Amazon Web Services allows to delegate authentication through SAML2.
On the AWS side, create the identity provider and the role:

- Choose SAML as the provider type.
- Choose SAML / SAML 2.0 federation, then Allow programmatic and AWS Management Console access, which will fill in the rest of the form for you, then click Next, then Review.

The macros below derive the user's AWS roles from an attribute of the user's entry, for example the `ou` values of an LDAP entry such as:

```
dn: uid=user,ou=people,dc=your,dc=com
...
ou: sysadmin
ou: database
ou: root
```

AWS expects each role in the form `arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name`. The parts you need to change are account-number, role-name1 and provider-name; the last two are the provider name and role names you just set up in AWS.

Define macros that compute the role values from the user's attributes, for example:

- aws_eu_role → `$ou =~ sysadmin ? "arn:aws…" : "arn:…"`
- z_aws_roles → `join("; ", $role_name1, $role_name2, …)`

Then go to SAML service providers, then Add SAML SP. Go to Metadata, enter `https://signin.aws.amazon.com/static/saml-metadata.xml` in the URL field, then click Load.

Go to Exported attributes on the left, then click Add attribute twice to add two attributes. The first field is the name of a variable set in the user's session:

- _whatToTrace → https://aws.amazon.com/SAML/Attributes/RoleSessionName (leave the rest)
- z_aws_roles (the macro name you defined above) → https://aws.amazon.com/SAML/Attributes/Role (leave the rest)

Optionally, declare AWS as a New application, with `https://your.portal.com/saml/singleSignOn?IDPInitiated=1&sp=urn:amazon:webservices` as its URL, and set it to Enabled.
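To check what the two macros will produce before exporting them, here is an added example (not part of the original page or of the portal's own code) that emulates the `$ou` matching and the `join("; ", …)` step in Python; the account number, provider name, role names and the ou-to-role mapping are constructed placeholders.

```python
import re

# Constructed placeholders: replace with your own AWS account number, the IAM
# identity provider name and the role names you created in AWS.
ACCOUNT = "123456789012"
PROVIDER = "provider-name"
# ou value (a regex, like "$ou =~ sysadmin" in the macro) -> IAM role name.
# Values with no entry here (e.g. "root") get no AWS role.
OU_TO_ROLE = {
    r"^sysadmin$": "role-name1",
    r"^database$": "role-name2",
}

# Shape AWS expects in each Role attribute value: role ARN, comma, provider ARN.
ARN_PAIR_RE = re.compile(
    r"^arn:aws:iam::\d{12}:role/[\w+=.@-]+,arn:aws:iam::\d{12}:saml-provider/[\w._-]+$"
)


def role_arn_pair(role_name, account=ACCOUNT, provider=PROVIDER):
    """One value of the Role attribute: the role ARN and the provider ARN, comma separated."""
    return f"arn:aws:iam::{account}:role/{role_name},arn:aws:iam::{account}:saml-provider/{provider}"


def aws_roles(ou_values):
    """Equivalent of the z_aws_roles macro: one ARN pair per matching ou, joined with '; '."""
    pairs = []
    for ou in ou_values:
        for pattern, role in OU_TO_ROLE.items():
            if re.search(pattern, ou):
                pair = role_arn_pair(role)
                if pair not in pairs:  # an entry may repeat an ou; emit each role once
                    pairs.append(pair)
    return "; ".join(pairs)


def saml_attributes(uid, ou_values):
    """The two exported attributes: RoleSessionName (here the uid) and Role (the macro result)."""
    roles = aws_roles(ou_values)
    for pair in roles.split("; ") if roles else []:
        if not ARN_PAIR_RE.match(pair):
            raise ValueError(f"malformed role pair: {pair}")
    return {
        "https://aws.amazon.com/SAML/Attributes/RoleSessionName": uid,
        "https://aws.amazon.com/SAML/Attributes/Role": roles,
    }


if __name__ == "__main__":
    # Constructed input matching the LDAP entry above: ou sysadmin, database, root.
    print(saml_attributes("user", ["sysadmin", "database", "root"]))
```

A user whose ou values match none of the mapping ends up with an empty Role attribute, which AWS will not accept, so check the mapping covers every group that should have console access.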