AWS Identity and Access Management
User Guide

Creating OpenID Connect (OIDC) Identity Providers

OIDC identity providers are entities in IAM that describe an identity provider (IdP) service that supports the OpenID Connect (OIDC) standard. You use an OIDC identity provider when you want to establish trust between an OIDC-compatible IdP—such as Google, Salesforce, and many others—and your AWS account. This is useful when creating a mobile app or web application that requires access to AWS resources, but you don't want to create custom sign-in code or manage your own user identities. For more information about this scenario, see About Web Identity Federation.

You can create and manage an OIDC identity provider using the AWS Management Console, the AWS Command Line Interface, the Tools for Windows PowerShell, or the IAM API.

Creating and Managing an OIDC Provider (Console)

Follow these instructions to create and manage an OIDC provider in the AWS Management Console.

To create an OIDC identity provider (console)

  1. Before you create an OIDC identity provider in IAM, you must register your application with the IdP to receive a client ID. The client ID (also known as audience) is a unique identifier for your app that is issued to you when you register your app with the IdP. For more information about obtaining a client ID, see the documentation for your IdP.

  2. Open the IAM console at https://console.aws.amazon.com/iam/.

  3. In the navigation pane, click Identity Providers, and then click Create Provider.

  4. For Provider Type, click Choose a provider type, and then choose OpenID Connect.

  5. For Provider URL, type the URL of the IdP. The URL must comply with these restrictions:

    • The URL is case-sensitive.

    • The URL must begin with https://.

    • Apart from the colon in https://, the URL cannot include a colon (:) character, and therefore cannot specify a port number. The IdP server must be listening on the default HTTPS port, 443.

    • Within your AWS account, each OIDC identity provider must use a unique URL.

  6. For Audience, type the client ID of the application that you registered with the IdP and received in Step 1, and that will make requests to AWS. If you have additional client IDs (also known as audiences) for this IdP, you can add them later on the provider detail page. Click Next Step.

  7. For Thumbprint, enter the thumbprint of your IdP's server certificate: the hex-encoded SHA-1 hash of the certificate, a 40-character string. IAM uses this thumbprint to verify the IdP's server certificate. To learn how to obtain it, see Obtaining the Thumbprint for an OpenID Connect Identity Provider. Click Create.

  8. In the confirmation message at the top of the screen, click Do this now to go to the Roles tab and create a role for this identity provider. For more information about creating a role for an OIDC identity provider, see Creating a Role for a Third-Party Identity Provider (Federation). Identities federated through an OIDC identity provider can access your AWS account only by assuming a role that trusts that provider, so the provider is of no use until such a role exists. To skip this step and create the role later, click Close.
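As an added example that is not part of the AWS documentation, the following shell script checks the two values most often entered incorrectly in the procedure above: it applies the Provider URL restrictions from step 5, and it computes the Thumbprint for step 7 from a PEM certificate in the format IAM accepts (the SHA-1 hash of the certificate's DER bytes as 40 lowercase hex characters, without the colons that openssl prints). The host names are placeholders, the embedded PEM is constructed data whose body is only the base64 of the word "hello" (not a real certificate), and the script assumes a POSIX shell with base64 and sha1sum or shasum on PATH.

```shell
#!/usr/bin/env bash
# Added example, not part of the AWS documentation: pre-flight checks for the
# values entered in steps 5 (Provider URL) and 7 (Thumbprint) above.
# Assumes a POSIX shell with base64 and sha1sum (or shasum) on PATH.
# Host names and the sample PEM below are placeholders / constructed data.
set -eu

# Apply the Provider URL restrictions listed in step 5. Returns 0 if the URL
# is acceptable, 1 (with a reason on stderr) otherwise.
check_provider_url() {
  url=$1
  case $url in
    https://*) ;;
    *) echo "rejected: URL must begin with https://" >&2; return 1 ;;
  esac
  rest=${url#https://}          # the scheme's own colon is the only one allowed
  case $rest in
    "")  echo "rejected: URL has no host" >&2; return 1 ;;
    *:*) echo "rejected: no colon (so no port number); IdP must listen on 443" >&2; return 1 ;;
  esac
  return 0
}

# IAM names the provider after the URL without its scheme and compares it
# case-sensitively: https://Accounts.Example.com and https://accounts.example.com
# would be two different providers in the same account.
provider_name() {
  printf '%s\n' "${1#https://}"
}

sha1_hex() {
  if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi | cut -c1-40
}

# Read one PEM certificate from stdin and print the thumbprint IAM expects:
# the SHA-1 hash of the certificate's DER bytes (the decoded base64 body),
# as 40 lowercase hex characters with no separators.
# `openssl x509 -fingerprint -sha1 -noout` prints the same hash as
# colon-separated uppercase pairs; IAM wants it without colons, so use this
# function or strip the colons and lowercase the result before pasting it.
pem_thumbprint() {
  body=$(tr -d '\r' \
    | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' \
    | sed '/^-----/d' | tr -d '\n ')
  [ -n "$body" ] || { echo "no PEM certificate found on stdin" >&2; return 1; }
  printf '%s' "$body" | base64 -d | sha1_hex
}

# Constructed stand-in, NOT a real certificate: its body is base64("hello"),
# so the output can be checked against the well-known SHA-1 of "hello".
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----'

if [ "${1:-}" = "--demo" ]; then
  check_provider_url "https://accounts.example.com" && echo "URL accepted"
  check_provider_url "https://accounts.example.com:8443" || echo "URL rejected (port number)"
  # With a real IdP, capture its server certificate first, for example:
  #   openssl s_client -servername accounts.example.com \
  #     -connect accounts.example.com:443 </dev/null 2>/dev/null \
  #     | openssl x509 > idp.pem
  #   pem_thumbprint < idp.pem
  printf '%s\n' "$SAMPLE_PEM" | pem_thumbprint   # aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
fi
```

Run it with --demo to see both checks; feed pem_thumbprint a single certificate at a time, since a chain file would be hashed as one blob and give a value IAM will never match.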

To add or remove a thumbprint or client ID (also known as audience) for an OIDC identity provider (console)

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, click Identity Providers, then click the name of the identity provider that you want to update.

  3. To add a thumbprint or audience, click Add a Thumbprint or Add an Audience. To remove a thumbprint or audience, click Remove next to the item that you want to remove.

    Note

    An OIDC identity provider must have at least one and at most five thumbprints, and at least one and at most 100 audiences.

  4. When you are done, click Save Changes.

To delete an OIDC identity provider (console)

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, click Identity Providers.

  3. Select the check box next to the identity provider that you want to delete.

  4. Click Delete Providers.

Creating and Managing an OIDC Identity Provider (AWS CLI)

You can use the following AWS CLI commands to create and manage OIDC providers.

To create an OIDC identity provider (AWS CLI)

  1. (Optional) To get a list of all the OIDC providers in your AWS account, run the following command:

  2. To create a new OIDC provider, run the following command:

To update the list of server certificate thumbprints for an existing OIDC provider (AWS CLI)

To add or remove a client ID from an existing OIDC provider (AWS CLI)

  1. (Optional) To get a list of all the OIDC providers in your AWS account, run the following command:

  2. (Optional) To get detailed information about an OIDC provider, run the following command:

  3. To add a new client ID to an existing OIDC provider, run the following command:

  4. To remove a client ID from an existing OIDC provider, run the following command:

To delete an OIDC identity provider (AWS CLI)

  1. (Optional) To get a list of all the OIDC providers in your AWS account, run the following command:

  2. (Optional) To get detailed information about an OIDC provider, run the following command:

  3. To delete an OIDC provider, run the following command:

Creating and Managing an OIDC Identity Provider (AWS API)

You can use the following IAM API operations to create and manage OIDC providers.

To create an OIDC identity provider (AWS API)

  1. (Optional) To get a list of all the OIDC providers in your AWS account, call the following operation:

  2. To create a new OIDC provider, call the following operation:

To update the list of server certificate thumbprints for an existing OIDC provider (AWS API)

To add or remove a client ID from an existing OIDC provider (AWS API)

  1. (Optional) To get a list of all the OIDC providers in your AWS account, call the following operation:

  2. (Optional) To get detailed information about an OIDC provider, call the following operation:

  3. To add a new client ID to an existing OIDC provider, call the following operation:

  4. To remove a client ID from an existing OIDC provider, call the following operation:

To delete an OIDC identity provider (AWS API)

  1. (Optional) To get a list of all the OIDC providers in your AWS account, call the following operation:

  2. (Optional) To get detailed information about an OIDC provider, call the following operation:

  3. To delete an OIDC provider, call the following operation:
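The AWS CLI procedures and the IAM API procedures above describe the same operations, so one added example (not part of the AWS documentation) serves both: a shell script that wraps each AWS CLI command from the procedures in a function and names, in the function's comment, the IAM API operation that command calls. It assumes the AWS CLI is installed and credentials with the matching iam: permissions are configured; the provider URL, client IDs, thumbprints and account ID used in the demo are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the AWS documentation: the CLI procedures above as
# shell functions. Each wraps one AWS CLI command; the comment names the IAM
# API operation that command calls. Assumes the AWS CLI is installed and that
# credentials with the matching iam: permissions are configured. The URL,
# client IDs, account ID and thumbprints in the demo are placeholders.
set -eu

# ListOpenIDConnectProviders: print the ARN of every provider in the account.
list_providers() {
  aws iam list-open-id-connect-providers \
    --query 'OpenIDConnectProviderList[].Arn' --output text | tr '\t' '\n'
}

# IAM names the provider after the URL minus its scheme, so the ARN (in the
# "aws" partition) is known before creation; compare it with list_providers
# output to detect the "unique URL per account" restriction early.
expected_provider_arn() {   # $1 = 12-digit account ID, $2 = provider URL
  printf 'arn:aws:iam::%s:oidc-provider/%s\n' "$1" "${2#https://}"
}

# CreateOpenIDConnectProvider: $1 = URL, $2 = client ID (audience),
# $3.. = one to five thumbprints. Prints the new provider's ARN.
create_provider() {
  url=$1; client_id=$2; shift 2
  aws iam create-open-id-connect-provider \
    --url "$url" --client-id-list "$client_id" --thumbprint-list "$@" \
    --query 'OpenIDConnectProviderArn' --output text
}

# GetOpenIDConnectProvider: URL, audiences and thumbprints of one provider.
get_provider() {
  aws iam get-open-id-connect-provider --open-id-connect-provider-arn "$1"
}

# UpdateOpenIDConnectProviderThumbprint: $1 = ARN, $2.. = thumbprints.
# Caveat: the list you pass REPLACES the stored list. To rotate the IdP's
# certificate without an outage, pass the old and the new thumbprint
# together; passing only the new one silently drops the old.
update_thumbprints() {
  arn=$1; shift
  aws iam update-open-id-connect-provider-thumbprint \
    --open-id-connect-provider-arn "$arn" --thumbprint-list "$@"
}

# AddClientIDToOpenIDConnectProvider / RemoveClientIDFromOpenIDConnectProvider.
# Every client ID registered here is an audience the provider accepts, so
# remove the IDs of retired apps rather than letting them accumulate.
add_client_id() {
  aws iam add-client-id-to-open-id-connect-provider \
    --open-id-connect-provider-arn "$1" --client-id "$2"
}
remove_client_id() {
  aws iam remove-client-id-from-open-id-connect-provider \
    --open-id-connect-provider-arn "$1" --client-id "$2"
}

# DeleteOpenIDConnectProvider. Roles whose trust policy names the deleted
# provider are not removed; they simply stop accepting its tokens, so
# clean them up separately.
delete_provider() {
  aws iam delete-open-id-connect-provider --open-id-connect-provider-arn "$1"
}

if [ "${1:-}" = "--demo" ]; then
  # Placeholder values: replace with your IdP's URL, your app's client ID
  # and the thumbprint(s) of the IdP's server certificate.
  url=https://accounts.example.com
  old_thumb=aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
  new_thumb=0000000000000000000000000000000000000000
  echo "will create: $(expected_provider_arn 123456789012 "$url")"
  arn=$(create_provider "$url" my-app-client-id "$old_thumb")
  echo "created $arn"
  add_client_id "$arn" my-second-app-client-id
  update_thumbprints "$arn" "$old_thumb" "$new_thumb"   # keep both during rotation
  get_provider "$arn"
  remove_client_id "$arn" my-second-app-client-id
  delete_provider "$arn"
  list_providers
fi
```

Run it with --demo to execute the full create, add audience, rotate thumbprint, inspect, remove audience and delete cycle against your account. The one step that is easy to get wrong is the thumbprint update: update-open-id-connect-provider-thumbprint replaces the stored list rather than appending to it, which is why the demo passes the old and the new thumbprint together.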