How to connect AWS to an external identity provider

Topic: Accounts access

Summary

Connect AWS IAM Identity Center to an external identity provider (IdP) such as Active Directory, Okta, or Azure AD: configure SAML 2.0 or OIDC, set attribute mapping for user and group, and set Identity Center as the identity source. Use this so users sign in with corporate credentials and access AWS via SSO.

Intent: How-to

Quick answer

  • In IAM Identity Center, change the identity source to External identity provider; download the Identity Center SAML metadata (or provide OIDC details) and configure your IdP with the correct ACS URL and entity ID.
  • In the IdP, create an application for AWS and map attributes (e.g. user name, group membership) to SAML attributes or OIDC claims that Identity Center expects; upload the IdP metadata to Identity Center.
  • In Identity Center, create users/groups by syncing from the IdP or map IdP groups to Identity Center groups; assign those groups to AWS accounts with permission sets so federated users get the right access.

Steps

  1. Set Identity Center identity source to external IdP

    In IAM Identity Center (management account), Settings → Identity source → Change; select External identity provider; download the Identity Center SAML metadata file or note the OIDC endpoints.

  2. Configure the IdP application for AWS

    In your IdP (Okta, Azure AD, AD FS, etc.), create an application for AWS IAM Identity Center; set the ACS URL and entity ID (or OIDC redirect URI) from Identity Center; upload or paste the IdP metadata into Identity Center.

  3. Map attributes for user and group

    In the IdP, map the user identifier and group membership to SAML attributes (e.g. https://aws.amazon.com/SAML/Attributes/RoleSessionName, Role, or a group-membership attribute); in Identity Center, ensure the attribute mapping matches so users and groups are recognized for assignment.

  4. Sync or map groups and assign to accounts

    If using SCIM or group sync, configure provisioning so Identity Center has users and groups; otherwise map IdP groups to Identity Center assignments. Assign IdP groups to AWS accounts with permission sets and verify federated sign-in.

Summary

You will connect AWS IAM Identity Center to an external identity provider so users sign in with corporate credentials and access AWS through SSO. You set the identity source to external IdP, configure the IdP application and attribute mapping, and assign federated users or groups to accounts with permission sets. Use this when you already have an IdP (e.g. Okta, Azure AD) and want a single sign-on experience for AWS.

Prerequisites

  • IAM Identity Center enabled in the AWS Organizations management account (see How to enable AWS IAM Identity Center (SSO)).
  • Access to your external IdP (Okta, Azure AD, Active Directory with AD FS, or another SAML 2.0 or OIDC IdP) to create an application and configure attributes.

Steps

Step 1: Set Identity Center identity source to external IdP

  1. In the management account, open IAM Identity Center → Settings.
  2. Under Identity source, click Change. Select External identity provider.
  3. Identity Center needs the IdP's metadata, and the IdP needs Identity Center's. Identity Center gives you a Metadata file (SAML) or Metadata URL to download; for OIDC, you instead provide the issuer and authorization URL. Download or note the Identity Center SAML metadata so you can configure your IdP with the correct ACS URL (Assertion Consumer Service) and Entity ID (audience). Keep the Identity Center console open to paste the IdP metadata in the next step.

Step 2: Configure the IdP application for AWS

  1. In your IdP admin console, create a new SAML 2.0 (or OIDC) application for AWS or AWS IAM Identity Center. Use the Identity Center metadata (or documentation) to set:
    • ACS URL (e.g. https://signin.aws.amazon.com/saml)
    • Entity ID / Audience (e.g. urn:amazon:webservices)
    • Name ID / Subject (e.g. email or username)
  2. Download or copy the IdP’s metadata XML (or its SAML metadata URL). In Identity Center, when prompted, upload the IdP metadata file (or paste the URL) and save. Identity Center will now trust the IdP for sign-in.

Step 3: Map attributes for user and group

  • User identity: The IdP must send a unique identifier (e.g. email or username) in the SAML assertion. Map this to the attribute Identity Center expects (often RoleSessionName or the default name ID).
  • Groups (for assignment): To assign by group, the IdP must send group membership in the assertion. Common approaches:
    • SAML: Use the attribute https://aws.amazon.com/SAML/Attributes/Role with a value like arn:aws:iam::ACCOUNT:role/PERMISSION_SET_NAME,arn:aws:iam::ACCOUNT:saml-provider/IDENTITY_CENTER. Alternatively, send a groups attribute and, in Identity Center, map IdP groups to permission set assignments.
    • OIDC / SCIM: If your IdP supports SCIM provisioning to Identity Center, users and groups can be provisioned automatically; then use Identity Center Groups for assignment. Otherwise map IdP groups to Identity Center groups or use attribute-based assignment where supported.

Refer to AWS documentation for your IdP (e.g. “Okta AWS SSO”, “Azure AD AWS”) for the exact attribute names and values.

Step 4: Sync or map groups and assign to accounts

  • If you use SCIM with Identity Center, configure the IdP to provision users and groups to Identity Center; then in Identity Center → AWS accounts → Assign users or groups, select the synced groups and assign them to accounts with permission sets.
  • If you use the SAML Role attribute for role assumption, the Role attribute in the assertion directly specifies which account and permission set the user gets; ensure the IdP sends the correct Role value for each user or group.
  • Test: Sign in to the Identity Center portal using the IdP (e.g. redirect to Okta or Azure AD). After sign-in, you should see the assigned accounts and roles; select one and confirm you reach the AWS console. Run aws configure sso and sign in again to verify CLI access.

Verification

  • Identity Center identity source is External identity provider and the IdP metadata is saved.
  • A test user can sign in to the Identity Center portal via the IdP and see assigned accounts/roles; selecting an account opens the AWS console with the correct permission set.
  • CLI with aws configure sso works for the same user; get-caller-identity shows the expected role.
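To make the CLI check in the last item concrete, here is an added example (not from the page) that validates the JSON from aws sts get-caller-identity for an SSO profile. It assumes the Identity Center role naming AWSReservedSSO_<PermissionSetName>_<suffix>; the account ID, user and suffix in the sample are constructed.

```python
# Added example, not from the page: check that the identity reported by
# "aws sts get-caller-identity" for an SSO profile is an Identity Center
# permission-set role in the expected account. Identity Center provisions
# those roles as AWSReservedSSO_<PermissionSetName>_<suffix>; account ID,
# user and suffix below are constructed sample values.
import json
import re

ROLE_RE = re.compile(
    r"^arn:aws(?:-[a-z-]+)?:sts::(?P<account>\d{12}):assumed-role/"
    r"AWSReservedSSO_(?P<permission_set>[^/]+)_[0-9a-f]+/(?P<session>[^/]+)$")

# Constructed stand-in for the CLI's JSON output after "aws sso login".
SAMPLE_IDENTITY = json.dumps({
    "UserId": "AROAEXAMPLEROLEID:alice@example.com",
    "Account": "111122223333",
    "Arn": "arn:aws:sts::111122223333:assumed-role/"
           "AWSReservedSSO_ReadOnlyAccess_0123456789abcdef/alice@example.com",
})

def parse_identity(caller_identity_json):
    """Split the STS ARN into account, permission set and session name.
    Returns None when the credentials are not an Identity Center role, e.g.
    a long-lived IAM user access key still configured in the profile."""
    m = ROLE_RE.match(json.loads(caller_identity_json)["Arn"])
    return m.groupdict() if m else None

def verify_sso_identity(caller_identity_json, account, permission_set, user):
    """True only if the session is the expected permission set, in the
    expected account, for the expected federated user."""
    got = parse_identity(caller_identity_json)
    return got is not None and (
        got["account"], got["permission_set"], got["session"]
    ) == (account, permission_set, user)
```

Pipe the real output in with aws sts get-caller-identity --profile <profile> and pass the string to verify_sso_identity together with the account, permission set and user you expect.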

Troubleshooting

Sign-in redirects but then fails — Check that the ACS URL and entity ID configured in the IdP match Identity Center's values exactly. Ensure the SAML response is signed and the certificate is valid; check the Identity Center and IdP logs for the error reason.
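For Step 2 and the mismatch described above, here is an added example (not from the page) that reads the entity ID and ACS URL out of the Identity Center SP metadata and compares a captured SAML Response against them. Both XML documents are constructed samples and the URLs are placeholders for the values in your own metadata file.

```python
# Added example, not from the page: read the entity ID and ACS URL the IdP
# must be configured with from Identity Center's SP metadata, then check a
# SAML Response against them. Both XML samples are constructed; the URLs
# are placeholders for the values in your downloaded metadata file.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://example-region.signin.aws.amazon.com/platform/saml/d-EXAMPLE">
 <md:SPSSODescriptor><md:AssertionConsumerService
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://example-region.signin.aws.amazon.com/platform/saml/acs/EXAMPLE-ACS"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed response: correct ACS URL, but an audience truncated by a
# copy-paste slip in the IdP application, and no signature anywhere.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://example-region.signin.aws.amazon.com/platform/saml/acs/EXAMPLE-ACS">
 <saml:Assertion><saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://example-region.signin.aws.amazon.com/platform/saml/d-EXAMPL</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def sp_expectations(metadata_xml):
    """Values to enter in the IdP application: entity ID (audience) and ACS URL(s)."""
    root = ET.fromstring(metadata_xml)
    acs = [e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS)]
    return {"entity_id": root.get("entityID"), "acs_urls": acs}

def check_response(response_xml, expected):
    """List the mismatches that make Identity Center reject a SAML Response.
    Only the presence of a Signature element is checked; verifying the signature
    itself needs the IdP's certificate and an XML-DSig library."""
    root = ET.fromstring(response_xml)
    problems = []
    dest = root.get("Destination")
    if dest not in expected["acs_urls"]:
        problems.append(f"Destination {dest!r} is not an Identity Center ACS URL")
    aud = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != expected["entity_id"]:
        problems.append(f"Audience {aud!r} does not match entity ID {expected['entity_id']!r}")
    if root.find("ds:Signature", NS) is None and root.find("saml:Assertion/ds:Signature", NS) is None:
        problems.append("neither the Response nor the Assertion carries a Signature")
    if not root.findtext(".//saml:Subject/saml:NameID", namespaces=NS):
        problems.append("NameID (the user identifier) is missing")
    return problems
```

Feed it the decoded SAMLResponse from a browser trace of a failing login; every entry returned by check_response points at a setting to correct on the IdP side.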

User has no accounts — The IdP must send the correct group or Role attribute so Identity Center can map the user to an assignment. Verify attribute mapping in the IdP and that the user is in a group that is assigned in Identity Center (or that the Role attribute is correct).

Group sync not working — If using SCIM, ensure the Identity Center SCIM endpoint and token are correct in the IdP; check that the IdP is sending user and group updates. For SAML-only, groups must be in the assertion; some IdPs require an app-specific group attribute.

Next steps

Continue to