How to get information about the SAML certificate, which is located in the IAM Identity Center - Settings - SAML 2.0 Authentication, using the CLI or API


Good afternoon. I'm doing a workflow automation that involves tracking the validity of a certificate. Through the web console, I added a SAML certificate to IAM Identity Center - Settings - SAML 2.0 Authentication. How can I now get information about this certificate using the CLI or API? I searched aws-identitystore, aws-sso, aws-sso-admin, aws-sso-oidc but couldn't find the correct command. Perhaps there are other ways to keep track of the SAML certificate expiration date?

asked 10 months ago, 327 views
1 Answer
Accepted Answer

Sorry, I am not sure if I understand you correctly: you are adding the IdP certificate to Identity Center (here the Service Provider). If this is what you are doing, this certificate has to be generated/maintained somewhere else, so you need to track the validity of the certificate on the CA where you generated it. For example, you can use a PrivateCA with AWS to upload the certificates and then, using the API, query the expiration date, but you cannot ask Identity Center for this; it's a "problem" of the IdP, not of Identity Center.


AWS
answered 10 months ago
reviewed 2 months ago
  • Thanks for the answer. Yes, the certificate is created in Active Directory Certificate Services and manually added in IAM Identity Center - Settings - SAML 2.0 Authentication. But I don't have access to ADCS. I would like to track the certificate on the AWS side through the CLI or API. Do you suggest adding the new certificate to AWS ACM in addition to the IAM Identity Center and tracking it using the acm:ListCertificates command? This may be one of the options, but not the most convenient. I would like to get information about the certificate directly from where it is imported (IAM Identity Center - Settings - SAML 2.0 Authentication), without having to add it somewhere else. Is it somehow possible? If not, do you plan to add this functionality? I think it should be in the identitystore.
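
An added example, not part of the original thread and not AWS code: because the answer says Identity Center cannot be asked for this, the automation can read the expiry from its own copy of the IdP certificate that was uploaded in the console, using only the Python standard library. The function names, the 30-day warning threshold and the skeletal sample certificate are assumptions constructed for illustration, and it assumes you keep the uploaded PEM file.

```python
import datetime
import ssl

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(pem):
    """Return notAfter of a PEM X.509 certificate as an aware UTC datetime."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    _, pos, _ = _tlv(der, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos  # skip the optional explicit [0] version
    for _field in range(3):           # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)        # enter validity SEQUENCE
    _, _, pos = _tlv(der, pos)        # skip notBefore
    tag, start, end = _tlv(der, pos)  # notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    stamp = datetime.datetime.strptime(der[start:end].decode("ascii"), fmt)
    return stamp.replace(tzinfo=datetime.timezone.utc)

def expiry_status(pem, now, warn_days=30):
    """Classify as EXPIRED, EXPIRING (within warn_days, an assumed threshold) or OK."""
    remaining = not_after(pem) - now
    if remaining <= datetime.timedelta(0):
        return "EXPIRED"
    return "EXPIRING" if remaining <= datetime.timedelta(days=warn_days) else "OK"

def _der(tag, body=b""):
    """Encode one DER element; sample builder only, body must be under 128 bytes."""
    return bytes([tag, len(body)]) + body

def sample_pem(not_after_utc="300101000000Z"):
    """Constructed skeleton holding only the fields walked above; not a signed cert."""
    validity = _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, not_after_utc.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30) + _der(0x30) + validity)
    return ssl.DER_cert_to_PEM_cert(_der(0x30, tbs))

if __name__ == "__main__":
    pem = sample_pem()  # for real use, read the PEM file that was uploaded instead
    now = datetime.datetime.now(datetime.timezone.utc)
    print(not_after(pem).isoformat(), expiry_status(pem, now))
```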
