provided as reference examples.

Configure actual settings in accordance with your environment.

Sample description 1. Set the attribute value of each user attribute for AD to entitlements
Option Description
What to realize Store the ID values of Amazon Web Services in the "carLicense" attribute of AD users
Pass them to Amazon Web Services as the values of "https://aws.amazon.com/SAML/Attributes/RoleSessionName", which is the SAML Attribute name
How to realize

Map AD carLicense attributes

The type name of the entitlements attribute for IIJ ID User should be "aws_id" for easier use in SAML linkage.
Corresponding method

1.Set the entitlements attribute to iid.scim.attribute.user.default as shown below.

iid:
 
  scim:
 
    attribute:
 
      user:
 
        default:
 
          entitlements:
 
            - primary:           false
 
              type:              aws_id

2.Set the entitlements attribute to iid.scim.attribute.user.ad_bind as shown below.

iid:
 
  scim:
 
    attribute:
 
      user:
 
        ad_bind:
 
          entitlements:
 
            - value:             carLicense
config.yml sample 
log:
 
  loglevel:                      info
 
ad:
 
  ldap:
 
    cache_disabled:              true
 
    server:
 
      addresses:
 
                                 - 192.168.0.100
 
                                 - 192.168.0.101
 
      user:                      'CN=iid_proxyadmin,CN=Users,DC=example,DC=local'
 
      encryption:                none
 
    base_dn:                     'DC=example,DC=local'
 
    filter:
 
      user:                      'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS user group,OU=IID_Groups,DC=example,DC=local'
 
      group:                     'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS user group,OU=IID_Groups,DC=example,DC=local'
 
iid:
 
  scim:
 
    http:
 
      proxy:
 
        use:                     false
 
        address:                 192.168.0.10
 
        port:                    8080
 
    attribute:
 
      user:
 
        default:
 
          emails:
 
            - primary:           true
 
          entitlements:
 
            - primary:           false
 
              type:              aws_id
 
        ad_bind:
 
          externalId:            userPrincipalName
 
          userName:              sAMAccountName
 
          name:
 
            familyName:          sn
 
            givenName:           givenName
 
          active:
 
                                 - userAccountControl
 
                                 - accountExpires
 
          emails:
 
            - value:             mail
 
          entitlements:
 
            - value:             carLicense
 
      group:
 
        ad_bind:
 
          externalId:            objectGUID
 
          displayName:           name
 
          email:                 mail
Sample description 2. Set a fixed value that does not exist in each AD user attribute to entitlements
Option Description
What to realize Pass "arn:aws:iam::0123456789012:saml-provider/IIJID,arn:aws:iam::0123456789012:role/IIJID_SAML_SSO_Role," a fixed value that does not exist as each AD user attribute, to Amazon Web Services as the value of "https://aws.amazon.com/SAML/Attributes/Role", which is the SAML Attribute name
Policy

Map the appropriate value as a fixed value without relating each AD user attribute.

The type name of the entitlements attribute for IIJ ID User should be set as "aws_role" for easier use in SAML linkage.
Corresponding method

1.Set the entitlements attribute to iid.scim.attribute.user.default as shown below.

iid:
 
  scim:
 
    attribute:
 
      user:
 
        default:
 
          entitlements:
 
            - primary:           false
 
              value:             arn:aws:iam::0123456789012:saml-provider/IIJID,arn:aws:iam::0123456789012:role/IIJID_SAML_SSO_Role
 
              type:              aws_role

2.Set the entitlements attribute to iid.scim.attribute.user.ad_bind as shown below.

iid:
 
  scim:
 
    attribute:
 
      user:
 
        ad_bind:
 
          entitlements:
 
            - value:
config.yml sample 
log:
 
  loglevel:                      info
 
ad:
 
  ldap:
 
    cache_disabled:              true
 
    server:
 
      addresses:
 
                                 - 192.168.0.100
 
                                 - 192.168.0.101
 
      user:                      'CN=iid_proxyadmin,CN=Users,DC=example,DC=local'
 
      encryption:                none
 
    base_dn:                     'DC=example,DC=local'
 
    filter:
 
      user:                      'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS user group,OU=IID_Groups,DC=example,DC=local'
 
      group:                     'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS user group,OU=IID_Groups,DC=example,DC=local'
 
iid:
 
  scim:
 
    http:
 
      proxy:
 
        use:                     false
 
        address:                 192.168.0.10
 
        port:                    8080
 
    attribute:
 
      user:
 
        default:
 
          emails:
 
