Considerations for changing your identity source

Assignments removed and users and groups deleted – Changing your identity source to Active Directory deletes your users and groups from the Identity Center directory. This change also removes your assignments. In this case, after you change to Active Directory, you must synchronize your users and groups from Active Directory into the Identity Center directory, and then reapply their assignments.

If you choose to not use Active Directory, you must create your users and groups in the Identity Center directory, and then make assignments.

Assignments aren't deleted when identities are deleted – When identities are deleted in the Identity Center directory, corresponding assignments also get deleted in IAM Identity Center. However in Active Directory, when identities are deleted (either in Active Directory or the synced identities), corresponding assignments aren't deleted.

No outbound synchronization for APIs – If you use Active Directory as your identity source, we recommend that you use the Create, Update, and Delete APIs with caution. IAM Identity Center doesn't support outbound synchronization, so your identity source doesn't automatically update with the changes that you make to users or groups using these APIs.

Access portal URL will change – Changing your identity source between IAM Identity Center and Active Directory also changes the URL for the Amazon Web Services access portal.

Existing user session expiration can take up to two hours – Once the users and groups are deleted from the Identity Center directory, users with active sessions can continue to access the Amazon Web Services access portal and integrated Amazon applications for up to two hours. For information about authentication session duration and user behavior, see Authentication.

Assignments and memberships work with correct assertions – your user assignments, group assignments, and group memberships continue to work as long as the new IdP sends the correct assertions (for example, SAML nameIDs). These assertions must match the user names and groups in IAM Identity Center.

No outbound synchronization – IAM Identity Center doesn't support outbound synchronization, so your external IdP won't automatically update with changes to users and groups that you make in IAM Identity Center.

SCIM provisioning – if you are using SCIM provisioning, changes to users and groups in your identity provider reflect only in IAM Identity Center after your identity provider sends those changes to IAM Identity Center. See Considerations for using automatic provisioning.

Rollback – you can revert your identity source back to using IAM Identity Center at any time. See Changing from an external IdP to IAM Identity Center.

Existing user sessions are revoked on session duration expiry – Once you change your identity source to an external identity provider, active user sessions persist for the remainder of the maximum session duration configured in the console. For example, if the Amazon Web Services access portal session duration is set to eight hours, and you changed the identity source in the fourth hour, active user sessions persist for an additional four hours. To revoke user sessions, see Delete sessions for the Amazon Web Services access portal and Amazon integrated applications.

If users are deleted or disabled in the IAM Identity Center console, using Identity Store APIs, or SCIM provisioning, users with active sessions can continue to access the Amazon Web Services access portal and integrated Amazon applications for up to two hours.

IAM Identity Center preserves all your assignments.

Force password reset – Users who had passwords in IAM Identity Center can continue signing in with their old passwords. For users who were in the external IdP and weren't in IAM Identity Center, an administrator must force a password reset.

Existing user sessions are revoked on session duration expiry – Once you change your identity source to IAM Identity Center, active user sessions persist for the remaining duration of the maximum session duration configured in the console. For example, if the Amazon Web Services access portal session duration is eight hours, and you changed the identity source at fourth hour, active user sessions continue to run for an additional four hours. To revoke user sessions, see Delete sessions for the Amazon Web Services access portal and Amazon integrated applications.

If users are deleted or disabled in the IAM Identity Center console, using Identity Store APIs, or SCIM provisioning, users with active sessions can continue to access the Amazon Web Services access portal and integrated Amazon applications for up to two hours.

Assignments and memberships work with correct assertions – IAM Identity Center preserves all of your assignments. The user assignments, group assignments, and group memberships continue to work as long as the new IdP sends the correct assertions (for example, SAML nameIDs).

These assertions must match the user names in IAM Identity Center when your users authenticate through the new external IdP.

SCIM provisioning – If you are using SCIM for provisioning into IAM Identity Center, we recommend that you review the IdP-specific information in this guide and the documentation provided by the IdP to ensure that the new provider matches users and groups correctly when SCIM is enabled.

Existing user sessions are revoked on session duration expiry – Once you change your identity source to different external identity provider, active user sessions persist for the remaining duration of the maximum session duration configured in the console. For example, if the Amazon Web Services access portal session duration is eight hours, and you changed the identity source at fourth hour, active user sessions persist for an additional four hours. To revoke user sessions, see Delete sessions for the Amazon Web Services access portal and Amazon integrated applications.

If users are deleted or disabled in the IAM Identity Center console, using Identity Store APIs, or SCIM provisioning, users with active sessions can continue to access the Amazon Web Services access portal and integrated Amazon applications for up to two hours.

Users, groups, and assignments are deleted – All users, groups, and assignments are deleted from IAM Identity Center. No user or group information is affected in either the external IdP or Active Directory.

Provisioning users – If you change to an external IdP, you must configure IAM Identity Center to provision your users. Alternatively, you must manually provision the users and groups for the external IdP before you can configure assignments.

Create assignments and groups – If you change to Active Directory, you must create assignments with the users and groups that are in your directory in Active Directory.

Existing user sessions expiration can take up to two hours – Once the users and groups are deleted from the Identity Center directory, users with active sessions can continue to access the Amazon Web Services access portal and integrated Amazon applications for up to two hours. For information about authentication session duration and user behavior, see Authentication.