Using SAML and SCIM identity federation with external identity providers - AWS IAM Identity Center

Using SAML and SCIM identity federation with external identity providers

IAM Identity Center implements the following standards-based protocols for identity federation:

  • SAML 2.0 for user authentication

  • SCIM for provisioning

Any identity provider (IdP) that implements these standard protocols is expected to interoperate successfully with IAM Identity Center, with the following special considerations:

  • SAML

    • IAM Identity Center requires a SAML nameID format of email address (that is, urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).

    • The value of the nameID field in assertions must be an RFC 2822 (https://tools.ietf.org/html/rfc2822) addr-spec compliant (“name@domain.com”) string (https://tools.ietf.org/html/rfc2822#section-3.4.1).

    • The metadata file cannot be over 75000 characters.

    • The metadata must contain an entityId, X509 certificate, and SingleSignOnService as part of the sign-in URL.

    • An encryption key is not supported.

IdPs that do not conform to the standards and considerations mentioned above are not supported. Please contact your IdP for questions or clarifications regarding the conformance of their products to these standards and considerations.

If you have any issues connecting your IdP to IAM Identity Center, we recommend that you check:

Note

Some IdPs, such as the ones in the Getting started tutorials, offer a simplified configuration experience for IAM Identity Center in the form of an “application” or “connector” built specifically for IAM Identity Center. If your IdP provides this option, we recommend that you use it, being careful to choose the item that’s built specifically for IAM Identity Center. Other items called “AWS”, “AWS federation”, or similar generic "AWS" names may use other federation approaches and/or endpoints, and may not work as expected with IAM Identity Center.