            - primary:           true
 
          entitlements:
 
            - primary:           false
 
              value:             arn:aws:iam::0123456789012:saml-provider/IIJID,arn:aws:iam::0123456789012:role/IIJID_SAML_SSO_Role
 
              type:              aws_role
 
        ad_bind:
 
          externalId:            userPrincipalName
 
          userName:              sAMAccountName
 
          name:
 
            familyName:          sn
 
            givenName:           givenName
 
          active:
 
                                 - userAccountControl
 
                                 - accountExpires
 
          emails:
 
            - value:             mail
 
          entitlements:
 
            - value:
 
      group:
 
        ad_bind:
 
          externalId:            objectGUID
 
          displayName:           name
 
          email:                 mail
Sample description 3. Set the AD attribute value and the fixed value that does not exist in each AD user attribute to entitlements
Option Description
What to realize (1) Store the ID values of Amazon Web Services in the "carLicense" attribute of AD users
Pass them to Amazon Web Services as the values of "https://aws.amazon.com/SAML/Attributes/RoleSessionName", which is the SAML Attribute name

(2) Pass "arn:aws:iam::0123456789012:saml-provider/IIJID,arn:aws:iam::0123456789012:role/IIJID_SAML_SSO_Role," a fixed value that does not exist as each AD user attribute, to Amazon Web Services as the value of "https://aws.amazon.com/SAML/Attributes/Role", which is the SAML Attribute name
Policy

(1) Map AD carLicense attributes.

The type name of the entitlements attribute for IIJ ID User should be "aws_id" for easier use in SAML linkage

(2) Map the appropriate value as a fixed value without relating each AD user attribute.

The type name of the entitlements attribute for IIJ ID User should be set as "aws_role" for easier use in SAML linkage.
Corresponding method

1.Set the entitlements attribute to iid.scim.attribute.user.default as shown below.

iid:
 
  scim:
 
    attribute:
 
      user:
 
        default:
 
          entitlements:
 
            - primary:           false
 
              type:              aws_id
 
            - primary:           false
 
              value:             arn:aws:iam::0123456789012:saml-provider/IIJID,arn:aws:iam::0123456789012:role/IIJID_SAML_SSO_Role
 
              type:              aws_role

2.Set the entitlements attribute to iid.scim.attribute.user.ad_bind as shown below.

iid:
 
  scim:
 
    attribute:
 
      user:
 
        ad_bind:
 
          entitlements:
 
            - value:             carLicense
 
            - value:
config.yml sample 
log:
 
  loglevel:                      info
 
ad:
 
  ldap:
 
    cache_disabled:              true
 
    server:
 
      addresses:
 
                                 - 192.168.0.100
 
                                 - 192.168.0.101
 
      user:                      'CN=iid_proxyadmin,CN=Users,DC=example,DC=local'
 
      encryption:                none
 
    base_dn:                     'DC=example,DC=local'
 
    filter:
 
      user:                      'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS user group,OU=IID_Groups,DC=example,DC=local'
 
      group:                     'memberOf:1.2.840.113556.1.4.1941:=CN=IID_IDaaS user group,OU=IID_Groups,DC=example,DC=local'
 
iid:
 
  scim:
 
    http:
 
      proxy:
 
        use:                     false
 
        address:                 192.168.0.10
 
        port:                    8080
 
    attribute:
 
      user:
 
        default:
 
          emails:
 
            - primary:           true
 
          entitlements:
 
            - primary:           false
 
              type:              aws_id
 
            - primary:           false
 
              value:             arn:aws:iam::0123456789012:saml-provider/IIJID,arn:aws:iam::0123456789012:role/IIJID_SAML_SSO_Role
 
              type:              aws_role
 
        ad_bind:
 
          externalId:            userPrincipalName
 
          userName:              sAMAccountName
 
          name:
 
            familyName:          sn
 
            givenName:           givenName
 
          active:
 
                                 - userAccountControl
 
                                 - accountExpires
 
          emails:
 
            - value:             mail
 
          entitlements:
 
            - value:             carLicense
 
            - value:
 
      group:
 
        ad_bind:
 
          externalId:            objectGUID
 
          displayName:           name
 
          email:                 mail