Configure your SAML 2.0 IdP with relying party trust and adding claims
When you create an IAM identity provider and role for SAML access, you are telling Amazon about the external identity provider (IdP) and what its users are allowed to do. Your next step is to then tell the IdP about Amazon as a service provider. This is called adding relying party trust between your IdP and Amazon. The exact process for adding relying party trust depends on what IdP you're using. For details, see the documentation for your identity management software.
Many IdPs allow you to specify a URL from which the IdP can read an XML document that
contains relying party information and certificates. For Amazon, use
https://
or region-code
.signin.amazonaws.cn/static/saml-metadata.xmlhttps://signin.amazonaws.cn/static/saml-metadata.xml
. For a list of possible
region-code
values, see the Region column in
Amazon Sign-In
endpoints.
If you can't specify a URL directly, then download the XML document from the preceding URL and import it into your IdP software.
You also need to create appropriate claim rules in your IdP that specify Amazon as a relying party. When the IdP sends a SAML response to the Amazon endpoint, it includes a SAML assertion that contains one or more claims. A claim is information about the user and its groups. A claim rule maps that information into SAML attributes. This lets you make sure that SAML authentication responses from your IdP contain the necessary attributes that Amazon uses in IAM policies to check permissions for federated users. For more information, see the following topics:
-
Overview of the role to allow SAML-federated access to your Amazon resources. This topic discusses using SAML-specific keys in IAM policies and how to use them to restrict permissions for SAML-federated users.
-
Configure SAML assertions for the authentication response. This topic discusses how to configure SAML claims that include information about the user. The claims are bundled into a SAML assertion and included in the SAML response that is sent to Amazon. You must ensure that the information needed by Amazon policies is included in the SAML assertion in a form that Amazon can recognize and use.
-
Integrate third-party SAML solution providers with Amazon. This topic provides links to documentation provided by third-party organizations about how to integrate identity solutions with Amazon.
Note
To improve federation resiliency, we recommend that you configure your IdP and Amazon
federation to support multiple SAML sign-in endpoints. For details, see the Amazon Security
Blog article How to use regional SAML
endpoints for failover