By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

IDP authentication and map users in IAM Management account .

0

We have recently migrated to IAM identity center in favour of user in a group in security account assuming roles of target accounts. The experience has been great so far. love the UI to instantly switch beetween the accounts etc. we are also using AzureAD integration for IDP . but with this we have to wait for sometime for the SCIM protocol to complete the groups to be mapped (or sent to) to AWS. this limits and slows the process provisioning.

we would like to see if its possible , just use the Authentication part of the IDP and then create the userclaim as a member of IAM groups in IAM identity center ( may be by using the email address).

This would solve most of the use case . and also speeds up provisioning and decouples creating groups in AzureAD for this purpose and hence the Application Group assignments as well and then SCIM.

Thanks.

Topics
Security, Identity, & ComplianceManagement & GovernanceAWS Well-Architected Framework
Tags
Security, Identity, & ComplianceAWS Identity and Access ManagementAWS Management ConsoleSecurityAWS Account Management
Language
English
arjunmld
asked 2 years ago468 views
1 Answer
0

Hello,

I hope you're doing well.

Thank you for reaching out to us with your concern.

From your query, it seems that you have recently migrated to IAM identity center and you have mentioned that the issue is you have to wait for sometime for the SCIM protocol to complete the groups to be mapped (or sent to) to AWS and you would like to see if its possible to just use the Authentication part of the IDP and then create the userclaim as a member of IAM groups in IAM identity center

I would suggest you to refer the following document Tutorial: Azure AD SSO integration with AWS Single-Account Access - https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial

As you mentioned that you would like to see if its possible to just use the Authentication part of the IDP and then create the userclaim as a member of IAM groups in IAM identity center.

I would like to inform you that the role mapping is pre-defined and the attribute which comes as part of SAML assertion defines what role is supposed to be assumed. Hence , the use-case you are trying to achieve seems to be not possible.

Moreover, as I have only limited information, I would need more data to understand your use case much better. To understand your use case further, I would request you raise a technical support case ticket, where we can go deep dive into the use case and suggest you actions based on your environment resources.

AWS
SUPPORT ENGINEER
rePost-User-0125464
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content