SAMLImmutableCredentials ICoreAmazonSTS.CredentialsFromSAMLAuthentication(
#endif
string endpoint,
string authenticationType,
string roleARN,
TimeSpan credentialDuration,
ICredentials userCredential)
{
SAMLAssertion assertion;
try
{
var authController = new SAMLAuthenticationController(Config.GetWebProxy());
assertion = authController.GetSAMLAssertion(endpoint, userCredential, authenticationType);
}
catch (Exception e)
{
throw new FederatedAuthenticationFailureException("Authentication failure, unable to obtain SAML assertion.", e);
}
try
{
return(assertion.GetRoleCredentials(this, roleARN, credentialDuration));
}
catch (Exception e)
{
throw new AmazonClientException("Credential generation failed following successful authentication.", e);
}
}
protected override void ProcessRecord()
{
try
{
string selectedRoleARN = null;
NetworkCredential networkCredential = null;
if (this.NetworkCredential != null)
{
networkCredential = this.NetworkCredential.GetNetworkCredential();
}
var havePrincipal = ParameterWasBound("PrincipalARN");
var haveRole = ParameterWasBound("RoleARN");
if (havePrincipal != haveRole)
{
ThrowExecutionError("RoleARN must be specified with PrincipalARN.", this);
}
if (havePrincipal && haveRole)
{
selectedRoleARN = string.Concat(PrincipalARN, ",", RoleARN);
}
WriteVerbose("Authenticating with endpoint to verify role data...");
var samlEndpoint = (new SAMLEndpointManager()).GetEndpoint(EndpointName);
var authenticationController = new SAMLAuthenticationController();
var samlAssertion = authenticationController.GetSAMLAssertion(samlEndpoint.EndpointUri.ToString(),
networkCredential, samlEndpoint.AuthenticationType.ToString());
RegionEndpoint stsRegionEndpoint = null;
if (!string.IsNullOrEmpty(STSEndpointRegion))
{
stsRegionEndpoint = RegionEndpoint.GetBySystemName(STSEndpointRegion);
}
if (StoreAllRoles)
{
string domainUser = null;
if (networkCredential != null)
{
// some credentials are entered in email format, so do not assume a domain
// was present
if (string.IsNullOrEmpty(networkCredential.Domain))
{
domainUser = networkCredential.UserName;
}
else
{
domainUser = string.Format(@"{0}\{1}", networkCredential.Domain, networkCredential.UserName);
}
}
var availableRoles = samlAssertion.RoleSet;
foreach (var roleName in availableRoles.Keys)
{
selectedRoleARN = availableRoles[roleName];
WriteVerbose(string.Format("Saving role '{0}' to profile '{1}'.", selectedRoleARN, roleName));
var options = new CredentialProfileOptions()
{
EndpointName = EndpointName,
RoleArn = selectedRoleARN,
UserIdentity = domainUser
};
SettingsStore.RegisterProfile(options, roleName, null, stsRegionEndpoint);
WriteObject(roleName);
}
}
else
{
var profileName = SelectAndStoreProfileForRole(samlAssertion.RoleSet, selectedRoleARN, networkCredential, stsRegionEndpoint);
WriteObject(profileName);
}
}
catch (Exception e)
{
this.ThrowTerminatingError(new ErrorRecord(new ArgumentException("Unable to set credentials: " + e.Message, e),
"ArgumentException",
ErrorCategory.InvalidArgument,
this));
}
}
