How To Configure ADFS In AWS - Jun 7, 2019

Here are some quick references for configuring ADFS as a SAML identity provider for AWS. This is based on the walkthrough originally written by Jeff on the AWS Security Blog.

  1. Install ADFS Role and IIS role
  2. Rename the server
  3. Generate self-signed certificate
  4. Configure ADFS role

Use the command below to download the ADFS federation metadata XML file (this is the file you upload to IAM when creating the SAML provider):

Invoke-WebRequest -Uri https://adfs.contoso.local/FederationMetadata/2007-06/FederationMetadata.xml -OutFile FederationMetadata.xml

Configure ADFS with the needed IAM ARNs for the SAML IdP and the IAM role:

  • arn:aws:iam::AWS-ACCOUNT-ID:saml-provider/SAML
  • arn:aws:iam::AWS-ACCOUNT-ID:role/SAML

Relying Party Trust (import the AWS federation metadata from the URL below):

https://signin.aws.amazon.com/static/saml-metadata.xml

Rule 1:

- Type: Transform an Incoming Claim
- Claim rule name: NameId
- Incoming claim type: Windows Account Name
- Outgoing claim type: Name ID
- Outgoing name ID format: Persistent Identifier
- Pass through all claim values: checked

Rule 2:

- Rule Type: Send LDAP Attributes as Claims
- Claim rule name: RoleSessionName
- Attribute store: Active Directory
- LDAP Attribute: E-Mail-Addresses
- Outgoing Claim Type: https://aws.amazon.com/SAML/Attributes/RoleSessionName

Rule 3:

- Rule Type: Send Claims Using a Custom Rule
- Claim rule name: Get AD Groups
- Input the below:

c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"]
 => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "SAML", "arn:aws:iam::AWS-ACCOUNT-ID:saml-provider/SAML,arn:aws:iam::AWS-ACCOUNT-ID:role/SAML"));

Rule 4:

- Rule Type: Send Claims Using a Custom Rule
- Claim rule name: Roles
- Input the below to transpose the AD group name to the IAM role name:

c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"]
 => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-", "arn:aws:iam::AWS-ACCOUNT-ID:saml-provider/ADFS,arn:aws:iam::AWS-ACCOUNT-ID:role/ADFS-"));

- Input the below to pass a single fixed role for every user instead:

=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = "arn:aws:iam::AWS-ACCOUNT-ID:saml-provider/Apt922,arn:aws:iam::AWS-ACCOUNT-ID:role/SAML");
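To see what Rule 4 actually emits, here is an added Python simulation of the group-name to Role-claim mapping (not part of the original post or of Jeff's walkthrough), with a check that both ARNs in the resulting claim belong to the expected account. The account ID 123456789012 and the group names are constructed samples standing in for the page's AWS-ACCOUNT-ID placeholder.

```python
import re

# Constructed sample account ID standing in for the page's AWS-ACCOUNT-ID placeholder.
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/ADFS"
ROLE_ARN_PREFIX = f"arn:aws:iam::{ACCOUNT_ID}:role/ADFS-"

# Rule 4's condition: Value =~ "(?i)^AWS-" (case-insensitive prefix match).
GROUP_FILTER = re.compile(r"(?i)^AWS-")

# Expected shape of an AWS Role claim value: "<saml-provider ARN>,<role ARN>".
ROLE_CLAIM = re.compile(
    r"^arn:aws:iam::([^:]+):saml-provider/[^,]+,arn:aws:iam::([^:]+):role/[^,]+$"
)


def groups_to_role_claims(group_names):
    """Simulate Rule 4: every AD group named AWS-<X> becomes one Role claim
    whose value is '<provider ARN>,<role ARN prefix><X>'. Groups that do not
    start with AWS- are dropped, so only explicitly named groups map to roles."""
    claims = []
    for name in group_names:
        if not GROUP_FILTER.search(name):
            continue
        # RegExReplace(c.Value, "AWS-", "<provider ARN>,<role ARN prefix>"),
        # using the literal "AWS-" pattern from the rule text.
        claims.append(re.sub(r"AWS-", f"{PROVIDER_ARN},{ROLE_ARN_PREFIX}", name, count=1))
    return claims


def role_claim_in_account(value, expected_account):
    """Return True only if the claim has the provider,role shape and both ARNs
    carry the expected account ID; a mismatch means the assertion would be
    asking AWS for a role in some other account."""
    m = ROLE_CLAIM.match(value)
    return bool(m) and m.group(1) == expected_account and m.group(2) == expected_account


if __name__ == "__main__":
    # Constructed sample of one user's AD group memberships.
    sample_groups = ["Domain Users", "AWS-Admins", "AWS-ReadOnly", "Finance"]
    for claim in groups_to_role_claims(sample_groups):
        print(claim, role_claim_in_account(claim, ACCOUNT_ID))
```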

The URL below is the IdP-initiated sign-in page:

https://localhost/adfs/ls/IdpInitiatedSignOn.aspx

For Windows Server 2016, this page is disabled by default; enable it with the command below:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $True

Setup OS Ticket on Debian 9.8 - Apr 22, 2019

This is how I configured OS Ticket on Debian 9.8.

Distributor ID: Debian
Description:    Debian GNU/Linux 9.8 (stretch)
Release:        9.8
Codename:       stretch

Use apt-get install to install the required packages:

apt-get install apache2 mysql-server net-tools php php-apcu php-imap php-intl php-mbstring php-mysql php-xml php7.0-gd postfix unzip -yf

Create the MySQL database and user:

CREATE DATABASE osticket;
CREATE USER 'osticket'@'localhost' IDENTIFIED BY 'YourPasswordHere';
GRANT ALL PRIVILEGES ON osticket.* TO 'osticket'@'localhost';

Download, unzip, and copy OS Ticket

  • Download OS Ticket v1.11 (osTicket-v1.11.zip)
  • unzip osTicket-v1.11.zip
  • cp -r upload/ /var/www/html/osticket

Change to the directory and modify permissions:

  • cd /var/www/html/osticket
  • chmod -R 775 *
  • chown -R www-data:www-data *

Copy the sample configuration and modify its permissions:

cd /var/www/html/osticket
cp include/ost-sampleconfig.php include/ost-config.php
chmod 0666 include/ost-config.php

Configure OS Ticket through the web installer at your site's URL.

Clean up after installation and configuration:

  • cd /var/www/html/osticket
  • rm -rf setup/
  • chmod 644 include/ost-config.php

Configure Postfix to use Gmail as the SMTP relay by setting relayhost in /etc/postfix/main.cf:

nano /etc/postfix/main.cf
relayhost = [smtp-relay.gmail.com]:587

OS Ticket URL Examples

PowerShell Change Modify Date - Mar 27, 2019

This PowerShell one-liner sets a file's LastWriteTime (which was null) to its LastAccessTime.

$(Get-Item FILEHERE).lastwritetime = $(Get-Item FILEHERE).lastaccesstime


CloudFormation Template For Simple 3 VPC - Feb 15, 2019

This is a work-in-progress CloudFormation template. The template creates three VPCs, each with a WAN subnet and a NAT subnet. The WAN subnet routes through an internet gateway, while the NAT subnet routes through a NAT gateway, and the route tables for each VPC are updated accordingly. I use this to move between regions for testing purposes.

CloudFormation Template

Migrating to Jekyll and AWS - Feb 8, 2019

This website used to run on a traditional WordPress stack (MySQL on Debian). I've been learning more about Amazon Web Services products, and I have seen a lot of starter blogs and tutorials on building a static website. I learned a little about Lambda and Node.js, and I found EnduroJS, which helps create Node.js websites. However, there was a lot of overhead in running Node.js for my simple website.

So I went with Jekyll, a Ruby-based static site generator. And here we are.

I paired Jekyll with AWS S3, AWS CloudFront, and Route 53. Route 53 points the domain at a CloudFront distribution, and CloudFront in turn serves the site from the S3 bucket. Nice!