It is not currently possible to do this in one AWS Organization. Each AWS Organization can have one and only one AWS IAM Identity Center, and IAM Identity Center only supports one Identity Provider at a time.
What you could try is to add the Azure AD 2 users into the Azure AD 1 directory as guests and then configure Identity Center to use Azure AD 1.
Currently it's only possible to integrate a single identity provider with AWS IAM Identity Center. You could however create a shared Entra ID tenant and connect that to AWS, as described here: https://aws.amazon.com/blogs/modernizing-with-aws/integrate-multiple-microsoft-entra-id-tenants-with-aws-iam-identity-center/
If you have multiple accounts in an AWS Organization this would provide a more simple identity provider integration across all of your accounts.
For a single account, there's no issue or concern with the approach you linked that uses IAM.
AWS IAM Identity Center can be integrated with only one external IdP at a time, and only one "Organization instance of IAM Identity Center" can be deployed in an AWS Organization, but multiple "Account instances of IAM Identity Center" can be deployed in member accounts of that same organization. Account instances support isolated deployments of applications in a single AWS member account. You need to evaluate if that serves your requirements:
- Organization instances of IAM Identity Center - https://docs.aws.amazon.com/singlesignon/latest/userguide/organization-instances-identity-center.html
- Account instances of IAM Identity Center - https://docs.aws.amazon.com/singlesignon/latest/userguide/account-instances-identity-center.html
Yes, I understand that, but for this use case we would like to have 2 separate Azure ADs because it's two different companies that should have access to this one account. Each company already has their users in their AD, we cannot see their organizational structure, and they should manage the application access on their own, if that makes sense.
Hey Andre, yeah, that makes sense. I don't believe it's possible at this time. You may be able to create a hosted Active Directory service in AWS, trust both Azure domains and use this as the identity provider. I've never tried it but it may work.
Hey Gary, that would create a new expense since I would need to host that service right?
How I did it right now was that I have the 2 ADs created as IAM identity providers and then just allowed those identity providers in the trust relationships of the needed roles. On the Azure side I have each enterprise application configured with its own metadata file, and then a new group to match 1 role on AWS... I don't know if I explained it well enough right now, I can go into more detail if you want.
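The approach in the comment above (one IAM SAML provider per company, roles whose trust policies name those providers) as an added Python example; this is not code from the thread, and the account ID and provider names are constructed placeholders. It builds such a trust policy and reviews an existing one for the two things worth checking when several IdPs federate into one account: which providers a role actually trusts, and that every SAML statement pins the `SAML:aud` audience to the AWS sign-in endpoint.

```python
# Constructed placeholders for this example, not real identifiers.
ACCOUNT_ID = "123456789012"
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

def saml_provider_arn(name):
    return f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/{name}"

def build_trust_policy(provider_names):
    """Allow AssumeRoleWithSAML from each named IAM SAML provider, audience-pinned."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": saml_provider_arn(name)},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
            for name in provider_names
        ],
    }

def trusted_saml_providers(policy):
    """Names of the SAML providers a role trusts; compare with the company that owns the role."""
    names = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        fed = principal.get("Federated") if isinstance(principal, dict) else None
        if stmt.get("Effect") == "Allow" and fed and ":saml-provider/" in fed:
            names.append(fed.rsplit("/", 1)[1])
    return names

def review_trust_policy(policy):
    """Findings for a role trust policy; an empty list means nothing was flagged."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal")
            continue
        fed = principal.get("Federated") if isinstance(principal, dict) else None
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if fed and "sts:AssumeRoleWithSAML" in actions:
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != SAML_AUDIENCE:
                findings.append(f"statement {i}: {fed} does not pin SAML:aud")
    return findings
```

Run `review_trust_policy` over each role's trust document (for example from `aws iam get-role`) so a role meant for one company never silently trusts the other company's provider.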