Manage an external identity provider - AWS IAM Identity Center

Manage an external identity provider

If you're using a self-managed directory in Active Directory or an AWS Managed Microsoft AD, see Connect to a Microsoft AD directory. For other external identity providers (IdPs), you can use AWS IAM Identity Center to authenticate identities from the IdPs through the Security Assertion Markup Language (SAML) 2.0 standard. This enables your users to sign in to the AWS access portal with their corporate credentials. They can then navigate to their assigned accounts, roles, and applications hosted in external IdPs.

For example, you can connect an external IdP such as Okta or Microsoft Entra ID, to IAM Identity Center. Your users can then sign in to the AWS access portal with their existing Okta or Microsoft Entra ID credentials. To control what your users can do once they've signed in, you can assign them access permissions centrally across all the accounts and applications in your AWS organization. In addition, developers can simply sign in to the AWS Command Line Interface (AWS CLI) using their existing credentials, and benefit from automatic short-term credential generation and rotation.

The SAML protocol does not provide a way to query the IdP to learn about users and groups. Therefore, you must make IAM Identity Center aware of those users and groups by provisioning them into IAM Identity Center.

Provisioning when users come from an external IdP

When using an external IdP, you must provision all applicable users and groups into IAM Identity Center before you can make any assignments to AWS accounts or applications. To do this, you can configure Automatic provisioning for your users and groups, or use Manual provisioning. Regardless of how you provision users, IAM Identity Center redirects the AWS Management Console, command line interface, and application authentication to your external IdP. IAM Identity Center then grants access to those resources based on policies you create in IAM Identity Center. For more information about provisioning, see User and group provisioning.

How to connect to an external identity provider

There are step-by-step tutorials available for the supported IdPs:

There are different prerequisites, considerations, and provisioning procedures for the different supported external IdPs. The following procedure provides a general overview of the procedure that's used with all external identity providers.

To connect to an external identity provider
  1. Open the IAM Identity Center console.

  2. Choose Settings.

  3. On the Settings page, choose the Identity source tab, and then choose Actions > Change identity source.

  4. Under Choose identity source, select External identity provider, and then choose Next.

  5. Under Configure external identity provider, do the following:

    1. Under Service provider metadata, choose Download metadata file to download the metadata file and save it on your system. The IAM Identity Center SAML metadata file is required by your external identity provider.

    2. Under Identity provider metadata, choose Choose file, and locate the metadata file that you downloaded from your external identity provider. Then upload the file. This metadata file contains the necessary public x509 certificate used to trust messages that are sent from the IdP.

    3. Choose Next.


    Changing your source to or from Active Directory removes all existing user and group assignments. You must manually reapply assignments after you have successfully changed your source.

  6. After you read the disclaimer and are ready to proceed, enter ACCEPT.

  7. Choose Change identity source. A status message informs you that you successfully changed the identity source.

How to change an external identity provider's metadata in IAM Identity Center

You can change your external identity provider's metadata which you previously supplied to the IAM Identity Center. These changes will affect your users' ability to sign in and access AWS resources through IAM Identity Center. The following procedure walks you through how you can update your external IdP's metadata that is stored in IAM Identity Center.

To change an external identity provider's metadata
  1. Open the IAM Identity Center console.

  2. Choose Settings.

  3. On the Settings page, choose the Identity source tab. Choose Actions and then choose Manage Authentication.

  4. In the Identity provider metadata section, choose Edit IdP metadata. You can make the changes to the IdP sign-in URL and or IdP issuer URL for your external IdP on this page. Choose Save changes when you've made all the necessary changes.