Creating IAM identity providers - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating IAM identity providers

Note

We recommend that you require your human users to use temporary credentials when accessing Amazon. Have you considered using Amazon IAM Identity Center? You can use IAM Identity Center to centrally manage access to multiple Amazon Web Services accounts and provide users with MFA-protected, single sign-on access to all their assigned accounts from one place. With IAM Identity Center, you can create and manage user identities in IAM Identity Center or easily connect to your existing SAML 2.0 compatible identity provider. For more information, see What is IAM Identity Center? in the Amazon IAM Identity Center User Guide.

You can use an external identity provider (IdP) to manage user identities outside of Amazon. An external IdP can provide identity information to Amazon using either OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). Examples of well-known OIDC identity providers are: Login with Amazon, Facebook, and Google. Examples of well-known SAML identity providers are: Shibboleth and Active Directory Federation Services.

When you want to configure federation with an external IdP, you create an IAM identity provider to inform Amazon about the external IdP and its configuration. This establishes "trust" between your Amazon Web Services account and the external IdP. The following topics include details about how to create an IAM identity provider for each of the external IdP types.

Topics