Configuring federation to the AMS console - AMS Advanced Onboarding Guide

Configuring federation to the AMS console

The IAM roles and SAML identity provider (Trusted Entity) detailed in the following table have been provisioned as part of your account onboarding. These roles allow you to submit and monitor RFCs, service requests, and incident reports, as well as get information on your VPCs and stacks.

Role Identity Provider Permissions



For standard AMS accounts. Allows you to submit RFCs to make changes to AMS-managed infrastructure, as well as create service requests and incidents.



For AMS Managed Active Directory accounts. Allows you to login to the AMS Console to create service requests and incidents (no RFCs).

For the full list of the roles available under different accounts see IAM User Role.

A member of the onboarding team uploads the metadata file from your federation solution to the pre-configured identity provider. You use a SAML identity provider when you want to establish trust between a SAML-compatible IdP (identity provider) such as Shibboleth or Active Directory Federation Services, so that users in your organization can access AWS resources. SAML identity providers in IAM are used as principals in an IAM trust policy with the above roles.

While other federation solutions provide integration instructions for AWS, AMS has separate instructions. Using the following blog post, Enabling Federation to AWS Using Windows Active Directory, AD FS, and SAML 2.0, along with the amendments given below, will enable your corporate users to access multiple AWS accounts from a single browser.

After creating the relying party trust as per the blog post, configure the claims rules in the following way:

  • NameId: Follow the blog post.

  • RoleSessionName: Use the following values:

    • Claim rule name: RoleSessionName

    • Attribute store: Active Directory

    • LDAP Attribute: SAM-Account-Name

    • Outgoing Claim Type:

  • Get AD Groups: Follow the blog post.

  • Role claim: Follow the blog post, but for the Custom rule, use this:

    c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-([^d]{12})-"] => issue(Type = "", Value = RegExReplace(c.Value, "AWS-([^d]{12})-", "arn:aws:iam::$1:saml-provider/customer-readonly-saml,arn:aws:iam::$1:role/"));

When using AD FS, you must create Active Directory security groups for each role in the format shown in the following table (customer_managed_ad_user_role is for AMS Managed AD accounts only):

Group Role





For further information, see Configuring SAML Assertions for the Authentication Response.


To help with troubleshooting, download the SAML tracer plugin for your browser.