Connect a self-managed directory in Active Directory to IAM Identity Center - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connect a self-managed directory in Active Directory to IAM Identity Center

Users in your self-managed directory in Active Directory (AD) can also have single sign-on access to Amazon Web Services accounts and applications in the Amazon Web Services access portal. To configure single sign-on access for these users, you can do either of the following:

  • Create a two-way trust relationship – When two-way trust relationships are created between Amazon Managed Microsoft AD and a self-managed directory in AD, users in your self-managed directory in AD can sign in with their corporate credentials to various Amazon services and business applications. One-way trusts do not work with IAM Identity Center.

    Amazon IAM Identity Center requires a two-way trust so that it has permissions to read user and group information from your domain to synchronize user and group metadata. IAM Identity Center uses this metadata when assigning access to permission sets or applications. User and group metadata is also used by applications for collaboration, like when you share a dashboard with another user or group. The trust from Amazon Directory Service for Microsoft Active Directory to your domain permits IAM Identity Center to trust your domain for authentication. The trust in the opposite direction grants Amazon permissions to read user and group metadata.

    For more information about setting up a two-way trust, see When to Create a Trust Relationship in the Amazon Directory Service Administration Guide.

    Note

    In order to use Amazon applications, like IAM Identity Center to read Amazon Directory Service directory users from trusted domains, the Amazon Directory Service accounts require permissions to the userAccountControl attribute on the trusted users. Without read permissions to this attribute, Amazon applications are unable to determine if the account is enabled or disabled.

    Read access to this attribute is provided by default when a trust is created. If you deny access to this attribute (not recommended), you will break applications like Identity Center from being able to read trusted users. The solution is to specifically allow Read access to the userAccountControl attribute on the Amazon service accounts under the Amazon Reserved OU (prefixed with Amazon_).

  • Create an AD Connector – AD Connector is a directory gateway that can redirect directory requests to your self-managed AD without caching any information in the cloud. For more information, see Connect to a Directory in the Amazon Directory Service Administration Guide. The following are considerations when using AD Connector:

    • If you are connecting IAM Identity Center to an AD Connector directory, any future user password resets must be done from within AD. This means that users won't be able to reset their passwords from the Amazon Web Services access portal.

    • If you use AD Connector to connect your Active Directory Domain Service to IAM Identity Center, IAM Identity Center only has access to the users and groups of the single domain to which AD Connector attaches. If you need to support multiple domains or forests, use Amazon Directory Service for Microsoft Active Directory.

    Note

    IAM Identity Center does not work with SAMBA4-based Simple AD directories.