Identity Providers

Identity provider management for federated authentication using SAML 2.0 and OpenID Connect (OIDC) protocols, enabling single sign-on (SSO) integration with external identity systems.

Capabilities

SAML Identity Providers

SAML 2.0-based federation allows users to sign in to AWS using their corporate credentials without creating separate IAM users.

Create SAML Provider

Creates a SAML identity provider resource for federated authentication.

/**
 * Creates a SAML identity provider resource
 * @param Name - The name of the provider to create
 * @param SAMLMetadataDocument - XML document generated by the identity provider
 * @param Tags - List of tags to attach to the provider
 */
interface CreateSAMLProviderCommandInput {
  Name: string;
  SAMLMetadataDocument: string;
  Tags?: Tag[];
}

interface CreateSAMLProviderCommandOutput {
  SAMLProviderArn?: string;
  Tags?: Tag[];
}

Usage Example:

import { IAMClient, CreateSAMLProviderCommand } from "@aws-sdk/client-iam";

const client = new IAMClient({ region: "us-east-1" });

// Placeholder only. IAM needs the real metadata exported from your IdP, which
// carries the issuer entityID, the IdP's signing certificate and (if present)
// validUntil; in practice read it from a file rather than inlining it.
const metadataXml = `<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://example.com">
  <!-- SAML metadata content -->
</md:EntityDescriptor>`;

const command = new CreateSAMLProviderCommand({
  Name: "ExampleSAMLProvider",
  SAMLMetadataDocument: metadataXml,
  Tags: [{ Key: "Environment", Value: "Production" }]
});

const result = await client.send(command);
console.log("SAML Provider ARN:", result.SAMLProviderArn);

Update SAML Provider

Updates the metadata document for an existing SAML identity provider resource.

/**
 * Updates the metadata document for an existing SAML identity provider
 * @param SAMLMetadataDocument - New XML metadata document
 * @param SAMLProviderArn - ARN of the SAML provider to update
 */
interface UpdateSAMLProviderCommandInput {
  SAMLMetadataDocument: string;
  SAMLProviderArn: string;
}

interface UpdateSAMLProviderCommandOutput {
  SAMLProviderArn?: string;
}

Get SAML Provider

Retrieves information about the specified SAML provider resource.

/**
 * Returns information about the specified SAML provider resource
 * @param SAMLProviderArn - ARN of the SAML provider resource
 */
interface GetSAMLProviderCommandInput {
  SAMLProviderArn: string;
}

interface GetSAMLProviderCommandOutput {
  SAMLMetadataDocument?: string;
  CreateDate?: Date;
  ValidUntil?: Date;
  Tags?: Tag[];
}
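The three calls above take and return the raw metadata XML, so the checks worth running belong on the caller's side: confirm the document is IdP metadata with a signing certificate before CreateSAMLProvider, and compare signing certificates between the document GetSAMLProvider returns and the freshly exported one before UpdateSAMLProvider, since a key that disappears from the metadata stops validating assertions the moment the update lands. The following is an added example, not code from the page or from @aws-sdk/client-iam; it uses only Node built-ins, scans the XML with regular expressions (adequate for a sanity check, not a substitute for a real XML parser in a trust decision), and the sample documents are constructed, with placeholder bytes where a real certificate would be.

```typescript
// Added example (not part of @aws-sdk/client-iam or its documentation): offline
// pre-flight checks on SAML IdP metadata before CreateSAMLProvider /
// UpdateSAMLProvider, and a signing-certificate diff against what
// GetSAMLProvider returns. Node built-ins only.
import { createHash } from "crypto";

export interface SamlMetadataSummary {
  entityId: string | null;
  validUntil: Date | null;
  signingCertFingerprints: string[]; // SHA-1 hex of each use="signing" certificate
  problems: string[];
}

function sha1Hex(der: Buffer): string {
  return createHash("sha1").update(der).digest("hex");
}

// Assumption: keys are published as <KeyDescriptor use="signing"> (or with no use
// attribute, which SAML reads as signing+encryption) wrapping a base64
// <ds:X509Certificate>. Encryption-only keys are ignored.
function extractSigningCerts(xml: string): Buffer[] {
  const certs: Buffer[] = [];
  const keyDescriptorRe = /<(?:\w+:)?KeyDescriptor\b([^>]*)>([\s\S]*?)<\/(?:\w+:)?KeyDescriptor>/g;
  const certRe = /<(?:\w+:)?X509Certificate>\s*([A-Za-z0-9+/=\s]+?)\s*<\/(?:\w+:)?X509Certificate>/g;
  let kd: RegExpExecArray | null;
  while ((kd = keyDescriptorRe.exec(xml)) !== null) {
    const use = /\buse="([^"]*)"/.exec(kd[1]);
    if (use !== null && use[1] !== "signing") continue;
    let c: RegExpExecArray | null;
    while ((c = certRe.exec(kd[2])) !== null) {
      certs.push(Buffer.from(c[1].replace(/\s+/g, ""), "base64"));
    }
  }
  return certs;
}

// `now` is injectable so the validUntil check is deterministic in tests.
export function summarizeSamlMetadata(xml: string, now: Date = new Date()): SamlMetadataSummary {
  const problems: string[] = [];
  const entityMatch = /\bentityID="([^"]+)"/.exec(xml);
  const entityId = entityMatch ? entityMatch[1] : null;
  if (entityId === null) problems.push("no entityID on EntityDescriptor");

  const vuMatch = /\bvalidUntil="([^"]+)"/.exec(xml);
  const validUntil = vuMatch ? new Date(vuMatch[1]) : null;
  if (validUntil !== null && isNaN(validUntil.getTime())) problems.push("unparseable validUntil");
  else if (validUntil !== null && validUntil.getTime() <= now.getTime()) problems.push("metadata validUntil is in the past");

  if (!/<(?:\w+:)?IDPSSODescriptor\b/.test(xml)) problems.push("no IDPSSODescriptor: not IdP metadata");

  const signingCertFingerprints = extractSigningCerts(xml).map(sha1Hex);
  if (signingCertFingerprints.length === 0) problems.push("no signing certificate found");
  return { entityId, validUntil, signingCertFingerprints, problems };
}

// Run before UpdateSAMLProvider: `removed` lists keys whose assertions will stop
// validating; during a rotation you expect `added` and an empty `removed`.
export function diffSigningCerts(currentXml: string, newXml: string): { added: string[]; removed: string[] } {
  const cur = summarizeSamlMetadata(currentXml).signingCertFingerprints;
  const nxt = summarizeSamlMetadata(newXml).signingCertFingerprints;
  return {
    added: nxt.filter((f) => cur.indexOf(f) === -1),
    removed: cur.filter((f) => nxt.indexOf(f) === -1),
  };
}

// Constructed sample metadata (not from a real IdP): the certificate bodies are
// base64 of placeholder bytes, so the fingerprints are of those bytes, not of real DER.
export function sampleIdpMetadata(signingCertsB64: string[], validUntil: string): string {
  const keys = signingCertsB64.map((b64) =>
    `<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>${b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`).join("\n    ");
  return `<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml" validUntil="${validUntil}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    ${keys}
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>ZW5j</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`;
}

export const CURRENT_METADATA = sampleIdpMetadata(["YWJj"], "2031-06-30T00:00:00Z");            // one signing key
export const ROTATED_METADATA = sampleIdpMetadata(["YWJj", "YWJjZA=="], "2032-06-30T00:00:00Z"); // old + new key

console.log(summarizeSamlMetadata(CURRENT_METADATA));
console.log(diffSigningCerts(CURRENT_METADATA, ROTATED_METADATA)); // one added fingerprint, nothing removed
```

Wire it in by fetching the stored document with GetSAMLProviderCommand, running `diffSigningCerts` against the new export, and refusing to call UpdateSAMLProviderCommand when `removed` is non-empty unless the rotation is intentional; `summarizeSamlMetadata(...).problems` should be empty before CreateSAMLProviderCommand.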

List SAML Providers

Lists the SAML identity providers defined in the AWS account.

/**
 * Lists the SAML identity providers defined in the AWS account
 */
interface ListSAMLProvidersCommandInput {}

interface ListSAMLProvidersCommandOutput {
  SAMLProviderList?: SAMLProviderListEntry[];
}

Delete SAML Provider

Deletes a SAML identity provider resource.

/**
 * Deletes a SAML identity provider resource
 * @param SAMLProviderArn - ARN of the SAML provider to delete
 */
interface DeleteSAMLProviderCommandInput {
  SAMLProviderArn: string;
}

SAML Provider Tagging

/**
 * Adds one or more tags to a SAML identity provider
 * @param SAMLProviderArn - ARN of the SAML provider
 * @param Tags - List of tags to attach
 */
interface TagSAMLProviderCommandInput {
  SAMLProviderArn: string;
  Tags: Tag[];
}

/**
 * Removes the specified tags from the SAML identity provider
 * @param SAMLProviderArn - ARN of the SAML provider
 * @param TagKeys - List of tag keys to remove
 */
interface UntagSAMLProviderCommandInput {
  SAMLProviderArn: string;
  TagKeys: string[];
}

/**
 * Lists the tags attached to the specified SAML identity provider
 * @param SAMLProviderArn - ARN of the SAML provider
 * @param Marker - Use this parameter only when paginating results
 * @param MaxItems - Maximum number of items to return
 */
interface ListSAMLProviderTagsCommandInput {
  SAMLProviderArn: string;
  Marker?: string;
  MaxItems?: number;
}

OpenID Connect Identity Providers

OpenID Connect (OIDC) providers let applications running outside AWS that already hold an OIDC ID token (issued by a web or social identity provider, or by a CI or workload identity system) exchange that token for temporary AWS credentials through sts:AssumeRoleWithWebIdentity, with no IAM users involved.

Create OpenID Connect Provider

Creates an OpenID Connect identity provider resource.

/**
 * Creates an OpenID Connect identity provider resource
 * @param Url - Issuer URL of the identity provider (must begin with https://); IAM uses the host and any path as the provider identifier and as the prefix of the role trust-policy condition keys (e.g. "oidc.example.com:aud")
 * @param ClientIDList - List of client IDs (the token's aud claim values) for which the provider is valid
 * @param ThumbprintList - Up to five SHA-1 thumbprints (40 hex characters each) of the certificate of the top intermediate CA in the provider's TLS chain
 * @param Tags - List of tags to attach to the provider
 */
interface CreateOpenIDConnectProviderCommandInput {
  Url: string;
  ClientIDList?: string[];
  ThumbprintList?: string[];
  Tags?: Tag[];
}

interface CreateOpenIDConnectProviderCommandOutput {
  OpenIDConnectProviderArn?: string;
  Tags?: Tag[];
}

Usage Example:

import { IAMClient, CreateOpenIDConnectProviderCommand } from "@aws-sdk/client-iam";

const client = new IAMClient({ region: "us-east-1" });

const command = new CreateOpenIDConnectProviderCommand({
  Url: "https://oidc.example.com",                              // issuer URL; condition keys become "oidc.example.com:<claim>"
  ClientIDList: ["my-app-client-id", "another-client-id"],      // audiences (aud claim) this provider is trusted for
  ThumbprintList: ["1234567890abcdef1234567890abcdef12345678"], // placeholder; SHA-1 hex of the IdP's top intermediate CA certificate
  Tags: [{ Key: "Application", Value: "WebApp" }]
});

const result = await client.send(command);
console.log("OIDC Provider ARN:", result.OpenIDConnectProviderArn);

Get OpenID Connect Provider

Retrieves information about the specified OpenID Connect provider.

/**
 * Returns information about the specified OpenID Connect provider
 * @param OpenIDConnectProviderArn - ARN of the OpenID Connect provider
 */
interface GetOpenIDConnectProviderCommandInput {
  OpenIDConnectProviderArn: string;
}

interface GetOpenIDConnectProviderCommandOutput {
  Url?: string;
  ClientIDList?: string[];
  ThumbprintList?: string[];
  CreateDate?: Date;
  Tags?: Tag[];
}

List OpenID Connect Providers

Lists information about the OpenID Connect providers defined in the AWS account.

/**
 * Lists information about the OpenID Connect providers defined in the AWS account
 */
interface ListOpenIDConnectProvidersCommandInput {}

interface ListOpenIDConnectProvidersCommandOutput {
  OpenIDConnectProviderList?: OpenIDConnectProviderListEntry[];
}

Update OpenID Connect Provider Thumbprint

Replaces the existing list of server certificate thumbprints for an OpenID Connect provider.

/**
 * Replaces the existing list of server certificate thumbprints for an OpenID Connect provider
 * @param OpenIDConnectProviderArn - ARN of the OpenID Connect provider
 * @param ThumbprintList - List of certificate thumbprints for the provider's server certificates
 */
interface UpdateOpenIDConnectProviderThumbprintCommandInput {
  OpenIDConnectProviderArn: string;
  ThumbprintList: string[];
}
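The value that goes into ThumbprintList, for both CreateOpenIDConnectProvider and UpdateOpenIDConnectProviderThumbprint, is the SHA-1 hash of the DER-encoded certificate of the top intermediate CA (the one signed directly by the root) that the provider's host serves, written as 40 lowercase hex characters without separators. The following is an added example, not code from the page or from @aws-sdk/client-iam: it derives that value from DER or PEM, normalises the colon-separated form most tools print, decides whether the stored list needs an update, and, for completeness, walks a live TLS chain to find the certificate to hash. The offline parts are exercised on constructed placeholder bytes (not a real certificate); the chain walk needs network access and is only shown.

```typescript
// Added example (not part of @aws-sdk/client-iam): derive the thumbprint IAM
// expects in ThumbprintList and compare it with what a provider has stored.
import { createHash } from "crypto";
import * as tls from "tls";
import { URL } from "url";

// IAM's thumbprint is SHA-1 over the DER-encoded certificate, as 40 lowercase hex chars.
export function thumbprintFromDer(der: Buffer): string {
  return createHash("sha1").update(der).digest("hex");
}

// Accepts a PEM block as exported by a browser or `openssl s_client -showcerts`.
export function thumbprintFromPem(pem: string): string {
  const b64 = pem.replace(/-----BEGIN CERTIFICATE-----|-----END CERTIFICATE-----|\s+/g, "");
  return thumbprintFromDer(Buffer.from(b64, "base64"));
}

// Converts "A9:99:3E:..." (as printed by openssl and most consoles) to IAM's format.
export function normalizeThumbprint(tp: string): string {
  const hex = tp.replace(/[^0-9a-fA-F]/g, "").toLowerCase();
  if (hex.length !== 40) throw new Error(`not a SHA-1 thumbprint: ${tp}`);
  return hex;
}

// Returns the list to pass to UpdateOpenIDConnectProviderThumbprint, or null when
// the observed thumbprint is already stored. Old entries are kept so tokens keep
// validating during the IdP's CA rotation; IAM allows at most five entries, and this
// example assumes the stored list is oldest-first when it has to drop one.
export function thumbprintListUpdate(stored: string[], observed: string): string[] | null {
  const cur = stored.map(normalizeThumbprint);
  const obs = normalizeThumbprint(observed);
  if (cur.indexOf(obs) !== -1) return null;
  const next = cur.concat([obs]);
  return next.length > 5 ? next.slice(next.length - 5) : next;
}

// Live lookup (needs network): connect to the provider host and hash the highest
// certificate in the served chain that is not self-signed, i.e. the top intermediate.
// If the chain has no intermediate this yields the leaf; check the IdP's documentation.
export function fetchTopIntermediateThumbprint(providerUrl: string): Promise<string> {
  const host = new URL(providerUrl).hostname;
  return new Promise((resolve, reject) => {
    const socket = tls.connect({ host, port: 443, servername: host }, () => {
      let cert = socket.getPeerCertificate(true);
      // Node marks a self-signed (root) certificate by pointing issuerCertificate at itself.
      while (cert.issuerCertificate && cert.issuerCertificate !== cert
             && cert.issuerCertificate.issuerCertificate !== cert.issuerCertificate) {
        cert = cert.issuerCertificate;
      }
      socket.end();
      resolve(thumbprintFromDer(cert.raw));
    });
    socket.on("error", reject);
  });
}

// Offline demonstration on constructed input: "YWJj" is base64 of the bytes "abc",
// standing in for a certificate; the page's example entry plays the stored list.
const STORED = ["1234567890abcdef1234567890abcdef12345678"];
const observed = thumbprintFromPem("-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n");
console.log(observed);                               // a9993e364706816aba3e25717850c26c9cd0d89d
console.log(thumbprintListUpdate(STORED, observed)); // both entries: old kept, new appended
// Real use: fetchTopIntermediateThumbprint("https://oidc.example.com").then(tp => ...)
```

Two caveats when applying this. The host to inspect is the one serving the provider's jwks_uri (from `<Url>/.well-known/openid-configuration`), which is not always the issuer host. And for providers whose CA chain AWS already trusts through its own root CA library, AWS validates the TLS chain itself and no longer uses the stored thumbprint; the list is still required by the API but a stale value there is then harmless.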

Add/Remove Client ID

Manage client IDs (audiences) for OpenID Connect providers.

/**
 * Adds a new client ID to the list of client IDs associated with the OpenID Connect provider
 * @param OpenIDConnectProviderArn - ARN of the OpenID Connect provider
 * @param ClientID - The client ID (audience) to add
 */
interface AddClientIDToOpenIDConnectProviderCommandInput {
  OpenIDConnectProviderArn: string;
  ClientID: string;
}

/**
 * Removes the specified client ID from the list of client IDs associated with the OpenID Connect provider
 * @param OpenIDConnectProviderArn - ARN of the OpenID Connect provider
 * @param ClientID - The client ID (audience) to remove
 */
interface RemoveClientIDFromOpenIDConnectProviderCommandInput {
  OpenIDConnectProviderArn: string;
  ClientID: string;
}

Delete OpenID Connect Provider

Deletes an OpenID Connect identity provider resource.

/**
 * Deletes an OpenID Connect identity provider resource
 * @param OpenIDConnectProviderArn - ARN of the OpenID Connect provider to delete
 */
interface DeleteOpenIDConnectProviderCommandInput {
  OpenIDConnectProviderArn: string;
}

OpenID Connect Provider Tagging

/**
 * Adds one or more tags to an OpenID Connect identity provider
 * @param OpenIDConnectProviderArn - ARN of the OpenID Connect provider
 * @param Tags - List of tags to attach
 */
interface TagOpenIDConnectProviderCommandInput {
  OpenIDConnectProviderArn: string;
  Tags: Tag[];
}

/**
 * Removes the specified tags from the OpenID Connect identity provider
 * @param OpenIDConnectProviderArn - ARN of the OpenID Connect provider
 * @param TagKeys - List of tag keys to remove
 */
interface UntagOpenIDConnectProviderCommandInput {
  OpenIDConnectProviderArn: string;
  TagKeys: string[];
}

/**
 * Lists the tags attached to the specified OpenID Connect identity provider
 * @param OpenIDConnectProviderArn - ARN of the OpenID Connect provider
 * @param Marker - Use this parameter only when paginating results
 * @param MaxItems - Maximum number of items to return
 */
interface ListOpenIDConnectProviderTagsCommandInput {
  OpenIDConnectProviderArn: string;
  Marker?: string;
  MaxItems?: number;
}

Types

interface SAMLProviderListEntry {
  Arn?: string;
  ValidUntil?: Date;
  CreateDate?: Date;
}

interface OpenIDConnectProviderListEntry {
  Arn?: string;
}

Federation Use Cases

SAML 2.0 Federation

Corporate SSO Integration:

  • Integrate with Active Directory Federation Services (ADFS)
  • Enable employees to access AWS Console with corporate credentials
  • Set up role-based access through SAML assertions

Identity Provider Setup:

  1. Configure SAML IdP with AWS as service provider
  2. Generate and download SAML metadata XML
  3. Create SAML provider in AWS IAM
  4. Create IAM roles with trust policies for SAML federation
  5. Configure attribute mapping between IdP and AWS roles

OpenID Connect Federation

Web Identity Federation:

  • Enable mobile/web applications to access AWS resources
  • Support authentication through social identity providers (Google, Facebook, etc.)
  • Implement temporary credential vending for client applications

Application Integration:

  1. Register application with OIDC provider
  2. Create OIDC provider in AWS IAM
  3. Create IAM roles with trust policies for web identity
  4. Configure application to assume roles using OIDC tokens
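Step 4 of the SAML setup and step 3 of the OIDC integration both come down to the role trust policy, and that policy is where the provider's claims are actually enforced: a trust policy that names only the provider ARN accepts any identity the provider issues a token or assertion for. The following is an added example, not code from the page or from @aws-sdk/client-iam. It builds the two trust policies and a small evaluator for their StringEquals / StringLike conditions so the effect of each condition can be seen on sample claim contexts. The account ID, the subject naming scheme, the provider names and ARNs and the claim contexts are assumptions for illustration; the evaluator models only these two operators and is not IAM's policy engine.

```typescript
// Added example (not part of @aws-sdk/client-iam): role trust policies for a SAML
// provider and an OIDC provider, plus a minimal condition evaluator.
const ACCOUNT_ID = "123456789012";                                          // assumed
const SAML_PROVIDER_ARN = `arn:aws:iam::${ACCOUNT_ID}:saml-provider/ExampleSAMLProvider`;
const OIDC_PROVIDER_HOST = "oidc.example.com";                              // host of the page's example Url
const OIDC_PROVIDER_ARN = `arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER_HOST}`;

type ConditionBlock = Record<string, Record<string, string | string[]>>;
interface Statement { Effect: "Allow" | "Deny"; Principal: Record<string, string>; Action: string; Condition?: ConditionBlock }
interface TrustPolicy { Version: "2012-10-17"; Statement: Statement[] }

// SAML: STS exposes the assertion's audience as SAML:aud. Pinning it to the AWS
// sign-in endpoint (standard partition) rejects assertions minted for other SPs.
export const samlTrustPolicy: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { Federated: SAML_PROVIDER_ARN },
    Action: "sts:AssumeRoleWithSAML",
    Condition: { StringEquals: { "SAML:aud": "https://signin.aws.amazon.com/saml" } },
  }],
};

// OIDC: condition keys are "<provider host>:<claim>". aud must be one of the
// provider's ClientIDList entries; sub restricts which identities from that
// audience may assume the role ("service:payments:*" is an assumed scheme).
export const oidcTrustPolicy: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { Federated: OIDC_PROVIDER_ARN },
    Action: "sts:AssumeRoleWithWebIdentity",
    Condition: {
      StringEquals: { [`${OIDC_PROVIDER_HOST}:aud`]: "my-app-client-id" },
      StringLike:   { [`${OIDC_PROVIDER_HOST}:sub`]: "service:payments:*" },
    },
  }],
};

// The hazard the best-practices section warns about: with no sub condition every
// token the IdP issues for this audience is accepted.
export const oidcTrustPolicyNoSub: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ ...oidcTrustPolicy.Statement[0],
                Condition: { StringEquals: { [`${OIDC_PROVIDER_HOST}:aud`]: "my-app-client-id" } } }],
};

// IAM StringLike: * matches any run of characters, ? matches one.
function likeToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

// Every condition key must match; a key absent from the request context never matches.
export function statementAllows(stmt: Statement, action: string, ctx: Record<string, string>): boolean {
  if (stmt.Effect !== "Allow" || stmt.Action !== action) return false;
  const cond = stmt.Condition || {};
  for (const op of Object.keys(cond)) {
    for (const key of Object.keys(cond[op])) {
      const actual = ctx[key];
      if (actual === undefined) return false;
      const expected = cond[op][key];
      const options = Array.isArray(expected) ? expected : [expected];
      let ok: boolean;
      if (op === "StringEquals") ok = options.indexOf(actual) !== -1;
      else if (op === "StringLike") ok = options.some((p) => likeToRegExp(p).test(actual));
      else ok = false; // operators not modelled here: treat as non-matching
      if (!ok) return false;
    }
  }
  return true;
}

export function policyAllows(policy: TrustPolicy, action: string, ctx: Record<string, string>): boolean {
  return policy.Statement.some((s) => statementAllows(s, action, ctx));
}

// Constructed request contexts (what STS derives from a token / assertion).
export const ownAppToken  = { "oidc.example.com:aud": "my-app-client-id",  "oidc.example.com:sub": "service:payments:api" };
export const otherClient  = { "oidc.example.com:aud": "another-client-id", "oidc.example.com:sub": "service:payments:api" };
export const otherSubject = { "oidc.example.com:aud": "my-app-client-id",  "oidc.example.com:sub": "service:billing:api" };
export const samlForAws   = { "SAML:aud": "https://signin.aws.amazon.com/saml" };

const WEB = "sts:AssumeRoleWithWebIdentity";
console.log(policyAllows(oidcTrustPolicy, WEB, ownAppToken));        // true
console.log(policyAllows(oidcTrustPolicy, WEB, otherClient));        // false: wrong audience
console.log(policyAllows(oidcTrustPolicy, WEB, otherSubject));       // false: subject outside the pattern
console.log(policyAllows(oidcTrustPolicyNoSub, WEB, otherSubject));  // true: this is the over-broad trust
console.log(JSON.stringify(samlTrustPolicy));                         // AssumeRolePolicyDocument for CreateRole
```

To deploy, pass `JSON.stringify(policy)` as AssumeRolePolicyDocument to CreateRoleCommand; the SAML flow then posts the assertion to the AWS sign-in endpoint (or calls AssumeRoleWithSAML with it), and the application calls AssumeRoleWithWebIdentity from @aws-sdk/client-sts with the ID token as WebIdentityToken and the role ARN.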

Security Best Practices

  • Certificate Management: Watch ValidUntil on SAML providers and re-upload metadata with UpdateSAMLProvider before the IdP rotates its signing certificate; when an OIDC provider's CA chain changes, refresh ThumbprintList with UpdateOpenIDConnectProviderThumbprint, keeping the old entry until the rotation is complete
  • Client ID Restriction: Keep ClientIDList to the audiences your roles actually need, and remove retired ones with RemoveClientIDFromOpenIDConnectProvider; a trust policy can only be as narrow as the audiences the provider accepts
  • Role Trust Policies: Condition on the claims STS exposes, "<provider host>:aud" and "<provider host>:sub" for OIDC and SAML:aud for SAML; a trust policy that names only the provider ARN accepts every identity that provider issues a token or assertion for
  • Attribute Mapping: STS trusts what the IdP signs, so the role attribute (https://aws.amazon.com/SAML/Attributes/Role) and OIDC claims must be issued by the IdP only to entitled users; trust-policy conditions are the last check, not the only one
  • Monitoring: CloudTrail records AssumeRoleWithSAML and AssumeRoleWithWebIdentity events as well as provider changes (Create/Update/Delete provider, AddClientID/RemoveClientID, thumbprint updates); alert on the management calls and on assumptions from unexpected audiences or subjects