AWS::WorkSpacesWeb::IdentityProvider - Amazon CloudFormation


This resource specifies an identity provider that is then associated with a web portal. This resource is not required if your portal's AuthenticationType is IAM Identity Center.


To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::WorkSpacesWeb::IdentityProvider",
  "Properties" : {
    "IdentityProviderDetails" : {Key: Value, ...},
    "IdentityProviderName" : String,
    "IdentityProviderType" : String,
    "PortalArn" : String
  }
}

YAML

Type: AWS::WorkSpacesWeb::IdentityProvider
Properties:
  IdentityProviderDetails:
    Key: Value
  IdentityProviderName: String
  IdentityProviderType: String
  PortalArn: String

Properties

IdentityProviderDetails

The identity provider details. The following list describes the provider detail keys for each identity provider type.

  • For Google and Login with Amazon:

    • client_id

    • client_secret

    • authorize_scopes

  • For Facebook:

    • client_id

    • client_secret

    • authorize_scopes

    • api_version

  • For Sign in with Apple:

    • client_id

    • team_id

    • key_id

    • private_key

    • authorize_scopes

  • For OIDC providers:

    • client_id

    • client_secret

    • attributes_request_method

    • oidc_issuer

    • authorize_scopes

    • authorize_url (only if it is not available from the discovery URL specified by the oidc_issuer key)

    • token_url (only if it is not available from the discovery URL specified by the oidc_issuer key)

    • attributes_url (only if it is not available from the discovery URL specified by the oidc_issuer key)

    • jwks_uri (only if it is not available from the discovery URL specified by the oidc_issuer key)

  • For SAML providers:

    • MetadataFile OR MetadataURL

    • IDPSignout (boolean) optional

    • IDPInit (boolean) optional

    • RequestSigningAlgorithm (string) optional - Only accepts rsa-sha256

    • EncryptedResponses (boolean) optional

Required: Yes

Type: Object of String

Pattern: ^[\s\S]*$

Minimum: 0

Maximum: 131072

Update requires: No interruption

IdentityProviderName

The identity provider name.

Required: Yes

Type: String

Pattern: ^[^_][\p{L}\p{M}\p{S}\p{N}\p{P}][^_]+$

Minimum: 1

Maximum: 32

Update requires: No interruption

IdentityProviderType

The identity provider type.

Required: Yes

Type: String

Allowed values: SAML | Facebook | Google | LoginWithAmazon | SignInWithApple | OIDC

Update requires: No interruption

PortalArn

The ARN of the identity provider.

Required: No

Type: String

Pattern: ^arn:[\w+=\/,.@-]+:[a-zA-Z0-9\-]+:[a-zA-Z0-9\-]*:[a-zA-Z0-9]{1,12}:[a-zA-Z]+(\/[a-fA-F0-9\-]{36})+$

Minimum: 20

Maximum: 2048

Update requires: Replacement
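The following template is an added example, not taken from the AWS documentation page, showing how the properties above fit together for an OIDC provider attached to an existing portal. The portal ARN parameter, the issuer URL, the client ID and the Secrets Manager secret name (assumed to already exist) are placeholders; the client_secret is pulled in through a Secrets Manager dynamic reference so that the secret value never sits in the template or the stack's change history.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Attach an OIDC identity provider to an existing WorkSpaces Web portal (example)

Parameters:
  PortalArn:
    Type: String
    Description: ARN of an existing AWS::WorkSpacesWeb::Portal (placeholder; must be supplied)
  OidcClientId:
    Type: String
    Description: Client ID registered at the OIDC provider (placeholder)
  OidcIssuer:
    Type: String
    Default: https://idp.example.com      # placeholder issuer; discovery document is read from here

Resources:
  PortalOidcIdentityProvider:
    Type: AWS::WorkSpacesWeb::IdentityProvider
    Properties:
      PortalArn: !Ref PortalArn
      # 1-32 characters and must not start or end with "_" (see the IdentityProviderName pattern)
      IdentityProviderName: corp-oidc
      IdentityProviderType: OIDC
      IdentityProviderDetails:
        client_id: !Ref OidcClientId
        # Resolved by CloudFormation at deploy time from an existing secret named
        # "workspaces-web/oidc-client-secret" (assumed name) whose SecretString holds
        # a JSON key "client_secret"; the plaintext never appears in the template.
        client_secret: '{{resolve:secretsmanager:workspaces-web/oidc-client-secret:SecretString:client_secret}}'
        oidc_issuer: !Ref OidcIssuer
        # How user attributes are requested from the provider's userinfo endpoint (GET or POST)
        attributes_request_method: GET
        # Space-separated scopes; keep this to what the portal actually needs
        authorize_scopes: openid email profile
        # authorize_url, token_url, attributes_url and jwks_uri are deliberately omitted:
        # they are taken from the discovery document published under oidc_issuer.

Outputs:
  IdentityProviderArn:
    Description: Ref returns the identity provider's ARN
    Value: !Ref PortalOidcIdentityProvider
```

Because PortalArn is an update-with-Replacement property, changing it later recreates the identity provider resource, whereas edits to IdentityProviderDetails are applied in place.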

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource's Amazon Resource Name (ARN).

For more information about using the Ref function, see Ref.


Fn::GetAtt

The ARN of the identity provider.