Creating IAM SAML identity providers
An IAM SAML 2.0 identity provider is an entity in IAM that describes an external identity provider (IdP) service that supports the SAML 2.0 (Security Assertion Markup Language 2.0).
For more information about this scenario, see About SAML 2.0-based federation.
You can create and manage an IAM identity provider in the Amazon Web Services Management Console or with Amazon CLI, Tools for Windows PowerShell, or Amazon API calls.
After you create a SAML provider, you must create one or more IAM roles. A role is an identity in Amazon that doesn't have its own credentials (as a user does). But in this context, a role is dynamically assigned to a federated user that is authenticated by your organization's IdP. The role permits your organization's IdP to request temporary security credentials for access to Amazon. The policies assigned to the role determine what the federated users are allowed to do in Amazon. To create a role for SAML federation, see Creating a role for a third-party Identity Provider (federation).
Finally, after you create the role, you complete the SAML trust by configuring your IdP with information about Amazon and the roles that you want your federated users to use. This is referred to as configuring relying party trust between your IdP and Amazon. To configure relying party trust, see Configuring your SAML 2.0 IdP with relying party trust and adding claims.
Topics
- Creating and managing an IAM SAML identity provider (console)
- Creating and managing an IAM SAML Identity Provider (Amazon CLI)
- Creating and managing an IAM SAML identity provider (Amazon API)
- Configuring your SAML 2.0 IdP with relying party trust and adding claims
- Integrating third-party SAML solution providers with Amazon
- Configuring SAML assertions for the authentication response
Creating and managing an IAM SAML identity provider (console)
You can use the Amazon Web Services Management Console to create and delete IAM SAML identity providers.
To create an IAM SAML identity provider (console)
1. Before you can create an IAM SAML identity provider, you need the SAML metadata document that you get from the IdP. This document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. To generate the metadata document, use the identity management software your organization uses as its IdP. For instructions on how to configure many of the available IdPs to work with Amazon, including how to generate the required SAML metadata document, see Integrating third-party SAML solution providers with Amazon.
   Important
   This metadata file includes the issuer name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) received from the IdP. The metadata file must be encoded in UTF-8 format without a byte order mark (BOM). To remove the BOM, you can encode the file as UTF-8 using a text editing tool, such as Notepad++.
   The X.509 certificate included as part of the SAML metadata document must use a key size of at least 1024 bits. Also, the X.509 certificate must be free of any repeated extensions. You can use extensions, but each extension can appear only once in the certificate. If the X.509 certificate does not meet either condition, IdP creation fails and returns an "Unable to parse metadata" error.
   As defined by the SAML V2.0 Metadata Interoperability Profile Version 1.0, IAM neither evaluates nor takes action regarding the expiration of the metadata document's X.509 certificate.
2. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
3. In the navigation pane, choose Identity providers and then choose Add provider.
4. For Configure provider, choose SAML.
5. Type a name for the identity provider.
6. For Metadata document, choose Choose file, and specify the SAML metadata document that you downloaded in Step 1.
7. (Optional) For Add tags, you can add key-value pairs to help you identify and organize your IdPs. You can also use tags to control access to Amazon resources. To learn more about tagging SAML identity providers, see Tagging IAM SAML identity providers. Choose Add tag. Enter values for each tag key-value pair.
8. Verify the information that you have provided. When you are done, choose Add provider.
9. Assign an IAM role to your identity provider to give external user identities managed by your identity provider permissions to access Amazon resources in your account. To learn more about creating roles for identity federation, see Creating a role for a third-party Identity Provider (federation).
Note
SAML IdPs used in a role trust policy must be in the same account that the role is in.
To delete a SAML provider (console)
1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
2. In the navigation pane, choose Identity providers.
3. Select the radio button next to the identity provider that you want to delete.
4. Choose Delete. A new window opens.
5. Confirm that you want to delete the provider by typing the word delete in the field. Then, choose Delete.
Creating and managing an IAM SAML Identity Provider (Amazon CLI)
You can use the Amazon CLI to create and manage SAML providers.
Before you can create an IAM identity provider, you need the SAML metadata document that you get from the IdP. This document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. To generate the metadata document, use the identity management software your organization uses as its IdP. For instructions on how to configure many of the available IdPs to work with Amazon, including how to generate the required SAML metadata document, see Integrating third-party SAML solution providers with Amazon.
Important
This metadata file includes the issuer name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) received from the IdP. The metadata file must be encoded in UTF-8 format without a byte order mark (BOM). To remove the BOM, you can encode the file as UTF-8 using a text editing tool, such as Notepad++.
The X.509 certificate included as part of the SAML metadata document must use a key size of at least 1024 bits. Also, the X.509 certificate must be free of any repeated extensions. You can use extensions, but each extension can appear only once in the certificate. If the X.509 certificate does not meet either condition, IdP creation fails and returns an "Unable to parse metadata" error.
As defined by the SAML V2.0 Metadata Interoperability Profile Version 1.0, IAM neither evaluates nor takes action regarding the expiration of the metadata document's X.509 certificate.
To create an IAM identity provider and upload a metadata document (Amazon CLI)
- Run this command: aws iam create-saml-provider
To upload a new metadata document for an IAM identity provider (Amazon CLI)
- Run this command: aws iam update-saml-provider
To tag an existing IAM identity provider (Amazon CLI)
- Run this command: aws iam tag-saml-provider
To list tags for an existing IAM identity provider (Amazon CLI)
- Run this command: aws iam list-saml-provider-tags
To remove tags on an existing IAM identity provider (Amazon CLI)
- Run this command: aws iam untag-saml-provider
To delete an IAM SAML identity provider (Amazon CLI)
1. (Optional) To list information for all providers, such as the ARN, creation date, and expiration, run the following command:
2. (Optional) To get information about a specific provider, such as the ARN, creation date, and expiration, run the following command:
3. To delete an IAM identity provider, run the following command:
Creating and managing an IAM SAML identity provider (Amazon API)
You can use the Amazon API to create and manage SAML providers.
Before you can create an IAM identity provider, you need the SAML metadata document that you get from the IdP. This document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. To generate the metadata document, use the identity management software your organization uses as its IdP. For instructions on how to configure many of the available IdPs to work with Amazon, including how to generate the required SAML metadata document, see Integrating third-party SAML solution providers with Amazon.
Important
The metadata file must be encoded in UTF-8 format without a byte order mark (BOM). Also, the X.509 certificate that is included as part of the SAML metadata document must use a key size of at least 1024 bits. If the key size is smaller, the IdP creation fails with an "Unable to parse metadata" error. To remove the BOM, you can encode the file as UTF-8 using a text editing tool, such as Notepad++.
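Before you upload a metadata document, whether through the console, `aws iam create-saml-provider`, or `CreateSAMLProvider`, the Important notes in the console, CLI and API sections all impose the same requirements on it. The following pre-flight check is an added example, not code from this page or from the IAM tooling; using only the Python standard library, it covers the checks that need no X.509 parser: UTF-8 without a BOM, well-formed metadata with an entityID and at least one base64-encoded signing certificate, and the metadata's own validUntil expiry, which IAM does not evaluate for you. The 1024-bit key-size and repeated-extension checks on the certificate itself require an X.509 library and are not covered; the inline metadata and the `MIIB` certificate value are constructed placeholders.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
BOM = b"\xef\xbb\xbf"  # UTF-8 byte order mark; IAM rejects metadata that starts with it


def check_metadata(raw, now=None):
    """Return a list of problems found in a SAML metadata document (empty = passed)."""
    problems = []
    if raw.startswith(BOM):
        problems.append("file starts with a UTF-8 BOM; IAM rejects it")
        raw = raw[len(BOM):]  # keep checking the rest of the document
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return problems + ["file is not valid UTF-8"]
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return problems + ["not well-formed XML: %s" % exc]
    if root.tag != "{%s}EntityDescriptor" % MD_NS or not root.get("entityID"):
        problems.append("root is not an EntityDescriptor with an entityID")
    certs = root.findall(".//{%s}X509Certificate" % DS_NS)
    if not certs:
        problems.append("no X509Certificate found in any KeyDescriptor")
    for cert in certs:  # certificate bodies must be base64 (whitespace is allowed)
        try:
            base64.b64decode("".join((cert.text or "").split()), validate=True)
        except ValueError:
            problems.append("X509Certificate is not valid base64")
    # IAM does not act on expiry itself, so surface validUntil for your own tracking.
    valid_until = root.get("validUntil")
    if valid_until:
        now = now or dt.datetime.now(dt.timezone.utc)
        expiry = dt.datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            problems.append("metadata validUntil %s is in the past" % valid_until)
    return problems


# Constructed sample metadata; "MIIB" is a placeholder, not a real certificate.
SAMPLE = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml"
 validUntil="2030-01-01T00:00:00Z"><md:IDPSSODescriptor
 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor
 use="signing"><ds:KeyInfo><ds:X509Certificate>MIIB</ds:X509Certificate></ds:KeyInfo>
 </md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_metadata(SAMPLE))        # []
    print(check_metadata(BOM + SAMPLE))  # ['file starts with a UTF-8 BOM; IAM rejects it']
```

To check a real file, call `check_metadata(open("metadata.xml", "rb").read())` and fix every reported problem before uploading.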
To create an IAM identity provider and upload a metadata document (Amazon API)
- Call this operation: CreateSAMLProvider
To upload a new metadata document for an IAM identity provider (Amazon API)
- Call this operation: UpdateSAMLProvider
To tag an existing IAM identity provider (Amazon API)
- Call this operation: TagSAMLProvider
To list tags for an existing IAM identity provider (Amazon API)
- Call this operation: ListSAMLProviderTags
To remove tags on an existing IAM identity provider (Amazon API)
- Call this operation: UntagSAMLProvider
To delete an IAM identity provider (Amazon API)
1. (Optional) To list information for all IdPs, such as the ARN, creation date, and expiration, call the following operation:
2. (Optional) To get information about a specific provider, such as the ARN, creation date, and expiration, call the following operation:
3. To delete an IdP, call the following operation: