From b4a064d85338129a8c0ebf7234e0f796f0157224 Mon Sep 17 00:00:00 2001
From: Chris Hubing
Date: Thu, 4 Oct 2018 10:53:51 -0400
Subject: [PATCH] Initial commit for shell script to add SAML integration to AWS account
---
 create_saml_aws.sh | 11 +++++++++++
 idp.xml | 0
 shibpolicy.json | 17 +++++++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 create_saml_aws.sh
 create mode 100644 idp.xml
 create mode 100644 shibpolicy.json
diff --git a/create_saml_aws.sh b/create_saml_aws.sh
new file mode 100644
index 0000000..4695223
--- /dev/null
+++ b/create_saml_aws.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+echo \# run the following commands replacing name with the IDP name (if needed)
+echo
+echo aws iam create-saml-provider --saml-metadata-document file://login.at.internet2.edu-metadata.xml --name login.at.internet2.edu
+echo
+echo \# edit shibpolicy.json and replace the ARN with the ARN of the new account
+echo
+echo aws iam create-role --role-name administrator --assume-role-policy-document file://shibpolicy.json
+echo aws iam attach-role-policy --role-name administrator --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
+echo aws iam create-role --role-name readonly --assume-role-policy-document file://shibpolicy.json
+echo aws iam attach-role-policy --role-name readonly --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
diff --git a/idp.xml b/idp.xml
new file mode 100644
index 0000000..e69de29
diff --git a/shibpolicy.json b/shibpolicy.json
new file mode 100644
index 0000000..ad889aa
--- /dev/null
+++ b/shibpolicy.json
@@ -0,0 +1,17 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "sts:AssumeRoleWithSAML",
+ "Principal": {
+ "Federated": "arn:aws:iam::123456789012:saml-provider/login.at.internet2.edu"
+ },
+ "Condition": {
+ "StringEquals": {
+ "SAML:aud": "https://signin.aws.amazon.com/saml"
+ }
+ }
+ }
+ ]
+}
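Review bot: The echoed `create-saml-provider` command on the fourth line of the hunk points at `file://login.at.internet2.edu-metadata.xml`, but the only metadata file this commit adds is the empty `idp.xml`, so someone following the printed instructions has no file to pass. Either name the committed file in that echo or state where the IdP metadata is obtained; a header comment such as `# Prints (does not run) the IAM commands for SAML federation; put the IdP metadata XML next to this script first` would also make clear that the script itself changes nothing. It is worth adding to that comment that `shibpolicy.json` is the trust policy for both the administrator and readonly roles, so which role a federated user may assume is decided entirely by the IdP's role attribute, not by anything in this repository.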
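Review bot: The `Federated` principal on the eighth line of the hunk hardcodes the placeholder account `123456789012`, and nothing in this file marks it as a placeholder; since JSON carries no comments, the only hint is the echo in the sibling script. Document in a README that the account id must be replaced before `create-role` is run, and that this single trust policy is attached to both the administrator and readonly roles, so the `SAML:aud` condition fixes the audience but nothing here distinguishes the two roles. Keeping a separate trust-policy document per role would let the administrator role be tightened later without touching readonly.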