Identity Provider over Identity Center?

0

Hello, I am fairly new to AWS and have been given a small task of being able to have 2 Azure AD to be able to connect to one AWS Account, I have only found 1 way of doing it so far and that is using the Identity Provider in IAM and configuring 2 Identity Providers to access the same Account.

I have followed the following Topic: https://aws.amazon.com/blogs/apn/securing-aws-accounts-with-azure-active-directory-federation/, however there seems to be some Information missing/difficult to understand the purpose of some configuration done.

My question is if there is maybe a better more recent documentation since I was planning to use IAM Identity Center, but there you can only configure 1 Identity Source as of now and I don't know if it will be possible in the future to have more then one Identity Source?

3 Answers
1

It is not currently possible to do this in one AWS Organization. Each AWS Organization can have one and only one AWS IAM Identity Center, and IAM Identity Center only supports one Identity Provider at a time.

What you could try is to add azure ad 2 users into azure as 1 directory as guests and then configure identity centre to use azure ad 1.

profile picture
EXPERT
answered 10 months ago
  • Yes i understand that but for this use case we would like to have 2 seperate Azure ADs because it's two different Companies that should have access to this one account, each company has already their Users in their AD we cannot see their Organizational Structure they should Manage the Application Access on their own, if that makes sense.

  • Yes i understand that but for this use case we would like to have 2 seperate Azure ADs because it's two different Companies that should have access to this one account, each company has already their Users in their AD we cannot see their Organizational Structure they should Manage the Application Access on their own, if that makes sense.

  • Hey Andre, yeah that makes sense.. I dont believe its possible at this time. You may be able to create a hosted Active Directory service in AWS, trust both Azure Domains and use this as the identity provider. Ive never tried it but it may work

  • Hey Gary, that would create a new expense since I would need to host that service right?

    How I did it right now was that I have the 2 ADs created on IAM Identity Providers and then just allowed those identity providers to be inside the trust relationships for the needed rows. On the Azure part I have each enterprise application with their own metadata file configured and applied then a new group to match 1 role on AWS... I don't know if I explained it well enough right now, I can go into more detail if you want

1

Currently it's only possible to integrate a single identity provider with AWS IAM Identity Center. You could however create a shared Entra ID tenant and connect that to AWS, as described here: https://aws.amazon.com/blogs/modernizing-with-aws/integrate-multiple-microsoft-entra-id-tenants-with-aws-iam-identity-center/

If you have multiple accounts in an AWS Organization this would provide a more simple identity provider integration across all of your accounts.

For a single account, there's no issue or concern with the approach you linked that uses IAM.

AWS
answered 10 months ago
1

AWS IAM Identity Center can be integrated with only one external Idp at a time and only one "Organization instances of IAM Identity Center" can be deployed in an AWS Organization but multiple "Account instances of IAM Identity Center" can be deployed in member accounts of that same organization. Account instances support isolated deployments of applications in a single AWS member account. You need to evaluate if that servers your requirements: Organization instances of IAM Identity Center - https://docs.aws.amazon.com/singlesignon/latest/userguide/organization-instances-identity-center.html Account instances of IAM Identity Center - https://docs.aws.amazon.com/singlesignon/latest/userguide/account-instances-identity-center.html

AWS
answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions