Dell Technologies ECS REST API

Search (SHIFT+S)




Assume Role With SAML

POST /iam?Action=AssumeRoleWithSAML

Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.


Query Parameters

DurationSecondsThe duration, in seconds, of the role session.
InlineSessionPolicyAn IAM policy in JSON format that you want to use as an inline session policy.
PolicyArnsThe ARNs of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
PrincipalArnThe ARN of the SAML provider in IAM that describes the Identity Provider.
RoleArnThe ARN of the role to assume.
SAMLAssertionThe base-64 encoded SAML authentication response provided by the IdP.

Required Roles

This call has no restrictions.


Request Payload

No Request Payload


Response Body

Field Description Type Notes
AssumeRoleWithSAMLResponse
Result    
AssumedRoleUser    
Arn The ARN of the temporary security credentials that are returned from the AssumeRole action. String
AssumedRoleId A unique identifier that contains the role ID and the role session name of the role that is being assumed. The role ID is generated by AWS when the role is created. String
Audience The value of the Recipient attribute of the SubjectConfirmationData element of the SAML assertion. String
Credentials    
AccessKeyId The access key ID that identifies the temporary security credentials. String
Expiration The date on which the current credentials expire. String
SecretAccessKey The secret access key that can be used to sign requests. String
SessionToken The token that users must pass to the service API to use the temporary credentials. String
Issuer The value of the Issuer element of the SAML assertion. String
NameQualifier A hash value based on the concatenation of the Issuer response value, the AWS account ID, and the friendly name (the last part of the ARN) of the SAML provider in IAM. The combination of NameQualifier and Subject can be used to uniquely identify a federated user. The following pseudocode shows how the hash value is calculated: BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) ) String
PackedPolicySize A percentage value that indicates the packed size of the session policies and session tags combined passed in the request. Integer
Subject The value of the NameID element in the Subject element of the SAML assertion. String
SubjectType The format of the name ID, as defined by the Format attribute in the NameID element of the SAML assertion. Typical examples of the format are transient or persistent. String
ResponseMetadata    
RequestId String

Examples

Request
NOTE: SAML Assertion must be url-encoded as a query parameter for the Action.
      Encode SAML assertion using https://www.url-encode-decode.com/

POST https://192.168.0.0:4443/sts?Action=AssumeRoleWithSAML&RoleArn=urn:ecs:iam::s3:role/ADFS-Dev&PrincipalArn=urn:ecs:iam::s3:saml-provider/provider1&SAMLAssertion=VERY_LONG_SAML_ASSERTION_ENCODED
Accept: */*
X-SDS-AUTH-TOKEN: <AUTH_TOKEN>
x-emc-namespace: <namespace>
Response
HTTP/1.1 200 OK
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:AssumeRoleWithSAMLResponse xmlns:ns2="none">
  <ResponseMetadata>
    <RequestId>0af7b369:1716b1ce62e:5a4c5:16</RequestId>
  </ResponseMetadata>
  <AssumeRoleWithSAMLResult>
    <AssumedRoleUser>
      <Arn>urn:ecs:sts::s3:assumed-role/ADFS-Dev/Bob@emc.com</Arn>
      <AssumedRoleId>AROAF8121EC54C95F7E5:Bob@emc.com</AssumedRoleId>
    </AssumedRoleUser>
    <Audience/>
    <Credentials>
      <AccessKeyId>ASIA9C420E220EB12D95</AccessKeyId>
      <Expiration>2020-04-16T18:35:47Z</Expiration>
      <SecretAccessKey>X7CGJcVvFbOS3VvtamCTjQ4OqQeypXjwYGXDYYALFVA</SecretAccessKey>
      <SessionToken>CgJzMxoUQVJPQURBQjE...wMkVBRDRDODlGRo867i9AU</SessionToken>
    </Credentials>
    <Issuer>http://AD.adfs.emc.com/adfs/services/trust</Issuer>
    <NameQualifier/>
    <Subject>ADFS\Bob</Subject>
    <SubjectType>persistent</SubjectType>
  </AssumeRoleWithSAMLResult>
</ns2:AssumeRoleWithSAMLResponse>