No need to specify PrincipalArn and RoleArn in options panel anymore. Removed these options from the options panel. PrincipalArn and RoleArn is now parsed from the SAML Assertion itself.

Author: gtclaancom

background/script.js

@@ -1,9 +1,7 @@
 // Global variables
-var PrincipalArn = '';
-var RoleArn = '';
 var FileName = 'credentials.txt';
 
-// When this background process starts; Load Principal ARN, Role ARN, and output FileName 
+// When this background process starts, load variables from chrome storage 
 // from saved Extension Options
 loadItemsFromStorage();
 // Additionaly on start of the background process it is checked if this extension can be activated
@@ -43,13 +41,47 @@ function removeOnBeforeRequestEventListener() {
 // Callback function for the webRequest OnBeforeRequest EventListener
 // This function runs on each request to https://signin.aws.amazon.com/saml
 function onBeforeRequestEvent(details) {
+  // Decode base64 SAML assertion in the request
+  var samlXmlDoc = decodeURIComponent(unescape(window.atob(details.requestBody.formData.SAMLResponse[0])));
+  // Convert XML String to DOM
+  parser = new DOMParser()
+  domDoc = parser.parseFromString(samlXmlDoc, "text/xml");
+  // Get a list of claims (= AWS roles) from the SAML assertion
+  var roleDomNodes = domDoc.querySelectorAll('[Name="https://aws.amazon.com/SAML/Attributes/Role"]')[0].childNodes
+  // Parse the PrincipalArn and the RoleArn from the SAML Assertion.
+  var PrincipalArn = '';
+  var RoleArn = '';
+  var SAMLAssertion = details.requestBody.formData.SAMLResponse[0];
+   // If there is more than 1 role in the claim, look at the 'roleIndex' HTTP Form data parameter to determine the role to assume
+  if (roleDomNodes.length > 1 && "roleIndex" in details.requestBody.formData) {
+    for (i = 0; i < roleDomNodes.length; i++) { 
+      var nodeValue = roleDomNodes[i].innerHTML;
+      if (nodeValue.indexOf(details.requestBody.formData.roleIndex[0]) > -1) {
+        // This DomNode holdes the data for the role to assume. Use these details for the assumeRoleWithSAML API call
+        PrincipalArn = nodeValue.substring(0, nodeValue.indexOf(','));
+        RoleArn = nodeValue.substring(nodeValue.indexOf(',') + 1);
+        assumeRoleWithSAML(PrincipalArn, RoleArn, SAMLAssertion);
+      }
+    }
+  }
+  // If there is just 1 role in the claim there will be no 'roleIndex' in the form data.
+  else if (roleDomNodes.length == 1) {
+    // When there is just 1 role in the claim, use these details for the assumeRoleWithSAML API call
+    PrincipalArn = roleDomNodes[0].substring(0, roleDomNodes[0].indexOf(','));
+    RoleArn = roleDomNodes[0].substring(roleDomNodes[0].indexOf(',') + 1);
+    assumeRoleWithSAML(PrincipalArn, RoleArn, SAMLAssertion);
+  }
+}
+
+
+// Function called from onBeforeRequestEvent when SAMLProvider, Role and SAMLAssertion is available
+function assumeRoleWithSAML(PrincipalArn, RoleArn, SAMLAssertion) {
   // Set parameters needed for assumeRoleWithSAML method
   var params = {
     PrincipalArn: PrincipalArn,
     RoleArn: RoleArn,
-    SAMLAssertion: details.requestBody.formData.SAMLResponse[0],
+    SAMLAssertion: SAMLAssertion,
   };
-
   // Call STS API from AWS
   var sts = new AWS.STS();
   sts.assumeRoleWithSAML(params, function(err, data) {
@@ -65,7 +97,6 @@ function onBeforeRequestEvent(details) {
       chrome.downloads.download({ url: doc, filename: FileName, conflictAction: 'overwrite', saveAs: false });
     }        
   });
-
 }
 
 
@@ -96,12 +127,8 @@ chrome.runtime.onMessage.addListener(
 
 function loadItemsFromStorage() {
   chrome.storage.sync.get({
-    PrincipalArn: '',
-    RoleArn: '',
     FileName: 'credentials.txt'
   }, function(items) {
-    PrincipalArn = items.PrincipalArn;
-    RoleArn = items.RoleArn;
     FileName = items.FileName;
   });
 }

icons/icon.png

@@ -6,16 +6,6 @@
   <body>
     <h2>Options page for 'SAML to AWS STS Keys Converter'</h2>
 
-    <p><label>Specify the Principal ARN. This is the ARN of the SAML provider. For example: <b>arn:aws:iam::123456789123:saml-provider/my-adfs</b></label>
-    <br />
-    <input type="text" name="PrincipalArn" id="PrincipalArn" size="70">
-    </p>
-
-    <p><label>Specify the Role ARN. This is the ARN of the role you would like to assume. For example: <b>arn:aws:iam::123456789123:role/EC2Admin</b></label>
-    <br />
-    <input type="text" name="RoleArn" id="RoleArn" size="70">
-    </p>
-
     <p><label>Filename for writing the fetched AWS STS keys. File will be written to Chrome's download directory. Example filename: <b>credentials.txt</b></label>
     <br />
     <input type="text" name="FileName" id="FileName" size="70">

options/options.html

@@ -1,12 +1,8 @@
 // Saves options to chrome.storage
 function save_options() {
-  var PrincipalArn = document.getElementById('PrincipalArn').value;
-  var RoleArn = document.getElementById('RoleArn').value;
   var FileName = document.getElementById('FileName').value;
 
   chrome.storage.sync.set({
-    PrincipalArn: PrincipalArn,
-    RoleArn: RoleArn,
     FileName: FileName
   }, function() {
     // Update status to let user know options were saved.
@@ -27,12 +23,8 @@ function save_options() {
 function restore_options() {
   // Default values
   chrome.storage.sync.get({
-    PrincipalArn: 'arn:aws:iam::123456789123:saml-provider/my-adfs',
-    RoleArn: 'arn:aws:iam::123456789123:role/EC2Admin',
     FileName: 'credentials.txt'
   }, function(items) {
-    document.getElementById('PrincipalArn').value = items.PrincipalArn;
-    document.getElementById('RoleArn').value = items.RoleArn;
     document.getElementById('FileName').value = items.FileName;
   });
 }