Generate Iam Sts Access Key Keys Adfs

To access AWS resources in another account you can create a dedicated IAM user or use IAM roles. If you create a user, you have to generate a username and password for the AWS Management Console or access keys for the API, and baking those keys into your code is almost always a bad idea. By setting up roles for cross-account access you don't need to create long-term user credentials at all. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use, with the following difference: temporary security credentials are short-term, as the name implies.

I want to test SAML 2.0 federation and commands using the AWS Command Line Interface (AWS CLI) for testing purposes and to verify API calls. How can I do this?

Short Description


Before you begin, confirm that you configured the following:

  • An instance with the AWS CLI installed, or the AWS CLI installed on your local system.
  • A SAML federation server.
  • The role Amazon Resource Name (ARN), the identity provider (IdP) ARN, and a SAML response.

Resolution

Follow these instructions to make the API call, save the output to a text file, and then use it to call an API command with the AWS CLI.

Note: You must have the SAML response from your IdP. This example uses AD FS 2.0, which has no API call for retrieving the response, so it is taken from the browser instead.

Get the SAML response from the browser's developer tools.

1. Follow the instructions for How to View a SAML Response in Your Browser for Troubleshooting.

2. Scroll to the logs and open the SAML log file.

3. Copy the entire SAML response.

Run this command with the AWS CLI on your instance to save the credentials.

1. Paste the SAML response at the end of this command, and run it to call sts assume-role-with-saml for temporary credentials:

This saves the credentials in a profile inside the ~/.aws/credentials file. To make a backup, use this command:

Note: Make sure you have a matching profile in ~/.aws/config with the output and region set, so that you are not repeatedly prompted to enter it.


Use saved credentials to run an AWS CLI command for testing.

Now that the credentials are saved, reference them with the --profile parameter on your AWS CLI calls. For example:

Example outputs:

assume-role-with-saml output without piping to a file:

assume-role-with-saml output piped to the credentials file:
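The whole procedure above as an added PowerShell example, not code from the AWS article: it reads the role and provider ARNs out of the base64 SAML response copied from the browser (so they need not be typed by hand), shows the assume-role-with-saml call from step 1, and writes the returned Credentials block into a credentials file as the [saml] profile that later --profile saml calls use, replacing only that section and leaving other profiles intact. The SAML document and the STS JSON in it are constructed stand-ins, the function names are this example's own, and the demo writes to a file under $env:TEMP rather than ~/.aws/credentials so it runs without an IdP.

```powershell
# Added example, not from the AWS article.  Constructed SAML/STS data below.

function Get-SamlRoles {
    # Returns role/provider pairs from the Role attribute.  AWS allows either
    # order inside the comma-separated value, so sort by ARN type, not position.
    param([Parameter(Mandatory)][string]$SamlResponseBase64)
    [xml]$doc = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))
    $ns = New-Object Xml.XmlNamespaceManager $doc.NameTable
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $xpath = "//saml:Attribute[@Name='https://aws.amazon.com/SAML/Attributes/Role']/saml:AttributeValue"
    foreach ($node in $doc.SelectNodes($xpath, $ns)) {
        $parts    = @($node.InnerText.Split(',') | ForEach-Object { $_.Trim() })
        $role     = @($parts | Where-Object { $_ -like '*:role/*' })
        $provider = @($parts | Where-Object { $_ -like '*:saml-provider/*' })
        if ($parts.Count -ne 2 -or $role.Count -ne 1 -or $provider.Count -ne 1) {
            throw "malformed Role value: $($node.InnerText)"
        }
        [pscustomobject]@{ RoleArn = $role[0]; ProviderArn = $provider[0] }
    }
}

function Save-AwsProfile {
    # Writes the Credentials block of assume-role-with-saml output under
    # [$ProfileName], replacing that section only; other profiles are kept.
    param(
        [Parameter(Mandatory)][string]$StsJson,
        [string]$ProfileName = 'saml',
        [string]$CredentialsPath = (Join-Path $HOME '.aws\credentials')
    )
    $c = ($StsJson | ConvertFrom-Json).Credentials
    $section = @(
        "[$ProfileName]",
        "aws_access_key_id = $($c.AccessKeyId)",
        "aws_secret_access_key = $($c.SecretAccessKey)",
        "aws_session_token = $($c.SessionToken)"    # temporary keys are rejected without it
    )
    $others = @()
    if (Test-Path $CredentialsPath) {
        $keep = $true
        foreach ($line in Get-Content $CredentialsPath) {
            if ($line -match '^\s*\[(.+)\]\s*$') { $keep = ($Matches[1] -ne $ProfileName) }
            if ($keep) { $others += $line }
        }
    }
    New-Item -ItemType Directory -Force (Split-Path $CredentialsPath) | Out-Null
    Set-Content -Path $CredentialsPath -Value ($others + $section)
    $c.Expiration
}

# --- constructed inputs: a minimal SAML response and a stand-in for the STS JSON ---
$samlXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Admin,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-ReadOnly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>
'@
$samlB64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($samlXml))   # what the browser tools give you
$stsJson = @'
{ "Credentials": { "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
                   "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                   "SessionToken": "FQoGZXIvYXdzEXAMPLESESSIONTOKEN",
                   "Expiration": "2024-01-01T01:00:00+00:00" } }
'@

$pick = @(Get-SamlRoles -SamlResponseBase64 $samlB64)[0]
# Step 1 of the article.  Uncomment to run for real; otherwise the constructed $stsJson stands in.
# $stsJson = aws sts assume-role-with-saml --role-arn $pick.RoleArn --principal-arn $pick.ProviderArn --saml-assertion $samlB64 --output json | Out-String
$expires = Save-AwsProfile -StsJson $stsJson -ProfileName 'saml' -CredentialsPath (Join-Path $env:TEMP 'credentials')
"[saml] written for $($pick.RoleArn), expires $expires"
# Then: aws sts get-caller-identity --profile saml
```

Drop the -CredentialsPath argument to write the real ~/.aws/credentials file; the matching [profile saml] entry with region and output still goes in ~/.aws/config as the note above says.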

Related Information

How do I grant my Active Directory users access to the API or AWS Command Line Interface (AWS CLI) with Active Directory Federation Services (AD FS)?


Key Specification (“KeySpec”) is a property associated with a certificate and key. It specifies whether a private key associated with a certificate can be used for signing, encryption, or both.


An incorrect KeySpec value can cause AD FS and Web Application Proxy errors such as:

  • Failure to establish an SSL/TLS connection to AD FS or the Web Application Proxy, with no AD FS events logged (though SChannel 36888 and 36874 events may be logged)
  • Failure to log in at the AD FS or WAP forms-based authentication page, with no error message shown on the page.

You may see the following in the event log:

What causes the problem

The KeySpec property identifies how a key generated or retrieved by Microsoft CryptoAPI (CAPI), from a Microsoft legacy Cryptographic Storage Provider (CSP), can be used.

A KeySpec value of 1, or AT_KEYEXCHANGE, can be used for signing and encryption. A value of 2, or AT_SIGNATURE, is only used for signing.

The most common KeySpec mis-configuration is using a value of 2 for a certificate other than the token signing certificate.

For certificates whose keys were generated using Cryptography Next Generation (CNG) providers, there is no concept of key specification, and the KeySpec value will always be zero.

See how to check for a valid KeySpec value below.

Example


An example of a legacy CSP is the Microsoft Enhanced Cryptographic Provider.

The Microsoft RSA CSP key blob format includes an algorithm identifier, CALG_RSA_KEYX or CALG_RSA_SIGN, to service requests for AT_KEYEXCHANGE or AT_SIGNATURE keys respectively.

The RSA key algorithm identifiers map to KeySpec values as follows:

    Provider supported algorithm                                          Key Specification value for CAPI calls
    CALG_RSA_KEYX : RSA key that can be used for signing and decryption   AT_KEYEXCHANGE (KeySpec=1)
    CALG_RSA_SIGN : RSA signature-only key                                AT_SIGNATURE (KeySpec=2)

KeySpec values and associated meanings

The following are the meanings of the various KeySpec values:

    KeySpec value   Meaning                                                                      Recommended AD FS use
    0               The certificate is a CNG cert                                                SSL certificate only
    1               Legacy CAPI (non-CNG) cert; the key can be used for signing and decryption   SSL, token signing, token decrypting, service communication certificates
    2               Legacy CAPI (non-CNG) cert; the key can be used only for signing             not recommended

How to check the KeySpec value for your certificates / keys

To see a certificate's KeySpec value you can use the certutil command-line tool.

For example, certutil -v -store my dumps the information for every certificate in the machine's personal store to the screen (append a thumbprint after "my" to limit it to one certificate).

Under CERT_KEY_PROV_INFO_PROP_ID look for two things:

  1. ProviderType: this denotes whether the certificate uses a legacy Cryptographic Storage Provider (CSP) or a Key Storage Provider based on the newer Cryptography Next Generation (CNG) APIs. Any non-zero value indicates a legacy provider.

  2. KeySpec: The following are valid KeySpec values for an AD FS certificate:

    Legacy CSP provider (ProviderType not equal to 0):

        AD FS Certificate Purpose   Valid KeySpec Values
        Service Communication       1
        Token Decrypting            1
        Token Signing               1 and 2
        SSL                         1

    CNG provider (ProviderType = 0):

        AD FS Certificate Purpose   Valid KeySpec Values
        SSL                         0
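The check above as an added PowerShell example, not code from the article: it pulls ProviderType and KeySpec out of the CERT_KEY_PROV_INFO_PROP_ID block of certutil -v -store my output and compares them with the two tables, first on a constructed certutil fragment and then, when run on an AD FS server with an elevated prompt and Get-AdfsCertificate available (Windows Server 2012 R2 or later), on every certificate the farm is configured with. The function names, the sample fragment and the 'SSL' type label are assumptions of this example; Get-AdfsCertificate does not return the SSL certificate, so check that one by thumbprint.

```powershell
# Added example, not from the article.  Constructed certutil fragment below.

# Valid KeySpec values per certificate purpose for legacy CSP keys, from the table above.
$ValidKeySpecCsp = @{
    'Service-Communications' = @(1)
    'Token-Decrypting'       = @(1)
    'Token-Signing'          = @(1, 2)
    'SSL'                    = @(1)
}

function Get-KeyProvInfo {
    # certutil prints e.g. "ProviderType = 1" and "KeySpec = 1 -- AT_KEYEXCHANGE";
    # only the number is parsed, so the trailing label does not matter.
    param([Parameter(Mandatory)][string]$CertutilOutput)
    $providerType = if ($CertutilOutput -match 'ProviderType\s*=\s*(\d+)') { [int]$Matches[1] } else { $null }
    $keySpec      = if ($CertutilOutput -match 'KeySpec\s*=\s*(\d+)')      { [int]$Matches[1] } else { $null }
    [pscustomobject]@{ ProviderType = $providerType; KeySpec = $keySpec }
}

function Test-AdfsKeySpec {
    param(
        [Parameter(Mandatory)][ValidateSet('Service-Communications','Token-Decrypting','Token-Signing','SSL')]
        [string]$CertificateType,
        [Parameter(Mandatory)][string]$CertutilOutput
    )
    $info = Get-KeyProvInfo -CertutilOutput $CertutilOutput
    if ($null -eq $info.KeySpec -or $null -eq $info.ProviderType) {
        return [pscustomobject]@{ Type = $CertificateType; Ok = $false; Reason = 'no CERT_KEY_PROV_INFO_PROP_ID block: is the private key in this store?' }
    }
    if ($info.ProviderType -eq 0) {
        # CNG key storage provider: KeySpec is always 0, and only the SSL certificate may use CNG.
        $ok     = ($CertificateType -eq 'SSL')
        $reason = "CNG provider (ProviderType=0), KeySpec=$($info.KeySpec)"
    } else {
        $ok     = $ValidKeySpecCsp[$CertificateType] -contains $info.KeySpec
        $reason = "legacy CSP (ProviderType=$($info.ProviderType)), KeySpec=$($info.KeySpec)"
        if (-not $ok -and $info.KeySpec -eq 2) { $reason += ' (AT_SIGNATURE: signing only, cannot decrypt)' }
    }
    [pscustomobject]@{ Type = $CertificateType; Ok = $ok; Reason = $reason }
}

# Constructed sample: a token-decrypting certificate whose key is signature-only,
# the most common misconfiguration described above.  Expect Ok = False.
$sample = @'
  CERT_KEY_PROV_INFO_PROP_ID(2):
    Key Container = te-ADFS-Decrypt-0123abcd
    Provider = Microsoft Enhanced Cryptographic Provider v1.0
    ProviderType = 1
    Flags = 20
    KeySpec = 2 -- AT_SIGNATURE
'@
Test-AdfsKeySpec -CertificateType 'Token-Decrypting' -CertutilOutput $sample | Format-List

# Live check on an AD FS server: every certificate the farm is configured with.
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    Get-AdfsCertificate | ForEach-Object {
        $dump = (& certutil -v -store my $_.Thumbprint 2>&1 | Out-String)
        Test-AdfsKeySpec -CertificateType $_.CertificateType -CertutilOutput $dump
    } | Format-Table -AutoSize
}
```

For the SSL certificate, run the same Test-AdfsKeySpec with -CertificateType 'SSL' and the certutil dump for its thumbprint; a CNG key passes there and nowhere else.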

How to change the keyspec for your certificate to a supported value

Changing the KeySpec value does not require the certificate to be re-generated or re-issued by the Certificate Authority. The KeySpec can be changed by re-importing the complete certificate and private key from a PFX file into the certificate store using the steps below:

  1. First, check and record the private key permissions on the existing certificate so that they can be re-configured if necessary after the re-import.
  2. Export the certificate including private key to a PFX file.
  3. Perform the following steps for each AD FS and WAP server
    1. Delete the certificate (from the AD FS / WAP server)
    2. Open an elevated PowerShell command prompt and import the PFX file on each AD FS and WAP server using the certutil command below, specifying the AT_KEYEXCHANGE modifier (which works for all AD FS certificate purposes):
      1. C:\>certutil -importpfx certfile.pfx AT_KEYEXCHANGE
      2. Enter PFX password
    3. Once the above completes, do the following
      1. check the private key permissions
      2. restart the adfs or wap service
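The re-import procedure above as an added PowerShell example for one server, not code from the article: it records the private-key ACL, exports the PFX, deletes the certificate and its key, re-imports with certutil -importpfx and the AT_KEYEXCHANGE modifier, verifies the new KeySpec before going further, re-applies the recorded access rules and restarts the service. It assumes a legacy CSP key that is exportable, an elevated prompt, the service names adfssrv (AD FS) and appproxysvc (WAP), and a thumbprint you supply; the function names are this example's own.

```powershell
# Added example, not from the article.  Run once per AD FS / WAP server.

function Get-MachineKeyPath {
    # Legacy CSP machine keys are files under MachineKeys; the ACL on that file
    # is the "private key permission" the procedure says to record.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $csp  = try { $cert.PrivateKey } catch { $null }
    if (-not $csp -or -not $csp.CspKeyContainerInfo) {
        throw "$Thumbprint is not a legacy CSP key (CNG keys have no KeySpec to fix)"
    }
    Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $csp.CspKeyContainerInfo.UniqueKeyContainerName
}

function Get-KeySpec {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $dump = & certutil -v -store my $Thumbprint 2>&1 | Out-String
    if ($dump -match 'KeySpec\s*=\s*(\d+)') { [int]$Matches[1] } else { $null }
}

function Repair-CertKeySpec {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$PfxPath = (Join-Path $env:TEMP 'keyspec-fix.pfx'),
        [ValidateSet('adfssrv','appproxysvc')][string]$ServiceName = 'adfssrv'
    )
    $before = Get-KeySpec -Thumbprint $Thumbprint
    if ($before -eq 1) { Write-Host 'KeySpec is already 1 (AT_KEYEXCHANGE); nothing to do'; return }

    # Step 1: record the private key permissions.
    $savedAcl = Get-Acl -Path (Get-MachineKeyPath -Thumbprint $Thumbprint)

    # Step 2: export certificate plus private key to a PFX (the key must be exportable).
    $pw = Read-Host -Prompt 'PFX password' -AsSecureString
    Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$Thumbprint" -FilePath $PfxPath -Password $pw | Out-Null

    # Step 3.1: delete the certificate and its key container (the PFX is now the only copy).
    Remove-Item "Cert:\LocalMachine\My\$Thumbprint" -DeleteKey

    # Step 3.2: re-import, forcing AT_KEYEXCHANGE; certutil prompts for the password itself.
    & certutil -importpfx $PfxPath AT_KEYEXCHANGE
    if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed (exit $LASTEXITCODE); PFX kept at $PfxPath" }
    $after = Get-KeySpec -Thumbprint $Thumbprint
    if ($after -ne 1) { throw "KeySpec is $after after re-import, expected 1; PFX kept at $PfxPath" }

    # Step 3.3.1: re-apply the recorded access rules (e.g. the AD FS service account's read)
    # to the new key file without touching its owner.
    $keyPath = Get-MachineKeyPath -Thumbprint $Thumbprint
    $newAcl  = Get-Acl -Path $keyPath
    foreach ($rule in $savedAcl.Access) { $newAcl.AddAccessRule($rule) }
    Set-Acl -Path $keyPath -AclObject $newAcl

    # Step 3.3.2: restart the service so it picks up the re-imported key.
    Restart-Service -Name $ServiceName
    Remove-Item $PfxPath -Force    # the PFX holds the private key; do not leave it on disk
    Write-Host "KeySpec changed from $before to $after; $ServiceName restarted"
}

# Usage on each AD FS server (on a WAP server add -ServiceName appproxysvc); placeholder thumbprint.
# Repair-CertKeySpec -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

The PFX is deliberately left in place when the import or the KeySpec check fails, because after Remove-Item -DeleteKey it is the only copy of the key; delete it by hand once the certificate is back in the store.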