Open ID Connect Provider - create the identity provider in a specific region

Hello,

AWS offers a wide range of services that are either global, regional, or specific to the Availability Zone and cannot be accessible from elsewhere. The majority of AWS managed services are regional in nature (except for IAM, Route53, CloudFront, WAF etc).

For example, using IAM, you create your users in a single location rather than in different regions. In the same manner, IdP's (SAML/OIDC) in IAM are global resources, and hence there is currently no request parameter for the API call - CreateOpenIDConnectProvider [1] to specify any restriction for region.

Specifically, in regards to Federating users with public identity service providers or OpenID Connect [2], the recommendation is to use Amazon Cognito [3] for mobile and web-based application scenarios as it does most of the behind-the-scenes work with public identity provider services for you. It works with the same third-party services and also supports anonymous sign-ins.

Also, please note that Cognito is a regional service, and hence the SAML/OIDC provider configuration settings [4][5] have to be made in the specific region where the Cognito resource exists.

I hope the shared information is insightful to your query. In case if you have any questions or concerns then please feel free to reach out.

References:

[1] https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html

[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html

[3] https://aws.amazon.com/cognito/

[4] https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html

[5] https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html