
I've been digging into setting up custom auth for AWS SFTP and it's one hell of a black hole. There are lots of references to being able to use a custom IdP, but no concrete examples.

We're using Active Directory and currently have AWS SSO set up, so federating with SAML seems possible, in theory. For my test instance, I have a Microsoft AD set up in Directory Service with SSO enabled.

Amazon's example provides a CloudFormation template that is largely based on a Lambda function. The Lambda function is very simple and validates a password hardcoded into the Lambda against Amazon Secrets. Obviously, that isn't practical.

Has anyone done this? How were you able to get it working?

I guess an alternate question would be: has anyone used a Lambda to authenticate against AD?

Here are some resources I've looked at. Only the one on Cognito User Pools provides a detailed walkthrough of any sort of alternate setup. We may be able to use Cognito Identity Pools, but user pools are not something that will work in our use case.

AWS Docs on Custom Auth for SFTP

Integrate SFTP with Cognito User Pools

detailed walkthrough of basic sftp set up

more information on custom idp


1 Answer


You can use a similar approach as the blog post with the custom identity provider, but replace the AWS Cognito API calls with an Active Directory bind.

Here is a related code fragment:

// LDAP client for the directory (ldapjs). The LDAP_URL environment variable
// name is assumed here; the linked project defines its own configuration.
const ldap = require("ldapjs");
const client = ldap.createClient({ url: process.env.LDAP_URL });

// getSftpPolicy(username) builds the Transfer response (role, home directory,
// scoped-down policy) and is defined elsewhere in the linked project.

exports.authorize = async function(event) {
  return new Promise((resolve, reject) => {
    // API Gateway integration: user name from the path, password from the header.
    const username = event.pathParameters.user;
    const password = event.headers.Password;

    console.log(`Performing authentication for user ${username}`);

    // Guard added: an LDAP simple bind with an empty password is an
    // unauthenticated bind and succeeds on most directories, so never pass
    // an empty password through to bind().
    if (!username || !password) {
      reject(new Error("Missing username or password"));
      return;
    }

    // Simple bind as user@directory; an error means the credentials were rejected.
    client.bind(`${username}@${process.env.LDAP_DIRECTORY_NAME}`, password, err => {
      if (err) {
        reject(err);
      } else {
        const response = {
          headers: {
            "Access-Control-Allow-Origin": "*",
            "Content-Type": "application/json"
          },
          body: getSftpPolicy(username),
          statusCode: 200
        };
        resolve(response);
      }
    });
  });
};

You can find more information in this blog post. Please also feel free to use this GitHub repository with the project template.

  • That looks perfect! Thank you so much. Your guys' blogs have been a huge help in sorting this stuff out. Going to test out this solution this afternoon. Commented Oct 1, 2019 at 19:50
  • So I got your version with Simple AD up and running in a test instance, but I'm having issues getting it to talk properly with our setup. We have an AD Connector set up in Directory Service. Currently trying to figure out how to configure a test event for the Lambda function, but I'm not entirely sure of the syntax to use. Would you have any ideas on how to approach this? Commented Oct 4, 2019 at 23:41
  • Do you mean the SFTP event for the AWS Lambda? Try logging the event/request in the AWS Lambda and check the result in CloudWatch. As for the issue with the AD Connector, it's very setup-specific, so it will require analyzing your setup... Commented Oct 6, 2019 at 16:57
  • 1
    Thanks for the extra help! I actually figured out the issue. AWS SFTP username constraints apply whether you are using the managed idp or a custom idp... which don't allow periods. Our default AD names are "first.last". Once I changed the test user to "first-last" it worked fine. Determining if that will be a blocker or not is a different matter altogether. I'll mark this as solved! Commented Oct 9, 2019 at 16:39
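The following is an added example, not the answerer's code or the linked blog's or repository's code. It keeps the same API Gateway event shape as the answer's fragment (`pathParameters.user`, `headers.Password`) and shows the pieces a reviewer would want around the bind: validation of the user name before it reaches the directory (the closing comment reports that Transfer rejected a period, so the pattern below is constructed from that report and should be checked against the current AWS documentation), refusal of empty passwords (an LDAP simple bind with an empty password is an unauthenticated bind and succeeds on most directories), a deny response on any failure, and a session policy scoped to the user's own prefix. The environment variable names `LDAP_URL`, `LDAP_DIRECTORY_NAME`, `SFTP_ROLE_ARN` and `SFTP_BUCKET`, the `bindFn` injection point and the `{}` deny body are assumptions for this example.

```javascript
// Added example: custom-IdP authorizer for AWS Transfer with an AD bind.
// Not the answerer's code. Env vars LDAP_URL, LDAP_DIRECTORY_NAME,
// SFTP_ROLE_ARN and SFTP_BUCKET are assumed names.

// Constructed from the closing comment (periods were rejected); letters,
// digits, underscore and hyphen, 3-100 characters. Verify against AWS docs.
const USERNAME_RE = /^[A-Za-z0-9_-]{3,100}$/;

function isValidUsername(name) {
  return typeof name === "string" && USERNAME_RE.test(name);
}

// Deny: an empty JSON object with HTTP 200 tells Transfer to refuse the login
// (assumed to match the AWS sample template's failure response).
function denyResponse() {
  return { statusCode: 200, headers: { "Content-Type": "application/json" }, body: "{}" };
}

// Transfer response: IAM role, home directory and a session policy that
// limits this user to their own prefix in the bucket.
function buildSftpResponse(username, bucket, roleArn) {
  const policy = {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "ListHome", Effect: "Allow", Action: "s3:ListBucket",
        Resource: `arn:aws:s3:::${bucket}`,
        Condition: { StringLike: { "s3:prefix": [`${username}/*`, `${username}`] } }
      },
      {
        Sid: "HomeObjects", Effect: "Allow",
        Action: ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        Resource: `arn:aws:s3:::${bucket}/${username}/*`
      }
    ]
  };
  return { Role: roleArn, HomeDirectory: `/${bucket}/${username}`, Policy: JSON.stringify(policy) };
}

// Real bind through ldapjs. Required lazily so the validation and policy
// logic can be exercised without the library or a reachable directory.
function ldapBind(dn, password) {
  const ldap = require("ldapjs");
  const client = ldap.createClient({ url: process.env.LDAP_URL });
  return new Promise((resolve, reject) => {
    client.bind(dn, password, err => {
      client.unbind();
      if (err) reject(err); else resolve();
    });
  });
}

// bindFn(dn, password) -> Promise is injectable (hypothetical parameter) so
// the whole flow can be tested against a fake directory.
async function authorize(event, bindFn = ldapBind, env = process.env) {
  const username = event.pathParameters && event.pathParameters.user;
  const password = event.headers && event.headers.Password;

  // Reject before touching the directory: bad name, or an empty password
  // that would turn the simple bind into an anonymous one.
  if (!isValidUsername(username)) return denyResponse();
  if (typeof password !== "string" || password.length === 0) return denyResponse();

  try {
    await bindFn(`${username}@${env.LDAP_DIRECTORY_NAME}`, password);
  } catch (err) {
    // Log the user name and error only; never the password.
    console.log(`Bind failed for ${username}: ${err.message}`);
    return denyResponse();
  }

  return {
    statusCode: 200,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(buildSftpResponse(username, env.SFTP_BUCKET, env.SFTP_ROLE_ARN))
  };
}

if (typeof module !== "undefined") module.exports = { authorize, isValidUsername, buildSftpResponse };
```

For a local test event of the kind asked about in the comments, call `authorize` with `{ pathParameters: { user: "alice" }, headers: { Password: "..." } }` and a stub `bindFn`; the user-name check runs first, so "first.last" is denied before any network call, which is the failure the last comment describes.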

