Password reset using AWS SSO with external identity provider (AD)

0

Hello everyone,

My organization uses AWS SSO with on-premises Active Directory as an external identity source. In detail, there is an AWS Managed AD in a two-way trust with the on-premises AD. All users reside in the on-premises AD; the one on the AWS side is just a bridge. For security reasons, the on-premises AD requires users to reset their passwords every 3 months, and consequently the users are repeatedly cut off from AWS. This happens because the AWS SSO console does not allow password resets with external identity sources and returns a generic error. Has anyone managed to find a solution/workaround for resetting the password via SSO with an external identity source? I've been looking for a solution to this problem for some time, to no avail.

Thank you

1 Answer
0

I am not exactly sure how the AWS IAM Identity Center (previously called AWS SSO) is configured to connect with your on-premises AD. No password information is synchronized to IAM Identity Center; only the user, group, and membership information is synchronized to IAM Identity Center.

=== Extracted from the IAM Identity Center documentation ===

IAM Identity Center uses the connection provided by the AWS Directory Service to synchronize user, group, and membership information from your source directory in Active Directory to the IAM Identity Center identity store. No password information is synchronized to IAM Identity Center, since user authentication takes place directly from the source directory in Active Directory.

AWS
answered a year ago
  • That's right, Ronald, and thanks for the feedback. The point is exactly that: to implement a password reset mechanism that interacts with Active Directory (if possible). Currently, every 3 months a user must contact the supplier who manages the AD to request a password change.

  • You can search for Self-Service Password Reset for Active Directory. There are a number of software tools available.

  • Thanks for the feedback, Ronald. I am aware of this software; the idea was not to use third-party software but to make it possible for users to carry out the procedure via the SSO page. Apparently there is no alternative.
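Since authentication happens directly against the on-premises AD and IAM Identity Center never sees the password, a practical mitigation for the lockouts described in this thread is to find accounts whose domain password is about to expire and warn them before sign-in starts failing. The following PowerShell script is an added example, not code from the question or the answer; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the on-premises domain, and the search base OU is a placeholder.

```powershell
# Added example: report on-premises AD users whose domain password expires within
# the next $DaysAhead days (or has already expired), so they can be warned before
# IAM Identity Center sign-in breaks. Assumes the RSAT ActiveDirectory module.
param(
    [int]$DaysAhead = 14,
    [string]$SearchBase = "OU=Users,DC=example,DC=com"  # placeholder, adjust to your domain
)

Import-Module ActiveDirectory

$now    = Get-Date
$cutoff = $now.AddDays($DaysAhead)

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute: the domain
# controller evaluates the effective password policy (default domain policy or a
# fine-grained password policy) for each user, so the 3-month age limit is honored.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -SearchBase $SearchBase `
    -Properties "msDS-UserPasswordExpiryTimeComputed", mail, displayName

$expiring = foreach ($u in $users) {
    $raw = $u."msDS-UserPasswordExpiryTimeComputed"
    # 0 or Int64.MaxValue means the effective policy never expires this password
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
    $expires = [DateTime]::FromFileTime($raw)
    if ($expires -le $cutoff) {
        [PSCustomObject]@{
            User        = $u.SamAccountName
            DisplayName = $u.displayName
            Mail        = $u.mail
            ExpiresOn   = $expires
            DaysLeft    = [math]::Floor(($expires - $now).TotalDays)
            Expired     = ($expires -le $now)
        }
    }
}

# Already-expired accounts are the ones currently locked out of the SSO portal;
# the rest are candidates for a reminder e-mail or help-desk ticket.
$expiring | Sort-Object ExpiresOn | Format-Table -AutoSize
```

Scheduling this against the on-premises domain (not the AWS Managed AD bridge, which holds no user accounts here) turns a surprise lockout into a planned reset with the supplier that manages the AD.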
