Configuring an external identity provider (Optional) - Innovation Sandbox on AWS

Group Management

Innovation Sandbox on AWS uses three user groups, one for each persona. Create these groups in the external provider following your normal process. The group names must match the names given in the IDC CloudFormation stack parameters character for character, including the <namespace> prefix and letter case; the solution resolves personas by group name, so a user in a group with a slightly different name receives no role.

Personas and corresponding groups:

Persona | Default group name            | Responsibility
Admin   | <namespace>_IsbAdminsGroup    | Deploying and managing the solution, and managing the AWS accounts used in the solution.
Manager | <namespace>_IsbManagersGroup  | Creating and managing Lease Templates (Sandbox thresholds and actions) and Leases (active Sandbox accounts).
User    | <namespace>_IsbUsersGroup     | Requesting and using Leases (Sandbox accounts).

User Management

Users are managed according to your normal process within your provider by adding each user to one of the three ISB user groups.

Requirements:

  • Email: Ensure that the primary email field in the provider is populated with the correct email address.

    • Microsoft Entra: mail

    • Okta: email

  • The primary email field must be included in your provider's automatic provisioning (SCIM) attribute mappings so that it is passed to IAM Identity Center. A user who is in the right group but has no mapped email cannot be matched by the solution.

You can confirm that a user's email attribute has been mapped and passed to the correct field in IAM Identity Center by running the following command in the IAM Identity Center account (the management account or the delegated administrator account):

aws identitystore list-users --identity-store-id $(aws sso-admin list-instances --query "Instances[0].IdentityStoreId" --output text)

Each user's Emails array should contain an entry like the one below: Value is the user's correct address, Type is "work", and Primary is true. An entry with a different Type, or with Primary false, indicates that the provider-side mapping is wrong.

"Emails": [ { "Value": "example@amazon.com", "Type": "work", "Primary": true } ]
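The following script turns the two checks on this page (the three ISB groups exist with exactly the expected names, and every provisioned user carries a primary "work" email) into an offline audit. It is an added example, not part of the Innovation Sandbox on AWS solution or its documentation. It reads the JSON returned by `aws identitystore list-groups` and `aws identitystore list-users`; the namespace `myisb`, the sample group and user records, and the script name `isb_idc_check.py` are constructed for illustration.

```python
import json
import sys

# The three group-name suffixes from the Group Management table; the prefix is
# the namespace given to the IDC CloudFormation stack.
ISB_GROUP_SUFFIXES = ("_IsbAdminsGroup", "_IsbManagersGroup", "_IsbUsersGroup")


def expected_isb_groups(namespace):
    """Exact group names the IDC stack parameters expect for this namespace."""
    return {namespace + suffix for suffix in ISB_GROUP_SUFFIXES}


def missing_isb_groups(list_groups_output, namespace):
    """Expected group names not present in `aws identitystore list-groups` output.

    Plain string equality: a group that differs only in case (for example
    'myisb_isbusersgroup') counts as missing, matching the "exactly the same"
    requirement above.
    """
    present = {g.get("DisplayName") for g in list_groups_output.get("Groups", [])}
    return expected_isb_groups(namespace) - present


def primary_work_email(user):
    """The address the solution will see for this user: the Emails entry with
    Type 'work' and Primary true (the target of the emails[type eq "work"]
    mapping), or None if there is no such entry."""
    for email in user.get("Emails", []):
        if email.get("Type") == "work" and email.get("Primary") is True:
            return email.get("Value")
    return None


def email_status(user):
    """'ok', or a short reason why this user's email mapping is not usable."""
    if not user.get("Emails"):
        return "no email attribute was passed to IAM Identity Center"
    if primary_work_email(user) is None:
        return "no Emails entry with Type 'work' and Primary true"
    return "ok"


def audit_users(list_users_output):
    """Map each UserName in `aws identitystore list-users` output to its status."""
    return {u["UserName"]: email_status(u) for u in list_users_output.get("Users", [])}


# Constructed sample data (not real IAM Identity Center output), trimmed to the
# fields the checks use; the ids are placeholders.
SAMPLE_GROUPS = {"Groups": [
    {"GroupId": "g-0001", "DisplayName": "myisb_IsbAdminsGroup"},
    {"GroupId": "g-0002", "DisplayName": "myisb_IsbManagersGroup"},
    {"GroupId": "g-0003", "DisplayName": "myisb_isbusersgroup"},  # wrong case
]}
SAMPLE_USERS = {"Users": [
    {"UserId": "u-0001", "UserName": "alice@example.com",
     "Emails": [{"Value": "alice@example.com", "Type": "work", "Primary": True}]},
    {"UserId": "u-0002", "UserName": "bob@example.com",
     "Emails": [{"Value": "bob@example.com", "Type": "work", "Primary": False}]},
    {"UserId": "u-0003", "UserName": "carol@example.com",
     "Emails": [{"Value": "carol@example.com", "Type": "home", "Primary": True}]},
    {"UserId": "u-0004", "UserName": "dave@example.com", "Emails": []},
]}


def main(argv):
    """Usage: isb_idc_check.py <namespace> groups.json users.json
    (files saved from the two aws identitystore commands). With no arguments
    the checks run against the constructed sample above. Returns 1 if any
    group is missing or any user has no usable primary work email."""
    if len(argv) == 4:
        namespace = argv[1]
        with open(argv[2]) as f:
            groups = json.load(f)
        with open(argv[3]) as f:
            users = json.load(f)
    else:
        namespace, groups, users = "myisb", SAMPLE_GROUPS, SAMPLE_USERS

    rc = 0
    for name in sorted(missing_isb_groups(groups, namespace)):
        print(f"MISSING GROUP: {name}")
        rc = 1
    for user, status in sorted(audit_users(users).items()):
        print(f"{user}: {status}")
        if status != "ok":
            rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To run it against a real account, save the output of `aws identitystore list-groups --identity-store-id <id>` and `aws identitystore list-users --identity-store-id <id>` to files and pass them with your namespace; the group check is deliberately case-sensitive because the stack parameters are compared as literal strings.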

Attribute mapping examples

The attribute mappings in your provider must map the user's primary email field (the provider attribute) to emails[type eq "work"] (the IAM Identity Center attribute). Mapping it to any other emails entry produces an address the solution will not use.

External identity provider | Provider attribute | IAM Identity Center attribute
Microsoft Entra            | mail               | emails[type eq "work"]
Okta                       | email              | emails[type eq "work"]