Custom SAML Session Tags for AWS

Session tags are used to enable attribute-based access control (ABAC). With this strategy, you write permissions whose conditions are evaluated against attributes (tags) carried by the principal, instead of creating a separate role for every combination of permissions. Transitive session tags are session tags that persist when the session is used to assume another role; Kion passes attributes from the SAML assertion into AWS as transitive session tags when you federate into an AWS account from Kion. Kion stores these tags on the user and refreshes them from the assertion every time the user logs in.

Using Custom SAML Session Tags

Kion automatically passes any attribute defined in your SAML provider as a transitive session tag, as long as the attribute name follows the AWS naming convention. To use this functionality, the SAML attribute must be named https://aws.amazon.com/SAML/Attributes/PrincipalTag:[key], where [key] becomes the session tag key.

To start using custom SAML session tags, configure your SAML provider to pass over an assertion that follows the above format.

For example, if you were to pass the attribute https://aws.amazon.com/SAML/Attributes/PrincipalTag:data-class, the key data-class and the value it is set to in your SAML provider (e.g. public) would be stored on the user. When the user federates into an AWS account using a cloud access role, Kion would automatically pass data-class:public to the session as a transitive session tag. Any IAM policy whose conditions reference aws:PrincipalTag/data-class would then evaluate against the value public for that session.

If you use an external ID in your trust policies, the sts:AssumeRole statement that carries the sts:ExternalId condition and the statement that allows sts:TagSession must be separate statements; the sts:ExternalId condition key is only present on the AssumeRole call, so a single statement that combines both would deny session tagging. For more information, see Adding an External ID to your Trust Policy.
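The following Python example is added here to show the flow described above end to end; it is not Kion's code and does not call Kion or AWS. It parses a constructed SAML AttributeStatement, picks out only the attributes named with the PrincipalTag: prefix, validates them against the AWS tag key and value limits, shapes them the way the STS AssumeRole API takes session tags (Tags plus TransitiveTagKeys), builds a trust policy that keeps the sts:ExternalId condition and the sts:TagSession grant in separate statements, and evaluates the usual aws:PrincipalTag/data-class matching condition. The assertion, the role ARN, and the external ID are placeholders invented for the example.

```python
import json
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PRINCIPAL_TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:"

# Constructed sample assertion (not captured from a real IdP). data-class is the
# attribute from the article; cost-center and mail are invented here to show which
# attributes are and are not picked up as session tags.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:data-class">
      <saml:AttributeValue>public</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:cost-center">
      <saml:AttributeValue>1234</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_session_tags(assertion_xml):
    """Return {key: value} for every PrincipalTag:<key> attribute in the assertion.

    Attributes without the AWS PrincipalTag prefix (e.g. mail) are ignored. Keys and
    values are checked against the AWS tag limits that would otherwise make the
    AssumeRole call fail: key 1-128 characters, value at most 256 characters, one
    value per key, and no reserved "aws:" prefix.
    """
    root = ET.fromstring(assertion_xml)
    tags = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if not name.startswith(PRINCIPAL_TAG_PREFIX):
            continue
        key = name[len(PRINCIPAL_TAG_PREFIX):]
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        if not 1 <= len(key) <= 128:
            raise ValueError(f"tag key {key!r} must be 1-128 characters")
        if key.lower().startswith("aws:"):
            raise ValueError(f"tag key {key!r} uses the reserved aws: prefix")
        if len(values) != 1:
            raise ValueError(f"tag key {key!r} must carry exactly one value")
        if len(values[0]) > 256:
            raise ValueError(f"tag value for {key!r} exceeds 256 characters")
        if key in tags:
            raise ValueError(f"duplicate tag key {key!r}")
        tags[key] = values[0]
    return tags


def assume_role_tag_params(tags):
    """Shape the tags the way the STS AssumeRole API takes them. Every key is listed
    in TransitiveTagKeys, matching the article's statement that Kion passes these
    tags as transitive session tags."""
    return {
        "Tags": [{"Key": k, "Value": v} for k, v in sorted(tags.items())],
        "TransitiveTagKeys": sorted(tags),
    }


def trust_policy(principal_arn, external_id):
    """Trust policy for a role assumed with an external ID. sts:ExternalId is only
    present on the AssumeRole call, so the sts:TagSession grant lives in its own
    statement without that condition; otherwise session tagging is denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AssumeWithExternalId",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            },
            {
                "Sid": "TagSession",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "sts:TagSession",
            },
        ],
    }


def abac_allows(session_tags, resource_tags, key):
    """Mimic the common ABAC condition
    "StringEquals": {"aws:ResourceTag/<key>": "${aws:PrincipalTag/<key>}"}.
    A session that does not carry the tag never matches, because the policy
    variable is unresolved."""
    if key not in session_tags:
        return False
    return resource_tags.get(key) == session_tags[key]


if __name__ == "__main__":
    tags = extract_session_tags(SAMPLE_ASSERTION)
    print(json.dumps(assume_role_tag_params(tags), indent=2))
    # Placeholder role ARN and external ID, not real identifiers.
    print(json.dumps(trust_policy("arn:aws:iam::111122223333:role/KionFederation",
                                  "example-external-id"), indent=2))
    print(abac_allows(tags, {"data-class": "public"}, "data-class"))
```

The validation in extract_session_tags is the check worth keeping: an IdP admin can add an attribute with a malformed or reserved key, and the failure then surfaces as a rejected AssumeRole at login rather than at configuration time.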

What Next?

For information on adding session tags to cloud access roles, see Add a User Cloud Access Role.