public AssumeRoleWithSAMLRequest ChooseAwsRoleToAssume(string samlAssertion) { Dictionary <string, string> roleIdpPairs = AwsSamlRoleUtils.GetRoles(samlAssertion); List <string> roleArns = new List <string>(); string principalArn; string roleArn; if (roleIdpPairs.ContainsKey(environment.awsRoleToAssume)) { principalArn = roleIdpPairs[environment.awsRoleToAssume]; roleArn = environment.awsRoleToAssume; } else if (roleIdpPairs.Count > 1) { List <AccountOption> accountOptions = GetAvailableRoles(samlAssertion); Console.WriteLine("\nPlease choose the role you would like to assume: "); //Gather list of applicable AWS roles int i = 0; int j = -1; foreach (AccountOption accountOption in accountOptions) { Console.WriteLine(accountOption.accountName); foreach (RoleOption roleOption in accountOption.roleOptions) { roleArns.Add(roleOption.roleArn); Console.WriteLine("\t[ " + (i + 1) + " ]: " + roleOption.roleName); if (roleOption.roleArn.Equals(environment.awsRoleToAssume)) { j = i; } i++; } } if ((environment.awsRoleToAssume != null && !string.IsNullOrWhiteSpace(environment.awsRoleToAssume)) && j == -1) { Console.WriteLine("No match for role " + environment.awsRoleToAssume); } // Default to no selection int selection; // If config.properties has matching role, use it and don't prompt user to select if (j >= 0) { selection = j; Console.WriteLine("Selected option " + (j + 1) + " based on OKTA_AWS_ROLE_TO_ASSUME value"); } else { //Prompt user for role selection selection = MenuHelper.PromptForMenuSelection(roleArns.Count); } roleArn = roleArns[selection]; principalArn = roleIdpPairs[roleArn]; } else { var role = roleIdpPairs.First(); Console.WriteLine("Auto select role as only one is available : " + role.Key); roleArn = role.Key; principalArn = role.Value; } var request = new AssumeRoleWithSAMLRequest { PrincipalArn = principalArn, RoleArn = roleArn, SAMLAssertion = samlAssertion, DurationSeconds = environment.stsDuration }; return(request); }
private List <AccountOption> GetAvailableRoles(string samlResponse) { var document = AwsSamlRoleUtils.GetSigninPageDocument(samlResponse); return(AwsSamlSigninParser.ParseAccountOptions(document)); }