User-identity trust providers for Verified Access
You can choose to use either AWS IAM Identity Center or an OpenID Connect-compatible user-identity trust provider.
Using IAM Identity Center as a trust provider
You can use AWS IAM Identity Center as your user-identity trust provider with AWS Verified Access.
Prerequisites and considerations
- Your IAM Identity Center instance must be an organization instance of IAM Identity Center (one enabled for your AWS Organizations organization). A standalone account instance of IAM Identity Center will not work.
- Your IAM Identity Center instance must be enabled in the same AWS Region in which you want to create the Verified Access trust provider.
- Verified Access can provide access to users in IAM Identity Center who are assigned to up to 1,000 groups.
See Manage organization and account instances of IAM Identity Center in the AWS IAM Identity Center User Guide for details on the different instance types.
Create an IAM Identity Center trust provider
After IAM Identity Center is enabled on your AWS account, you can use the following procedure to set up IAM Identity Center as your trust provider for Verified Access.
To create an IAM Identity Center trust provider (AWS console)
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Verified Access trust providers, and then Create Verified Access trust provider.
3. (Optional) For Name tag and Description, enter a name and description for the trust provider.
4. For Policy reference name, enter an identifier to use later when working with policy rules. Trust data from this provider is exposed to your Verified Access policies under this name, so choose one that is stable and unambiguous.
5. Under Trust provider type, select User trust provider.
6. Under User trust provider type, select IAM Identity Center.
7. (Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.
8. Choose Create Verified Access trust provider.
To create an IAM Identity Center trust provider (AWS CLI)
- Use the create-verified-access-trust-provider command (AWS CLI).
Delete an IAM Identity Center trust provider
Before you can delete a trust provider, you must remove all endpoint and group configuration from the instance to which the trust provider is attached.
To delete an IAM Identity Center trust provider (AWS console)
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Verified Access trust providers, and then select the trust provider you want to delete under Verified Access trust providers.
3. Choose Actions, then Delete Verified Access trust provider.
4. Confirm the deletion by entering delete into the text box.
5. Choose Delete.
To delete an IAM Identity Center trust provider (AWS CLI)
- Use the delete-verified-access-trust-provider command (AWS CLI).
Use an OpenID Connect trust provider
AWS Verified Access supports identity providers that implement standard OpenID Connect (OIDC). You can use OIDC-compatible providers as user-identity trust providers with Verified Access. However, because of the wide array of OIDC providers, AWS is not able to test each OIDC integration with Verified Access.
Verified Access obtains the trust data that it evaluates from the OIDC provider's UserInfo endpoint. The Scope parameter determines which sets of trust data are retrieved. After the trust data is received, the Verified Access policy is evaluated against it.
Note
Verified Access does not use trust data from the ID token sent by the OIDC provider when evaluating the Verified Access policy. Only trust data from the UserInfo endpoint is evaluated against the policy. In practice this means that any claim you reference in a policy must be returned by the UserInfo endpoint for the scopes you request; a claim that appears only in the ID token is not visible to the policy.
Prerequisites for creating an OIDC trust provider
You will need to gather the following information from your trust provider service directly:
- Issuer
- Authorization endpoint
- Token endpoint
- UserInfo endpoint
- Client ID
- Client secret
- Scope
Create an OIDC trust provider
Use the following procedure to create an OIDC trust provider.
To create an OIDC trust provider (AWS console)
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Verified Access trust providers, and then Create Verified Access trust provider.
3. (Optional) For Name tag and Description, enter a name and description for the trust provider.
4. For Policy reference name, enter an identifier to use later when working with policy rules.
5. Under Trust provider type, select User trust provider.
6. Under User trust provider type, select OIDC (OpenID Connect).
7. For Issuer, enter the identifier of the OIDC issuer.
8. For Authorization endpoint, enter the full URL of the authorization endpoint.
9. For Token endpoint, enter the full URL of the token endpoint.
10. For User endpoint, enter the full URL of the UserInfo endpoint.
11. For Client ID, enter the OAuth 2.0 client identifier.
12. For Client secret, enter the OAuth 2.0 client secret.
13. For Scope, enter a space-delimited list of scopes defined with your identity provider. At minimum, the openid scope is required.
14. (Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.
15. Choose Create Verified Access trust provider.
Note
You must add a redirect URI to your OIDC provider's allowlist, built from the ApplicationDomain of the Verified Access endpoint. You can find the ApplicationDomain in the AWS Management Console, under the Details tab for your Verified Access endpoint, or by describing the endpoint with the AWS CLI. Add the following to your OIDC provider's allowlist: https://ApplicationDomain/oauth2/idpresponse
Register the exact URI. A wildcard or prefix entry weakens the redirect-URI check that protects the authorization code during the login flow.
To create an OIDC trust provider (AWS CLI)
- Use the create-verified-access-trust-provider command (AWS CLI).
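To gather the prerequisites from the provider's own metadata rather than copying them by hand, the following Python script (an added example, not code from the AWS documentation) reads an OIDC discovery document, checks it against the requirements above (all four endpoints present and served over https, openid included in the scope), and assembles the parameters for creating the trust provider together with the redirect URI to allowlist. The discovery document, the issuer idp.example.com, the client credentials and the application domain app.example.com are constructed placeholders; the parameter key names (TrustProviderType, UserTrustProviderType, OidcOptions with Issuer, AuthorizationEndpoint, TokenEndpoint, UserInfoEndpoint, ClientId, ClientSecret, Scope) are those of the EC2 CreateVerifiedAccessTrustProvider API, which the aws ec2 create-verified-access-trust-provider command and boto3 both accept.

```python
"""Validate an OIDC provider's discovery metadata and build the
Verified Access trust-provider parameters from it.
Added example; not code from the AWS documentation."""
from urllib.parse import urlparse

# Constructed sample of a /.well-known/openid-configuration document.
# The issuer idp.example.com is hypothetical.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "scopes_supported": ["openid", "profile", "email", "groups"],
}

# The four values Verified Access needs from the provider, in discovery-document names.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def check_discovery(doc, requested_scopes):
    """Return a list of problems that would make the provider unusable as a
    Verified Access OIDC trust provider. An empty list means it passes."""
    problems = []
    for key in REQUIRED:
        if not doc.get(key):
            problems.append(f"missing {key}")
    # Every endpoint must be https: the client secret and tokens travel over it.
    for key in REQUIRED:
        url = doc.get(key, "")
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} must use https")
    # openid is mandatory; it is what makes the token request an OIDC request.
    if "openid" not in requested_scopes:
        problems.append("scope must include openid")
    supported = doc.get("scopes_supported")
    if supported:
        unsupported = sorted(set(requested_scopes) - set(supported))
        if unsupported:
            problems.append("provider does not advertise scopes: " + ", ".join(unsupported))
    return problems


def build_trust_provider_params(doc, client_id, client_secret, requested_scopes,
                                policy_reference_name):
    """Assemble the CreateVerifiedAccessTrustProvider request parameters.
    Raises ValueError with the full problem list if the metadata fails the checks."""
    problems = check_discovery(doc, requested_scopes)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "TrustProviderType": "user",
        "UserTrustProviderType": "oidc",
        "PolicyReferenceName": policy_reference_name,
        "OidcOptions": {
            "Issuer": doc["issuer"],
            "AuthorizationEndpoint": doc["authorization_endpoint"],
            "TokenEndpoint": doc["token_endpoint"],
            "UserInfoEndpoint": doc["userinfo_endpoint"],
            "ClientId": client_id,
            "ClientSecret": client_secret,
            "Scope": " ".join(requested_scopes),  # space-delimited, as the console expects
        },
    }


def cli_oidc_options(params):
    """Render OidcOptions as the Key=Value,... shorthand the AWS CLI takes for
    --oidc-options. Quote the whole argument in the shell: Scope contains spaces."""
    return ",".join(f"{k}={v}" for k, v in params["OidcOptions"].items())


def redirect_uri(application_domain):
    """The callback URI the IdP must allowlist for a Verified Access endpoint."""
    return f"https://{application_domain}/oauth2/idpresponse"


if __name__ == "__main__":
    params = build_trust_provider_params(
        SAMPLE_DISCOVERY, "client-id", "client-secret",
        ["openid", "email", "groups"], "idp")
    print("aws ec2 create-verified-access-trust-provider --trust-provider-type user "
          "--user-trust-provider-type oidc --policy-reference-name idp "
          f"--oidc-options '{cli_oidc_options(params)}'")
    print("allowlist:", redirect_uri("app.example.com"))  # hypothetical domain
```

The script builds the request but does not send it; pass the dictionary to boto3's create_verified_access_trust_provider, or the printed command to the CLI, once you have reviewed it. Treat the client secret as a credential: read it from a secrets store at run time rather than committing it alongside this configuration.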
Modify an OIDC trust provider
After you create a trust provider, you can update its configuration.
To modify an OIDC trust provider (AWS console)
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Verified Access trust providers, and then select the trust provider you want to modify under Verified Access trust providers.
3. Choose Actions, then Modify Verified Access trust provider.
4. Modify the options you want to change.
5. Choose Modify Verified Access trust provider.
To modify an OIDC trust provider (AWS CLI)
- Use the modify-verified-access-trust-provider command (AWS CLI).
Delete an OIDC trust provider
Before you can delete a user trust provider, you first need to remove all endpoint and group configuration from the instance the trust provider is attached to.
To delete an OIDC trust provider (AWS console)
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Verified Access trust providers, and then select the trust provider you want to delete under Verified Access trust providers.
3. Choose Actions, then Delete Verified Access trust provider.
4. Confirm the deletion by entering delete into the text box.
5. Choose Delete.
To delete an OIDC trust provider (AWS CLI)
- Use the delete-verified-access-trust-provider command (AWS CLI).