GitHub

Example Configuration File

The configuration file has two sections that are required for basic functionality: providers and permissions.

---
# Config Reference:
# https://docs.saml.to/configuration/reference
version: '20220101'
providers:
  aws:
    entityId: https://signin.aws.amazon.com/saml
    acsUrl: https://signin.aws.amazon.com/saml
    attributes:
      https://aws.amazon.com/SAML/Attributes/RoleSessionName: '<#= user.github.login #>'
      https://aws.amazon.com/SAML/Attributes/SessionDuration: '3600'
      https://aws.amazon.com/SAML/Attributes/Role: '<#= user.selectedRole #>,<#= provider.variables.providerArn #>'
permissions:
  aws:
    roles:
      - name: arn:aws:iam::123456789012:role/cnuss-admin
        provider:
          variables:
            providerArn: arn:aws:iam::123456789012:saml-provider/saml-to
        users:
          github:
            - github-user-id-1
            - github-user-id-2
            - octokat
        repos:
          github:
            - some-repo
            - other-org/some-other-repo

Providers

The providers section details Service Providers (e.g. what services a GitHub token can be used to log in with), for example AWS Federated Roles.

The key in the aforementioned configuration (e.g. aws) must match between the providers and permissions sections. This is how a permission relates back to a particular provider.

It contains information like the Assertion Consumer Service URL (acsUrl), the Entity ID and the SAML attributes to emit in the assertion.

You can also use some light Substitution Syntax (<#= ... #>) to inject variables when a SAML Assertion (i.e. a Role Assumption) is requested by a user.

See Service Providers for details on the Service Providers that can be configured in the configuration file.

For more information, see the Configuration Reference.

Permissions

The permissions section details the Access Control Lists for the various Service Providers and Roles.

The key of a permission (e.g. aws) must be identical to the key of a provider.

For each role, you can list github users: and repos: in their respective sections. Both are optional: define either one or both. Users listed under users: can log in and assume the role; repositories listed under repos: can assume it from GitHub Actions workflows.

See Service Providers for details on how to configure the various Service Providers, such as AWS.

For more information, see the Configuration Reference.

Granting Access to Repos in Another Organization

If repositories in more than one GitHub organization need to use the same provider from GitHub Actions, prefix the repository name with its organization name (org/repo). A name without a prefix refers to the organization that owns the configuration.

Assuming your GitHub organization is my-org and you have a repository my-repo that needs access to the admin role, and you have another organization my-other-org with another repository my-other-repo that needs access to the same role, the configuration would look like this:

permissions:
  aws:
    roles:
      - name: arn:aws:iam::123456789012:role/admin
        ...
        repos:
          github:
            - my-repo
            - my-other-org/my-other-repo

You do not need to be a member or Administrator of the other Organization to make this work. Because the grant is by name alone, double-check the organization and repository you list: workflows that run in that repository will be able to assume the role.
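To make the relationships in this file concrete, here is an added example (not SAML.to's own code) that loads the page's configuration as a Python dict, checks that each permissions key has a matching providers key and that the role and saml-provider ARNs share an AWS account (AWS rejects a Role attribute that mixes accounts), qualifies bare repo names with the owning organization, and renders the <#= ... #> attributes for a given user or repository. The dotted-path substitution, the home_org parameter and the use of the repository name as RoleSessionName for workflow runs are simplifying assumptions of the example, not documented SAML.to behaviour.

```python
"""Constructed example: a small checker for the providers/permissions model
described on this page. Not SAML.to's implementation; the config is the
page's YAML embedded as a dict so the script runs without PyYAML."""
import re

# The page's example configuration, as a dict instead of YAML (constructed).
CONFIG = {
    "version": "20220101",
    "providers": {
        "aws": {
            "entityId": "https://signin.aws.amazon.com/saml",
            "acsUrl": "https://signin.aws.amazon.com/saml",
            "attributes": {
                "https://aws.amazon.com/SAML/Attributes/RoleSessionName": "<#= user.github.login #>",
                "https://aws.amazon.com/SAML/Attributes/SessionDuration": "3600",
                "https://aws.amazon.com/SAML/Attributes/Role":
                    "<#= user.selectedRole #>,<#= provider.variables.providerArn #>",
            },
        }
    },
    "permissions": {
        "aws": {
            "roles": [
                {
                    "name": "arn:aws:iam::123456789012:role/cnuss-admin",
                    "provider": {"variables": {
                        "providerArn": "arn:aws:iam::123456789012:saml-provider/saml-to"}},
                    "users": {"github": ["github-user-id-1", "github-user-id-2", "octokat"]},
                    "repos": {"github": ["some-repo", "other-org/some-other-repo"]},
                }
            ]
        }
    },
}

SUBST = re.compile(r"<#=\s*([\w.]+)\s*#>")
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")


def render(template, ctx):
    """Replace each <#= a.b.c #> with a dotted lookup into ctx.
    Simplified stand-in for SAML.to's substitution syntax (assumption)."""
    def lookup(m):
        value = ctx
        for part in m.group(1).split("."):
            value = value[part]  # KeyError means an unknown variable
        return str(value)
    return SUBST.sub(lookup, template)


def validate(cfg):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    for key, perm in cfg.get("permissions", {}).items():
        if key not in cfg.get("providers", {}):
            problems.append(f"permissions.{key} has no matching providers.{key}")
            continue
        for role in perm.get("roles", []):
            role_m = ROLE_ARN.match(role.get("name", ""))
            prov = role.get("provider", {}).get("variables", {}).get("providerArn", "")
            prov_m = PROVIDER_ARN.match(prov)
            if not role_m:
                problems.append(f"{role.get('name')!r} is not an IAM role ARN")
            if not prov_m:
                problems.append(f"{prov!r} is not an IAM saml-provider ARN")
            # AWS only accepts a Role attribute whose role and provider share one account.
            if role_m and prov_m and role_m.group(1) != prov_m.group(1):
                problems.append(f"{role['name']} and {prov} are in different accounts")
    return problems


def qualify(repo, home_org):
    """Repo names without an org prefix belong to the org that owns the config."""
    return repo if "/" in repo else f"{home_org}/{repo}"


def assertion_attributes(cfg, provider_key, role_arn, home_org, login=None, repo=None):
    """Return the rendered SAML attributes if `login` or `repo` may assume
    role_arn, otherwise None. home_org is the GitHub org that owns the config
    (assumed parameter; SAML.to derives this itself)."""
    provider = cfg["providers"][provider_key]
    for role in cfg["permissions"][provider_key]["roles"]:
        if role["name"] != role_arn:
            continue
        allowed_users = role.get("users", {}).get("github", [])
        allowed_repos = {qualify(r, home_org) for r in role.get("repos", {}).get("github", [])}
        user_ok = login is not None and login in allowed_users
        repo_ok = repo is not None and qualify(repo, home_org) in allowed_repos
        if not (user_ok or repo_ok):
            return None
        # For workflow runs we use the qualified repo name as the session name (assumption).
        session_name = login if login is not None else qualify(repo, home_org)
        ctx = {
            "user": {"github": {"login": session_name}, "selectedRole": role_arn},
            "provider": role.get("provider", {}),
        }
        return {name: render(tmpl, ctx) for name, tmpl in provider["attributes"].items()}
    return None
```

Run validate(CONFIG) before publishing a config; an empty list means every permissions key resolves to a provider and every role/provider pair lives in the same account. Because RoleSessionName is rendered from the GitHub login, each assumed session shows up in CloudTrail under the user who requested it.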


Last updated 2 years ago
