Identity Center - Sync AD Object SID to send with SAML Assertion

0

Hi,

I'm looking to use Identity Center as the SAML IdP to connect to AD-joined AppStream. The basics are working, but we're looking to implement Certificate-Based Authentication (CBA). This requires sending the AD Attribute ObjectSID along with the assertion to successfully perform CBA. I am not seeing the option to sync the object SID from AD into Identity Center, or pass the object SID as part of the assertion.

Is this supported? Or is there some kind of workaround anyone has found to send this attribute?

2개 답변
0

AWS Single Sign-On (AWS SSO) does not currently support directly syncing or passing the ObjectSID attribute from on-premises AD to AppStream 2.0. However, there are a couple of potential workarounds:

Use a Custom SAML Identity Provider Instead of AWS SSO, you can configure a third-party SAML 2.0 compliant IdP like Okta, Ping Identity, etc. These IdPs often support passing custom attributes like ObjectSID in the SAML assertion to AppStream 2.0.

Use AWS Managed Microsoft AD Set up an AWS Managed Microsoft AD and join your on-premises AD to it. The AWS Managed Microsoft AD will sync user identities including the ObjectSID. Then configure your IdP (AWS SSO or third-party) to use the AWS Managed Microsoft AD as the source to pass the ObjectSID.

Both approaches require additional setup compared to using AWS SSO directly with on-premises AD for AppStream 2.0. You'll need to evaluate the complexity, cost, and your specific requirements.

AWS
답변함 3달 전
0

Hello,

Thank you for querying in this forum.

From the descriptions, I understand that your use case is to send an AD Attribute ObjectSID in the SAML assertion but you are not able to see the option to sync the object SID from AD into Identity Center or pass the object SID as part of the assertion. You would like to know if this is actually being supported ot not.

Please confirm the below details and information regarding the IAM Identity Center setup in your environment so that we could better understand your setup and issue.

  • Can you clarify the IDP and SP that you have setup in your environment ?

  • If you are using SSO as an Idp, confirm the identity source that you are using in your IAM Identity Center setup. Kindly confirm if you are using External identity provider or an Active Directory or Identity Center directory in your IAM Identity Center setup.

The passing of the attribute detail in the SAML assertion depends upon the IdP that you are using. For a list of supported directory attributes or supported IAM Identity Center attributes and that can be mapped to user attributes, please go through the below documentation.

[+] https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html

Thank you.

AWS
답변함 3달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