SourceIdentity with Identity Provider



I am trying to follow this article to configure SourceIdentity with my Identity Provider (Azure Active Directory) integrated with AWS SSO (Identity Centre).

Though this article doesn't talk about Azure AD, within Azure AD under Enterprise Applications -> My AWS Application -> Single Sign on -> Attributes & Claim -> I have added a new claim with below details

Name: SourceIdentity Namespace: Source: Attribute Source Attribute: user.displayName

If I then attempt to login with an IDP user to AWS SSO link and trace it with SAML trace on Google Chrome, in SAML response i can see attribute has been added

        <Attribute Name="">

However, I cannot find the field SourceIdentity in any event user is taking such as creating bucket or any other action for that sort.

I have tried to search around but cannot get this working. Any help will be appreciated.


Thank you for your reply. I have already seen both of these articles, is there anything specific do you think I should follow to get SourceIdentity working?

Integration from Azure to AWS is working and automatic user provisioning is working too. Only thing that I cannot find clear instruction is how to get SourceIdentity working. I am unable to see this field in any CloudTrail events.

回答済み 1年前
  • Right ok. Reading about it, it “may” only with if using IDP via iam. You’re using identity centre. I’m going to update my answer as there is an extra step but not sure if you should change the Idp settings in your account that’s used by identity centre.

  • Also why do you need to do this. The users name is usually in cloudtrail when actions are performed after using sso


Try following the identity instructions for azure ad here.

Microsoft instructions.

This should get you up and going. Ping any questions over.


This may only work for Idp with iam and not aws sso identity centre. There is an extra step but I’m not sure you should modify the Idp that identity centre setups.

Why would you want to do this anyway as the users name is already in cloudtrail logs.

For the workforce identity or application to be able to define their source identity when they assume IAM roles, you must first grant them permission for the sts:SetSourceIdentity action, as illustrated in the sample policy document below. This will permit the workforce identity or application to set the SourceIdentity themselves without any need for manual intervention.

To modify an AWS IAM role trust policy

Log in to the AWS Management Console for your account as a user with privileges to configure an IdP, typically an administrator. Navigate to the AWS IAM service. For trusted identity, choose SAML 2.0 federation. From the SAML Provider drop down menu, select the IAM provider you created previously. Modify the role trust policy and add the SetSourceIdentity action. Sample policy document

This is a sample policy document attached to a role you assume when you log in to Account1 from the Okta dashboard. Edit your Account1/Role1 trust policy document and add sts:AssumeRoleWithSAML and sts:setSourceIdentity to the Action section.

profile picture
回答済み 1年前

I need to revoke sessions when IAM role chain happens. IAM roles created by SSO are read only and cannot be modified so I am unable to add following permission to them sts:setSourceIdentity as defined in That means the propagation of attribute to next role will not happen.

Also, I cannot see within CloudTrail logs anywhere the SourceIdentity parameter, where as the article suggests it will be present in every action performed such as create bucket etc.

I am trying to understand if the article doesn't apply to SSO (Identity Center) integration with IdP?

回答済み 1年前

ログインしていません。 ログイン 回答を投稿する。