
Class StoredProfileFederatedCredentials

Namespace
Amazon.Runtime
Assembly
AWSSDK.Core.dll

Temporary credentials that are created following successful authentication with a federated endpoint supporting SAML.

[Obsolete("This class is obsolete and will be removed in a future release. Please use Amazon.Runtime.FederatedAWSCredentials.  Visit http://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-creds.html for further details.")]
public class StoredProfileFederatedCredentials : RefreshingAWSCredentials, IDisposable
Inheritance
StoredProfileFederatedCredentials
Implements
Inherited Members

Remarks

  1. Currently only the SDK store supports profiles that contain the necessary data to support authentication and role-based credential generation. The ini-format files used by the AWS CLI and some other SDKs are not supported at this time.
  2. In order to use the StoredProfileFederatedCredentials class the AWSSDK.SecurityToken assembly must be available to your application at runtime.

Constructors

StoredProfileFederatedCredentials()

Constructs an instance of StoredProfileFederatedCredentials using the profile name specified in the App.config. If no profile name is specified then the default credentials are used.

public StoredProfileFederatedCredentials()

StoredProfileFederatedCredentials(string)

Constructs an instance of StoredProfileFederatedCredentials. Credentials will be searched for using the profileName parameter.

public StoredProfileFederatedCredentials(string profileName)

Parameters

profileName string

The name of the profile to search for credentials.

StoredProfileFederatedCredentials(string, string)

Constructs an instance of StoredProfileFederatedCredentials. After construction call one of the Authenticate methods to authenticate the user/process and obtain temporary AWS credentials.

For users who are domain joined (the role profile does not contain user identity information) the temporary credentials will be refreshed automatically as needed. Non domain-joined users (those with user identity data in the profile) are required to re-authenticate when credential refresh is required. An exception is thrown when an attempt is made to refresh credentials in this scenario. The consuming code of this class should catch the exception and prompt the user for credentials, then call Authenticate to re-initialize with a new set of temporary AWS credentials.

public StoredProfileFederatedCredentials(string profileName, string profilesLocation)

Parameters

profileName string

The name of the profile holding the necessary role data to enable authentication and credential generation.

profilesLocation string

Reserved for future use.

Remarks

The ini-format credentials file is not currently supported for SAML role profiles.

StoredProfileFederatedCredentials(string, string, WebProxy)

Constructs an instance of StoredProfileFederatedCredentials. After construction call one of the Authenticate methods to authenticate the user/process and obtain temporary AWS credentials.

For users who are domain joined (the role profile does not contain user identity information) the temporary credentials will be refreshed automatically as needed. Non domain-joined users (those with user identity data in the profile) are required to re-authenticate when credential refresh is required. An exception is thrown when an attempt is made to refresh credentials in this scenario. The consuming code of this class should catch the exception and prompt the user for credentials, then call Authenticate to re-initialize with a new set of temporary AWS credentials.

public StoredProfileFederatedCredentials(string profileName, string profilesLocation, WebProxy proxySettings)

Parameters

profileName string

The name of the profile holding the necessary role data to enable authentication and credential generation.

profilesLocation string

Reserved for future use.

proxySettings WebProxy

Null or proxy settings to be used during the HTTPS authentication calls when generating credentials.

Remarks

The ini-format credentials file is not currently supported for SAML role profiles.

Fields

MaximumCredentialTimespan

The maximum allowed timespan for generated credentials, per STS documentation.

public static readonly TimeSpan MaximumCredentialTimespan

Field Value

TimeSpan

MinimumCredentialTimespan

The minimum allowed timespan for generated credentials, per STS documentation.

public static readonly TimeSpan MinimumCredentialTimespan

Field Value

TimeSpan

Properties

CustomCallbackState

Custom state to return to the registered callback to handle credential requests. The data will be contained in the CredentialRequestCallbackArgs instance supplied to the callback.

public object CustomCallbackState { get; }

Property Value

object

ProfileData

The data about the SAML endpoint and any required user credentials parsed from the profile.

public SAMLRoleProfile ProfileData { get; }

Property Value

SAMLRoleProfile

ProfileName

Name of the profile being used.

public string ProfileName { get; }

Property Value

string

ProfilesLocation

Location of the profiles, if used.

public string ProfilesLocation { get; }

Property Value

string

Methods

CanCreateFrom(string, string)

Tests if an instance can be created from the persisted profile data.

public static bool CanCreateFrom(string profileName, string profilesLocation)

Parameters

profileName string

The name of the profile to test.

profilesLocation string

The location of the shared ini-format credential file.

Returns

bool

True if the persisted data would yield a valid credentials instance.

Remarks

This profile type is currently only supported in the SDK credential store file. The shared ini-format file is not currently supported; any value supplied for the profilesLocation value is ignored.

GenerateNewCredentials()

Refresh credentials after expiry. If the role profile is configured with user identity information and a callback has been registered to obtain the user credential, the callback will be invoked ahead of authentication. For role profiles configured with user identity but no callback registration, the SDK will fall back to attempting to use the default user identity of the current process.

protected override RefreshingAWSCredentials.CredentialsRefreshState GenerateNewCredentials()

Returns

RefreshingAWSCredentials.CredentialsRefreshState

SetCredentialCallbackData(RequestUserCredential, object)

Registers a callback handler for scenarios where credentials need to be supplied during user authentication (primarily the non-domain-joined use case). Custom data, which will be supplied in the CredentialRequestCallbackArgs instance passed to the callback, can also be supplied.

The callback will only be invoked if the underlying SAML role profile indicates it was set up for use with a specific identity. For profiles that do not contain any user identity the SDK will default to using the identity of the current process during authentication. Additionally, if the profile contains user identity information but no callback has been registered, the SDK will also attempt to use the current process identity during authentication.

public void SetCredentialCallbackData(StoredProfileFederatedCredentials.RequestUserCredential callback, object customData)

Parameters

callback StoredProfileFederatedCredentials.RequestUserCredential

The handler to be called

customData object

Custom state data to be supplied in the arguments to the callback.

Remarks

Only one callback handler can be registered. The call to the handler will be made on whatever thread is executing at the time a demand to provide AWS credentials is made. If the handler code requires UI to be displayed, the handler should transition to the UI thread as appropriate.
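
The following console program is an added example, not code from the SDK or its documentation. It registers a credential callback so that a profile bound to a specific user identity prompts for that user's password instead of falling back to the identity of the current process. Assumptions: the delegate takes a CredentialRequestCallbackArgs and returns a NetworkCredential, the args expose UserIdentity and CustomState, returning null signals that the user declined, and the profile name "saml-demo" is constructed.

```csharp
using System;
using System.Net;
using System.Security;
using Amazon.Runtime;

#pragma warning disable CS0618 // the class is marked [Obsolete]

public static class FederatedCredentialSetup
{
    public static void Main(string[] args)
    {
        // "saml-demo" is a constructed profile name for this example.
        var credentials = Create(args.Length > 0 ? args[0] : "saml-demo");
        Console.WriteLine("Obtained key id " + credentials.GetCredentials().AccessKey);
    }

    public static AWSCredentials Create(string profileName)
    {
        // profilesLocation is ignored for this profile type, so null is passed.
        if (!StoredProfileFederatedCredentials.CanCreateFrom(profileName, null))
            throw new InvalidOperationException("No usable SAML role profile: " + profileName);

        var credentials = new StoredProfileFederatedCredentials(profileName);
        // Without a registered callback, a profile that names a user identity is
        // authenticated with the current process identity instead.
        credentials.SetCredentialCallbackData(PromptForPassword, profileName);
        return credentials;
    }

    // Assumed delegate shape: CredentialRequestCallbackArgs in, NetworkCredential out.
    // Runs on whichever thread demanded credentials; a GUI app must switch to its UI thread.
    private static NetworkCredential PromptForPassword(CredentialRequestCallbackArgs request)
    {
        // UserIdentity and CustomState are assumed property names.
        Console.Write("Password for {0} (profile {1}): ", request.UserIdentity, request.CustomState);
        using (var secret = new SecureString())
        {
            for (var key = Console.ReadKey(true); key.Key != ConsoleKey.Enter; key = Console.ReadKey(true))
            {
                if (key.Key == ConsoleKey.Backspace) { if (secret.Length > 0) secret.RemoveAt(secret.Length - 1); }
                else if (!char.IsControl(key.KeyChar)) secret.AppendChar(key.KeyChar);
            }
            Console.WriteLine();
            // Assumption: returning null tells the SDK the user declined to authenticate.
            return secret.Length == 0 ? null : new NetworkCredential(request.UserIdentity, secret);
        }
    }
}
```

The AWSSDK.SecurityToken assembly must be resolvable at runtime for the call to GetCredentials to succeed, as the class remarks state.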

Validate()

Performs any additional validation we may require on the profile content.

protected override void Validate()