- 최신
- 최다 투표
- 가장 많은 댓글
AWS Single Sign-On (AWS SSO) does not currently support directly syncing or passing the ObjectSID attribute from on-premises AD to AppStream 2.0. However, there are a couple of potential workarounds:
Use a Custom SAML Identity Provider Instead of AWS SSO, you can configure a third-party SAML 2.0 compliant IdP like Okta, Ping Identity, etc. These IdPs often support passing custom attributes like ObjectSID in the SAML assertion to AppStream 2.0.
Use AWS Managed Microsoft AD Set up an AWS Managed Microsoft AD and join your on-premises AD to it. The AWS Managed Microsoft AD will sync user identities including the ObjectSID. Then configure your IdP (AWS SSO or third-party) to use the AWS Managed Microsoft AD as the source to pass the ObjectSID.
Both approaches require additional setup compared to using AWS SSO directly with on-premises AD for AppStream 2.0. You'll need to evaluate the complexity, cost, and your specific requirements.
Hello,
Thank you for querying in this forum.
From the descriptions, I understand that your use case is to send an AD Attribute ObjectSID in the SAML assertion but you are not able to see the option to sync the object SID from AD into Identity Center or pass the object SID as part of the assertion. You would like to know if this is actually being supported ot not.
Please confirm the below details and information regarding the IAM Identity Center setup in your environment so that we could better understand your setup and issue.
-
Can you clarify the IDP and SP that you have setup in your environment ?
-
If you are using SSO as an Idp, confirm the identity source that you are using in your IAM Identity Center setup. Kindly confirm if you are using External identity provider or an Active Directory or Identity Center directory in your IAM Identity Center setup.
The passing of the attribute detail in the SAML assertion depends upon the IdP that you are using. For a list of supported directory attributes or supported IAM Identity Center attributes and that can be mapped to user attributes, please go through the below documentation.
[+] https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html
Thank you.