Connect to an external identity provider - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connect to an external identity provider

If you're using a self-managed directory in Active Directory or an Amazon Managed Microsoft AD, see Connect to a Microsoft AD directory. For other external identity providers (IdPs), you can use Amazon IAM Identity Center to authenticate identities from the IdPs through the Security Assertion Markup Language (SAML) 2.0 standard. This enables your users to sign in to the Amazon Web Services access portal with their corporate credentials. They can then navigate to their assigned accounts, roles, and applications hosted in external IdPs.

For example, you can connect an external IdP such as Okta or Microsoft Entra ID, to IAM Identity Center. Your users can then sign in to the Amazon Web Services access portal with their existing Okta or Microsoft Entra ID credentials. To control what your users can do once they've signed in, you can assign them access permissions centrally across all the accounts and applications in your Amazon organization. In addition, developers can simply sign in to the Amazon Command Line Interface (Amazon CLI) using their existing credentials, and benefit from automatic short-term credential generation and rotation.

The SAML protocol does not provide a way to query the IdP to learn about users and groups. Therefore, you must make IAM Identity Center aware of those users and groups by provisioning them into IAM Identity Center.

Provisioning when users come from an external IdP

When using an external IdP, you must provision all applicable users and groups into IAM Identity Center before you can make any assignments to Amazon Web Services accounts or applications. To do this, you can configure Automatic provisioning for your users and groups, or use Manual provisioning. Regardless of how you provision users, IAM Identity Center redirects the Amazon Web Services Management Console, command line interface, and application authentication to your external IdP. IAM Identity Center then grants access to those resources based on policies you create in IAM Identity Center. For more information about provisioning, see User and group provisioning.

How to connect to an external identity provider

There are step-by-step tutorials available for the supported IdPs:

There are different prerequisites, considerations, and provisioning procedures for the different supported external IdPs. The following procedure provides a general overview of the procedure that's used with all external identity providers.

To connect to an external identity provider
  1. Open the IAM Identity Center console.

  2. Choose Settings.

  3. On the Settings page, choose the Identity source tab, and then choose Actions > Change identity source.

  4. Under Choose identity source, select External identity provider, and then choose Next.

  5. Under Configure external identity provider, do the following:

    1. Under Service provider metadata, choose Download metadata file to download the metadata file and save it on your system. The IAM Identity Center SAML metadata file is required by your external identity provider.

    2. Under Identity provider metadata, choose Choose file, and locate the metadata file that you downloaded from your external identity provider. Then upload the file. This metadata file contains the necessary public x509 certificate used to trust messages that are sent from the IdP.

    3. Choose Next.

    Important

    Changing your source to or from Active Directory removes all existing user and group assignments. You must manually reapply assignments after you have successfully changed your source.

  6. After you read the disclaimer and are ready to proceed, enter ACCEPT.

  7. Choose Change identity source. A status message informs you that you successfully changed the identity source.