Considerations for changing your identity source - AWS IAM Identity Center

Considerations for changing your identity source

Although you can change your identity source at any time, we recommend that you consider how this change might affect your current deployment.

If you're already managing users and groups in one identity source, changing to a different identity source might remove all user and group assignments that you configured in IAM Identity Center. If this occurs, all users, including the administrative user in IAM Identity Center, will lose single sign-on access to their AWS accounts and applications.

Before you change the identity source for IAM Identity Center, review the following considerations. If you want to proceed with changing your identity source, see Change your identity source for more information.

Changing between IAM Identity Center and Active Directory

If you're already managing users and groups in Active Directory, we recommend that you consider connecting your directory when you enable IAM Identity Center and choose your identity source. Do this before you create any users and groups in the default Identity Center directory and make any assignments.

If you're already managing users and groups in the default Identity Center directory, consider the following:

  • Assignments removed and users and groups deleted – Changing your identity source to Active Directory deletes your users and groups from the Identity Center directory. This change also removes your assignments. In this case, after you change to Active Directory, you must synchronize your users and groups from Active Directory into the Identity Center directory, and then reapply their assignments.

    If you choose to not use Active Directory, you must create your users and groups in the Identity Center directory, and then make assignments.

  • Assignments aren't deleted when identities are deleted – When identities are deleted in the Identity Center directory, the corresponding assignments are also deleted in IAM Identity Center. However, in Active Directory, when identities are deleted (either in Active Directory or the synced identities), the corresponding assignments are not deleted.

  • No outbound synchronization for APIs – If you use Active Directory as your identity source, we recommend that you use the Create, Update, and Delete APIs with caution. IAM Identity Center doesn't support outbound synchronization, so your identity source doesn't automatically update with the changes that you make to users or groups using these APIs.

  • Access portal URL will change – Changing your identity source between IAM Identity Center and Active Directory also changes the URL for the AWS access portal.

For information about how IAM Identity Center provisions users and groups, see Connect to a Microsoft AD directory.

Changing from IAM Identity Center to an external IdP

If you change your identity source from IAM Identity Center to an external identity provider (IdP), consider the following:

  • Assignments and memberships work with correct assertions – Your user assignments, group assignments, and group memberships will continue to work as long as the new IdP sends the correct assertions (for example, SAML nameIDs). These assertions must match the user names and groups in IAM Identity Center.

  • No outbound synchronization – IAM Identity Center doesn't support outbound synchronization, so your external IdP won't automatically update with changes to users and groups that you make in IAM Identity Center.

  • SCIM provisioning – If you are using SCIM provisioning, changes to users and groups in your identity provider are only reflected in IAM Identity Center after your identity provider sends those changes to IAM Identity Center. See Considerations for using automatic provisioning.

  • Rollback – You can revert your identity source back to using IAM Identity Center at any time. See Changing from an external IdP to IAM Identity Center.

For information about how IAM Identity Center provisions users and groups, see Connect to an external identity provider.

Changing from an external IdP to IAM Identity Center

If you change your identity source from an external identity provider (IdP) to IAM Identity Center, consider the following:

  • IAM Identity Center preserves all your assignments.

  • Force password reset – Users who had passwords in IAM Identity Center can continue signing in with their old passwords. For users who were in the external IdP and weren't in IAM Identity Center, an administrator must force a password reset.

For information about how IAM Identity Center provisions users and groups, see Manage identities in IAM Identity Center.

Changing from one external IdP to another external IdP

If you're already using an external IdP as your identity source for IAM Identity Center and you change to a different external IdP, consider the following:

  • Assignments and memberships work with correct assertions – IAM Identity Center preserves all of your assignments. The user assignments, group assignments, and group memberships will continue to work as long as the new IdP sends the correct assertions (for example, SAML nameIDs).

    These assertions must match the user names in IAM Identity Center when your users authenticate through the new external IdP.

  • SCIM provisioning – If you are using SCIM for provisioning into IAM Identity Center, we recommend that you review the IdP-specific information in this guide and the documentation provided by the IdP to ensure that the new provider will match users and groups correctly when SCIM is enabled.

For information about how IAM Identity Center provisions users and groups, see Connect to an external identity provider.
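
A pre-cutover check for the assertion-matching requirement in this section and in "Changing from IAM Identity Center to an external IdP", added here as an example and not AWS code: it compares the NameID values the new IdP is configured to send against the user names in IAM Identity Center and lists which users with direct assignments would stop matching. The input is assumed to be shaped like the output of `aws identitystore list-users` and `aws sso-admin list-account-assignments`; the sample data, the function name `check_nameid_coverage`, and the choice to report case-only differences as mismatches are assumptions.

```python
# Constructed sample data shaped like `aws identitystore list-users` and
# `aws sso-admin list-account-assignments` output (IDs and ARN are placeholders).
USERS = [
    {"UserId": "u-1111", "UserName": "alice@example.com"},
    {"UserId": "u-2222", "UserName": "bob@example.com"},
    {"UserId": "u-3333", "UserName": "carol@example.com"},
]
PS = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"
ASSIGNMENTS = [
    {"AccountId": "111122223333", "PermissionSetArn": PS, "PrincipalType": "USER", "PrincipalId": "u-1111"},
    {"AccountId": "111122223333", "PermissionSetArn": PS, "PrincipalType": "USER", "PrincipalId": "u-2222"},
    {"AccountId": "111122223333", "PermissionSetArn": PS, "PrincipalType": "GROUP", "PrincipalId": "g-9999"},
]
# Constructed: NameID values the new IdP is configured to send, one per user.
NEW_IDP_NAMEIDS = ["alice@example.com", "Bob@example.com", "dave@example.com"]


def check_nameid_coverage(users, assignments, nameids):
    """Classify each Identity Center user by whether the new IdP sends a matching NameID."""
    sent = set(nameids)
    sent_folded = {n.casefold(): n for n in nameids}
    assigned = {a["PrincipalId"] for a in assignments if a["PrincipalType"] == "USER"}
    report = {"ok": [], "case_only": [], "missing": [], "assigned_at_risk": []}
    for u in users:
        name = u["UserName"]
        if name in sent:
            report["ok"].append(name)
            continue
        near = sent_folded.get(name.casefold())
        if near is not None:
            # Assumption: treat a case-only difference as a mismatch to resolve, not a match.
            report["case_only"].append((name, near))
        else:
            report["missing"].append(name)
        if u["UserId"] in assigned:
            report["assigned_at_risk"].append(name)  # this user has direct assignments
    known = {u["UserName"].casefold() for u in users}
    # NameIDs that correspond to no Identity Center user name at all.
    report["unknown_nameids"] = sorted(n for n in nameids if n.casefold() not in known)
    return report


report = check_nameid_coverage(USERS, ASSIGNMENTS, NEW_IDP_NAMEIDS)
for key, value in report.items():
    print(f"{key}: {value}")
```

Group-based access is not evaluated here; only assignments made directly to a user count toward `assigned_at_risk`.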

Changing between Active Directory and an external IdP

If you change your identity source from an external IdP to Active Directory, or from Active Directory to an external IdP, consider the following:

  • Users, groups, and assignments are deleted – All users, groups, and assignments are deleted from IAM Identity Center. No user or group information is affected in either the external IdP or Active Directory.

  • Provisioning users – If you change to an external IdP, you must configure IAM Identity Center to provision your users. Alternatively, you must manually provision the users and groups for the external IdP before you can configure assignments.

  • Create assignments and groups – If you change to Active Directory, you must create assignments with the users and groups that are in your directory in Active Directory.

For information about how IAM Identity Center provisions users and groups, see Connect to a Microsoft AD directory.
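
Where a change deletes users, groups, and assignments (this section and "Changing between IAM Identity Center and Active Directory"), the assignments have to be recreated afterwards. The following added example, which is not AWS code, records assignments by principal name before the change and, after the change, separates the assignments that can be reapplied from those still waiting for an identity to be provisioned. It assumes input shaped like `aws identitystore list-users`, `list-groups`, and `aws sso-admin list-account-assignments` output, that recreated or resynchronized identities receive new identifiers, and that the permission sets still exist; all sample data and function names are constructed.

```python
from collections import defaultdict

# Constructed pre-change export (IDs and ARN are placeholders).
USERS = [{"UserId": "old-u-1", "UserName": "alice"}, {"UserId": "old-u-2", "UserName": "bob"}]
GROUPS = [{"GroupId": "old-g-1", "DisplayName": "Admins"}]
PS = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"
ASSIGNMENTS = [
    {"AccountId": "111122223333", "PermissionSetArn": PS, "PrincipalType": "USER", "PrincipalId": "old-u-1"},
    {"AccountId": "111122223333", "PermissionSetArn": PS, "PrincipalType": "GROUP", "PrincipalId": "old-g-1"},
    {"AccountId": "444455556666", "PermissionSetArn": PS, "PrincipalType": "USER", "PrincipalId": "old-u-2"},
]
# Constructed post-change state: bob has not been provisioned yet.
NEW_USERS = [{"UserId": "new-u-9", "UserName": "alice"}]
NEW_GROUPS = [{"GroupId": "new-g-7", "DisplayName": "Admins"}]


def snapshot_by_name(users, groups, assignments):
    """Key each assignment by principal name; IDs are assumed not to survive deletion."""
    names = {("USER", u["UserId"]): u["UserName"] for u in users}
    names.update({("GROUP", g["GroupId"]): g["DisplayName"] for g in groups})
    plan, unresolved = defaultdict(list), []
    for a in assignments:
        key = (a["PrincipalType"], a["PrincipalId"])
        if key in names:
            plan[(key[0], names[key])].append((a["AccountId"], a["PermissionSetArn"]))
        else:
            unresolved.append(a)  # assignment whose principal is missing from the export
    return dict(plan), unresolved


def reapply_worklist(plan, new_users, new_groups):
    """Map saved names to post-change IDs; assumes the permission sets still exist."""
    ids = {("USER", u["UserName"]): u["UserId"] for u in new_users}
    ids.update({("GROUP", g["DisplayName"]): g["GroupId"] for g in new_groups})
    ready, blocked = [], []
    for (ptype, name), targets in sorted(plan.items()):
        for account, ps_arn in targets:
            if (ptype, name) in ids:
                ready.append({"PrincipalType": ptype, "PrincipalId": ids[(ptype, name)],
                              "AccountId": account, "PermissionSetArn": ps_arn})
            else:
                blocked.append((ptype, name, account))  # provision this identity first
    return ready, blocked


plan, unresolved = snapshot_by_name(USERS, GROUPS, ASSIGNMENTS)
ready, blocked = reapply_worklist(plan, NEW_USERS, NEW_GROUPS)
print(len(ready), "ready;", "blocked:", blocked)
```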