Prerequisites and considerations
Before you set up trusted identity propagation, review the following prerequisites and considerations.
Prerequisites
To use trusted identity propagation, ensure your environment meets the following prerequisites:
- Enable and provision IAM Identity Center: To use trusted identity propagation, you must enable IAM Identity Center in the same Amazon Web Services Region where the Amazon applications and services your users will access are enabled. For information, see Enable IAM Identity Center.
  - IAM Identity Center organization instance is recommended: We recommend that you use an organization instance of IAM Identity Center that you enable in the management account of Amazon Organizations. You can delegate administration of an organization instance of IAM Identity Center to a member account. If you choose an account instance of IAM Identity Center, all Amazon Web Services services that you want users to access with trusted identity propagation must reside in the same Amazon Web Services account where you enable IAM Identity Center. For more information, see Account instances of IAM Identity Center.
- Connect your existing identity provider to IAM Identity Center and provision your users and groups into IAM Identity Center. For more information, see IAM Identity Center identity source tutorials.
- Connect the Amazon managed applications and services in your trusted identity propagation use case to IAM Identity Center. To use trusted identity propagation, Amazon managed applications must be connected to IAM Identity Center.
Considerations
Keep in mind the following considerations when configuring and using trusted identity propagation:
- Organization vs. account instance of IAM Identity Center: An organization instance of IAM Identity Center gives you the most control and flexibility to grow your use cases to multiple Amazon Web Services accounts, users, and Amazon Web Services services. If you are unable to use an organization instance, your use case may be supported with account instances of IAM Identity Center. To learn more about which Amazon Web Services services in your use case support account instances of IAM Identity Center, see Amazon managed applications that you can use with IAM Identity Center.
- Multi-account permissions (permission sets) not required: Trusted identity propagation doesn't require you to set up multi-account permissions (permission sets). You can enable IAM Identity Center and use it for trusted identity propagation only.
Considerations for customer managed applications
Your workforce can benefit from trusted identity propagation even if your users interact with client-facing applications that are not managed by Amazon, for example Tableau or your custom-developed applications. The users of these applications may not be provisioned in IAM Identity Center. To enable the smooth recognition and authorization of user access to Amazon resources, IAM Identity Center enables you to configure a trusted relationship between the identity provider authenticating your users and IAM Identity Center. For more information, see Using applications with a trusted token issuer.
In addition, configuring trusted identity propagation for your application requires the following:
- Your application must use the OAuth 2.0 framework for authentication. Trusted identity propagation does not support SAML 2.0 integrations.
- Your application must be recognized by IAM Identity Center. Follow the guidance specific to your use case.
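The following is an added example, not code from the AWS documentation or from IAM Identity Center itself. It shows an offline pre-flight check that a customer managed application can run on an external identity provider's OAuth 2.0 ID token before handing that token to IAM Identity Center. It assumes, beyond what the page states, that the trusted token issuer is configured with the identity provider's issuer URL and maps one token claim (here `email`) to the Identity Center user attribute, and that the application's audience value is registered with Identity Center. The issuer URL, audience, and token contents are constructed placeholders, and the token is unsigned; signature verification against the issuer's keys is performed by IAM Identity Center and is deliberately not reproduced here.

```python
# Added example (not from the AWS documentation page): offline pre-flight
# check of an external IdP's ID token before the OAuth 2.0 token exchange
# with IAM Identity Center. Assumptions not stated on the page: the trusted
# token issuer is configured with an issuer URL and maps the "email" claim to
# the Identity Center user attribute, and the audience value is registered.
import base64
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned (alg=none) token for local testing only."""
    header = {"alg": "none", "typ": "JWT"}
    encoded = [
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    ]
    return ".".join(encoded) + "."  # empty signature segment


def decode_jwt_unverified(token: str) -> tuple:
    """Split a compact JWT into (header, payload) without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def preflight_check(token, expected_issuer, expected_audience,
                    mapped_claim="email", now=None):
    """Return a list of problems; an empty list means the token looks exchangeable."""
    now = time.time() if now is None else now
    problems = []
    try:
        _, claims = decode_jwt_unverified(token)
    except ValueError as exc:  # covers JSON and base64 decoding errors too
        return [f"malformed token: {exc}"]
    # The issuer must be the one configured on the trusted token issuer.
    if claims.get("iss") != expected_issuer:
        problems.append(
            f"issuer {claims.get('iss')!r} does not match configured issuer URL")
    # "aud" may be a single string or a list; the registered audience must appear.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append(
            f"audience {aud!r} does not include registered audience {expected_audience!r}")
    # Without the mapped claim, no Identity Center user can be resolved.
    if not claims.get(mapped_claim):
        problems.append(f"mapped claim {mapped_claim!r} is missing")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


# Constructed sample values (placeholders, not real endpoints or identities).
ISSUER = "https://idp.example.com/oauth2/default"
AUDIENCE = "example-client-id"
NOW = 1_700_000_000

GOOD_TOKEN = make_unsigned_jwt({
    "iss": ISSUER, "aud": AUDIENCE, "sub": "u-123",
    "email": "alice@example.com", "exp": NOW + 600})
WRONG_ISSUER_TOKEN = make_unsigned_jwt({
    "iss": "https://other.example.net", "aud": AUDIENCE,
    "email": "alice@example.com", "exp": NOW + 600})
NO_EMAIL_TOKEN = make_unsigned_jwt({
    "iss": ISSUER, "aud": [AUDIENCE, "other-client"], "sub": "u-123",
    "exp": NOW + 600})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("wrong issuer", WRONG_ISSUER_TOKEN),
                      ("no email", NO_EMAIL_TOKEN)]:
        print(name, preflight_check(tok, ISSUER, AUDIENCE, now=NOW) or "ok")
```

Running the check before the exchange turns an opaque rejection from the token exchange into a specific configuration finding (wrong issuer URL, unregistered audience, or a missing mapped attribute); it is a diagnostic aid and does not replace the signature and issuer validation that IAM Identity Center performs.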