AWS Identity and Access Management
User Guide

Obtaining the Thumbprint for an OpenID Connect Identity Provider

When you create an OpenID Connect (OIDC) identity provider in IAM, you must supply a thumbprint for the identity provider (IdP). The thumbprint is the SHA-1 fingerprint of the unique server certificate that is used by the OIDC-compatible IdP. When you create an OIDC identity provider in IAM, you are trusting identities authenticated by that IdP with access to your AWS account. By supplying the OIDC IdP's thumbprint, you assert to AWS that you wish to trust a particular OIDC IdP with this access.

When you create an OIDC identity provider with the AWS Command Line Interface, the Tools for Windows PowerShell, or the IAM API, you must obtain the thumbprint manually and supply it to AWS. When you create an OIDC identity provider with the IAM console, the console attempts to fetch the thumbprint for you. We recommend that you also obtain the thumbprint for your OIDC IdP manually and verify that the thumbprint obtained by the IAM console matches the one you expect for your OIDC provider.

You use a web browser and the OpenSSL command line tool to obtain the thumbprint for an OIDC provider. For more information, see the following sections.

To obtain the thumbprint for an OIDC IdP

  1. Before you can obtain the thumbprint for an OIDC IdP, you need to obtain the OpenSSL command-line tool. You use this tool to download the OIDC IdP's certificate chain and produce a thumbprint of the final certificate in the certificate chain. If you need to install and configure OpenSSL, follow the instructions at Install OpenSSL and Configure OpenSSL.

  2. Start with the OIDC IdP's URL (for example, https://server.example.com), and then add /.well-known/openid-configuration to form the URL for the IdP's configuration document, like the following:

    https://server.example.com/.well-known/openid-configuration

    Open this URL in a web browser, replacing server.example.com with your IdP's server name.

  3. In the document displayed in your web browser, find "jwks_uri". (Use your web browser's Find feature to locate this text on the page.) Immediately following the text "jwks_uri" you will see a colon (:) followed by a URL. Copy the fully qualified domain name of the URL. Do not include the https:// or any path that comes after the top-level domain.

  4. Use the OpenSSL command-line tool to execute the following command. Replace keys.example.com with the domain name you obtained in Step 3.

    openssl s_client -showcerts -connect keys.example.com:443

  5. In your command window, scroll up until you see a certificate similar to the following example. If you see more than one certificate, find the last certificate that is displayed (at the bottom of the command output).

    -----BEGIN CERTIFICATE-----
    MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC
    VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6
    b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd
    BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN
    MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
    VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z
    b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt
    YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ
    21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T
    rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE
    Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4
    nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb
    FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb
    NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE=
    -----END CERTIFICATE-----

    Copy the certificate (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) and paste it into a text file. Then save the file with the file name certificate.crt.

  6. Use the OpenSSL command-line tool to execute the following command.

    openssl x509 -in certificate.crt -fingerprint -noout

    Your command window displays the certificate thumbprint, which looks similar to the following example:

    SHA1 Fingerprint=99:0F:41:93:97:2F:2B:EC:F1:2D:DE:DA:52:37:F9:C9:52:F2:0D:9E

    Remove the colon characters (:) from this string to produce the final thumbprint, like this:

    990F4193972F2BECF12DDEDA5237F9C952F20D9E

  7. If you are creating the IAM identity provider with the AWS CLI, Tools for Windows PowerShell, or the IAM API, supply this thumbprint when creating the provider.

    If you are creating the OIDC provider in the IAM console, compare this thumbprint to the thumbprint that you see in the console on the Verify Provider Information page when creating an OIDC provider.

    Important

    If the thumbprint you obtained does not match the one you see in the console, you should not create the OIDC provider in IAM. Instead, you should wait a while and then try again to create the OIDC provider, ensuring that the thumbprints match before you create the provider. If the thumbprints still do not match after a second attempt, use the IAM Forum to contact AWS.
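The manual procedure above, steps 3 through 6, as an added Python example (not code from the AWS guide). It uses only the standard library plus the openssl binary for the network step; the `-servername` flag (SNI) and the constructed sample configuration and `s_client` output are additions so the parsing and hashing steps can be run and checked offline.

```python
import base64
import hashlib
import json
import re
import subprocess
from urllib.parse import urlparse

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def jwks_host(openid_configuration: str) -> str:
    """Step 3: host name of jwks_uri with no scheme, port or path."""
    return urlparse(json.loads(openid_configuration)["jwks_uri"]).hostname

def fetch_chain(host: str, port: int = 443) -> str:
    """Step 4: `openssl s_client -showcerts` output for the JWKS host (needs network).
    -servername sends SNI, so a host on a shared front end returns its own chain."""
    cmd = ["openssl", "s_client", "-showcerts", "-servername", host, "-connect", f"{host}:{port}"]
    return subprocess.run(cmd, input="", capture_output=True, text=True, check=False).stdout

def last_certificate(s_client_output: str) -> str:
    """Step 5: the last PEM block printed, i.e. the bottom certificate in the chain."""
    certs = PEM_RE.findall(s_client_output)
    if not certs:
        raise ValueError("no certificate found in s_client output")
    return certs[-1]

def thumbprint(pem: str) -> str:
    """Step 6: SHA-1 over the DER bytes (the base64 body between the PEM markers),
    rendered as 40 uppercase hex digits with no colons, which is what IAM expects."""
    body = "".join(pem.strip().splitlines()[1:-1])
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()

def from_openssl_fingerprint(line: str) -> str:
    """Step 6 alternative: normalise the `SHA1 Fingerprint=AA:BB:...` line openssl prints."""
    return line.split("=", 1)[1].strip().replace(":", "").upper()

# Constructed sample input so the parsing steps run offline (real bodies are DER, not text).
def pem_block(data: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % base64.b64encode(data).decode()

SAMPLE_CONFIG = json.dumps({"issuer": "https://server.example.com",
                            "jwks_uri": "https://keys.example.com/oauth2/v1/keys"})
SAMPLE_S_CLIENT = ("CONNECTED(00000003)\n 0 s:CN=keys.example.com\n" + pem_block(b"constructed leaf")
                   + "\n 1 s:CN=Constructed Root CA\n" + pem_block(b"constructed root") + "\n---\n")

if __name__ == "__main__":
    host = jwks_host(SAMPLE_CONFIG)
    print(host, thumbprint(last_certificate(SAMPLE_S_CLIENT)))  # offline demo with sample data
    # Live use: print(thumbprint(last_certificate(fetch_chain(host))))
```

Compare the live result against the value the IAM console shows on the Verify Provider Information page before creating the provider.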

Install OpenSSL

If you don't already have OpenSSL installed, follow the instructions in this section.

To install OpenSSL on Linux or Unix

  1. Go to OpenSSL: Source, Tarballs (https://openssl.org/source/).

  2. Download the latest source and build the package.

To install OpenSSL on Windows

  1. Go to OpenSSL: Binary Distributions (https://wiki.openssl.org/index.php/Binaries) for a list of sites from which you can install the Windows version.

  2. Follow the instructions on your selected site to start the installation.

  3. If you are asked to install the Microsoft Visual C++ 2008 Redistributables and it is not already installed on your system, click the download link appropriate for your environment. Follow the instructions provided by the Microsoft Visual C++ 2008 Redistributable Setup Wizard.

    Note

    If you are not sure whether the Microsoft Visual C++ 2008 Redistributables are already installed on your system, you can try installing OpenSSL first. The OpenSSL installer displays an alert if the Microsoft Visual C++ 2008 Redistributables are not yet installed. Make sure you install the architecture (32-bit or 64-bit) that matches the version of OpenSSL that you install.

  4. After you have installed the Microsoft Visual C++ 2008 Redistributables, select the appropriate version of the OpenSSL binaries for your environment and save the file locally. Start the OpenSSL Setup Wizard.

  5. Follow the instructions described in the OpenSSL Setup Wizard.

Configure OpenSSL

Before you use OpenSSL commands, you must configure the operating system so that it has information about the location where OpenSSL is installed.

To configure OpenSSL on Linux or Unix

  1. At the command line, set the OpenSSL_HOME variable to the location of the OpenSSL installation:

    $ export OpenSSL_HOME=path_to_your_OpenSSL_installation

  2. Set the path to include the OpenSSL installation:

    $ export PATH=$PATH:$OpenSSL_HOME/bin

    Note

    Any changes you make to environment variables with the export command are valid only for the current session. You can make persistent changes to the environment variables by setting them in your shell configuration file. For more information, see the documentation for your operating system.

To configure OpenSSL on Windows

  1. Open a Command Prompt window.

  2. Set the OpenSSL_HOME variable to the location of the OpenSSL installation:

    C:\> set OpenSSL_HOME=path_to_your_OpenSSL_installation

  3. Set the OpenSSL_CONF variable to the location of the configuration file in your OpenSSL installation:

    C:\> set OpenSSL_CONF=path_to_your_OpenSSL_installation\bin\openssl.cfg

  4. Set the path to include the OpenSSL installation:

    C:\> set Path=%Path%;%OpenSSL_HOME%\bin

    Note

    Any changes you make to Windows environment variables in a Command Prompt window are valid only for the current command line session. You can make persistent changes to the environment variables by setting them as system properties. The exact procedure depends on what version of Windows you're using. (For example, in Windows 7, open Control Panel, System and Security, System. Then choose Advanced system settings, Advanced tab, Environment Variables.) For more information, see the Windows documentation.