Using IAM access centre and federation in one account

0

I'm currently using Okta with IAM federation to manage the workforce users. I would like to try the IAM Identity Center option. Is it possible to configure IAM Identity Center and IAM federation in the same AWS account? Thanks in advance,

asked 4 months ago · 481 views
3 Answers
2
Accepted Answer

Yes, it is possible to configure both IAM Identity Center and IAM federation in the same account. IAM federation uses the IAM identity provider feature of AWS IAM, whereas IAM Identity Center is a separate AWS service. If you manage multiple accounts, it is recommended to use IAM Identity Center for integrating with Okta or any external identity providers.

You can refer to the following documentation for the configuration:
https://help.okta.com/en-us/content/topics/deploymentguides/aws/aws-configure-identity-provider.htm
https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-okta.html

AWS
answered 4 months ago
EXPERT
reviewed 4 months ago
2

Yes, it is possible to configure both AWS IAM Identity Center (formerly AWS Single Sign-On) and IAM federation in the same AWS account. These services can coexist and serve different purposes, allowing you to manage access for different types of users or scenarios. Here's a detailed explanation of how you can set this up:

Understanding the Services

IAM Identity Center:

AWS IAM Identity Center simplifies access management by providing single sign-on (SSO) to AWS accounts and applications. It integrates with your existing identity provider (IdP) like Okta, enabling your workforce users to access AWS resources using their corporate credentials.

IAM Federation:

IAM Federation allows users to access AWS resources using identities managed outside of AWS, such as in your corporate directory.

This is typically done using SAML 2.0-based federation, where users authenticate through an IdP like Okta, and temporary AWS credentials are issued via the Security Token Service (STS).

Configuring Both Services

**Here are the steps to configure IAM Identity Center alongside IAM Federation in your AWS account:**

1. Setting Up IAM Identity Center

Enable IAM Identity Center:

Go to the AWS Management Console.

Navigate to IAM Identity Center and enable it.

Integrate with Okta:

In IAM Identity Center, set up Okta as your external identity provider.

Follow the steps to connect IAM Identity Center to Okta, including configuring SAML 2.0 settings.

Assign Access:

Create user groups and assign access to AWS accounts and applications through IAM Identity Center.

Use the IAM Identity Center console to assign permissions and roles to users or groups from Okta.

2. Setting Up IAM Federation

Configure SAML-Based Federation:

In the IAM console, create a SAML provider for Okta.

Upload the Okta SAML metadata file to IAM.

Create IAM Roles for Federated Access:

Create IAM roles that specify the permissions for your federated users.

Set up trust relationships in the roles to allow your Okta SAML provider to assume the roles.

Configure Okta:

In Okta, configure applications for AWS access, mapping Okta users to the appropriate AWS roles.

Ensure the SAML assertion from Okta includes the necessary information for AWS STS to assume the correct roles.

Using Both Services

IAM Identity Center: This is ideal for managing workforce users who need consistent and broad access across multiple AWS accounts and services. It provides a centralized access management and SSO experience.

IAM Federation: This is useful for specific use cases where users need temporary, scoped access to AWS resources. It can be used alongside IAM Identity Center for scenarios where direct federation via SAML is required, such as legacy applications or specific security requirements.

EXPERT
answered 4 months ago
2

Hello,

Check these steps; they may help you.

IAM Identity Center:

Enable IAM Identity Center: Go to AWS Management Console > IAM Identity Center and enable it.

Integrate with Okta: Set up Okta as your external identity provider in IAM Identity Center.

Assign Access: Create user groups, assign permissions, and roles to users or groups from Okta.

IAM Federation:

Configure SAML Provider: In IAM console, create a SAML provider for Okta and upload the Okta SAML metadata file.

Create IAM Roles: Define roles with permissions and trust relationships to allow Okta SAML provider to assume roles.

Configure Okta: Set up Okta to map users to the appropriate AWS roles for federated access.

IAM Identity Center: Best for managing workforce users needing broad, consistent access across AWS accounts.

IAM Federation: Ideal for temporary, scoped access, legacy applications, or specific security requirements. I hope this will be helpful.

EXPERT
answered 4 months ago
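The "Create IAM Roles" / trust-relationship step in the two answers above is where the IAM federation side is most often misconfigured. Below is an added example (not from the thread or from AWS/Okta documentation) that builds the role trust policy for a SAML provider and checks an existing policy for the two properties that keep the role scoped to that provider: the `Federated` principal must be the exact Okta provider ARN, and the `SAML:aud` condition must pin the assertion audience to the AWS sign-in endpoint. The account ID and provider name are constructed placeholders.

```python
import json

# Constructed placeholder values; substitute your own account ID and provider name.
ACCOUNT_ID = "123456789012"
SAML_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/Okta"
# Audience AWS expects in a SAML assertion used with AssumeRoleWithSAML.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def build_saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy that lets only the named SAML provider assume the role,
    and only for assertions addressed to the AWS sign-in audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
            }
        ],
    }


def check_saml_trust_policy(policy: dict, expected_provider_arn: str) -> list:
    """Return a list of findings for the trust policy; an empty list means
    every Allow statement for AssumeRoleWithSAML is scoped as expected."""
    findings = []
    saml_statements = 0
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not (
            "sts:AssumeRoleWithSAML" in actions or "sts:*" in actions
        ):
            continue
        saml_statements += 1
        federated = stmt.get("Principal", {}).get("Federated")
        if federated != expected_provider_arn:
            findings.append(f"statement {i}: Federated principal {federated!r} "
                            f"is not the expected provider {expected_provider_arn!r}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append(f"statement {i}: missing or wrong SAML:aud condition ({aud!r})")
    if saml_statements == 0:
        findings.append("no sts:AssumeRoleWithSAML statement found")
    return findings


if __name__ == "__main__":
    policy = build_saml_trust_policy(SAML_PROVIDER_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", check_saml_trust_policy(policy, SAML_PROVIDER_ARN))
```

The same check can be run against the trust policy returned by `aws iam get-role` for each federated role, so a role whose condition was dropped during editing is caught before Okta users are mapped to it.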
