By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Identity Provider over Identity Center?

0

Hello, I am fairly new to AWS and have been given a small task of being able to have 2 Azure AD to be able to connect to one AWS Account, I have only found 1 way of doing it so far and that is using the Identity Provider in IAM and configuring 2 Identity Providers to access the same Account.

I have followed the following Topic: https://aws.amazon.com/blogs/apn/securing-aws-accounts-with-azure-active-directory-federation/, however there seems to be some Information missing/difficult to understand the purpose of some configuration done.

My question is if there is maybe a better more recent documentation since I was planning to use IAM Identity Center, but there you can only configure 1 Identity Source as of now and I don't know if it will be possible in the future to have more then one Identity Source?

Topics
Security, Identity, & ComplianceAWS Well-Architected FrameworkManagement & Governance
Tags
Security, Identity, & ComplianceAWS Identity and Access ManagementAWS IAM Identity CenterSecurityAWS Account Management
Language
English
Andre Pereira
asked 5 months ago277 views
2 Answers
0

It is not currently possible to do this in one AWS Organization. Each AWS Organization can have one and only one AWS IAM Identity Center, and IAM Identity Center only supports one Identity Provider at a time.

What you could try is to add azure ad 2 users into azure as 1 directory as guests and then configure identity centre to use azure ad 1.

profile picture
EXPERT
Gary Mclean
answered 5 months ago
  • Andre Pereira
    5 months ago

    Yes i understand that but for this use case we would like to have 2 seperate Azure ADs because it's two different Companies that should have access to this one account, each company has already their Users in their AD we cannot see their Organizational Structure they should Manage the Application Access on their own, if that makes sense.

  • Andre Pereira
    5 months ago

    Yes i understand that but for this use case we would like to have 2 seperate Azure ADs because it's two different Companies that should have access to this one account, each company has already their Users in their AD we cannot see their Organizational Structure they should Manage the Application Access on their own, if that makes sense.

  • Gary Mclean EXPERT
    5 months ago

    Hey Andre, yeah that makes sense.. I dont believe its possible at this time. You may be able to create a hosted Active Directory service in AWS, trust both Azure Domains and use this as the identity provider. Ive never tried it but it may work

  • Andre Pereira
    5 months ago

    Hey Gary, that would create a new expense since I would need to host that service right?

    How I did it right now was that I have the 2 ADs created on IAM Identity Providers and then just allowed those identity providers to be inside the trust relationships for the needed rows. On the Azure part I have each enterprise application with their own metadata file configured and applied then a new group to match 1 role on AWS... I don't know if I explained it well enough right now, I can go into more detail if you want

0

Currently it's only possible to integrate a single identity provider with AWS IAM Identity Center. You could however create a shared Entra ID tenant and connect that to AWS, as described here: https://aws.amazon.com/blogs/modernizing-with-aws/integrate-multiple-microsoft-entra-id-tenants-with-aws-iam-identity-center/

If you have multiple accounts in an AWS Organization this would provide a more simple identity provider integration across all of your accounts.

For a single account, there's no issue or concern with the approach you linked that uses IAM.

AWS
Trevor Schiavone
answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content