Hi there.
The document you shared actually indicates how it should be done when involving an external IdP.
If you’re using an external IdP, you will not see the Multi-factor authentication section. The external IdP manages MFA settings rather than IAM Identity Center managing them.
I hope this helps.
As stated in the AWS documentation [1] above, you need to configure the IdP [2] for MFA rather than using the AWS Console. I suggest you follow the official docs from your IdP provider.
Here is outline for setting up AWS MFA with an external identity provider (IdP):
- In AWS IAM, create an IAM role that will be used to give access to your AWS resources. Grant this role the permissions it needs.
- In your external IdP (e.g. Okta, Azure AD), configure AWS as a service provider application.
- When adding the app, you will need to provide the AWS IAM role ARN that you created. This links the IdP to that IAM role.
- Configure your IdP to use MFA for users. This could be Okta Verify, Google Authenticator, etc., depending on your IdP.
- Assign users to the AWS app in the IdP. When they sign in with MFA and are authenticated, they will assume the IAM role in AWS and gain access.
- The AWS IAM role trusts the external IdP to authenticate users. The role does not have direct password access itself.
- Make sure to restrict access to the AWS Management Console in IAM if you only want to allow programmatic access via the role.
So in summary, the external IdP handles authentication and MFA, and the AWS role handles authorization based on permissions granted. The two are linked via the external ID provided when creating the IAM role.
References: [1] https://docs.aws.amazon.com/singlesignon/latest/userguide/mfa-enable-how-to.html [2] Okta example: https://help.okta.com/en-us/content/topics/security/mfa/mfa-factors.htm
Unfortunately, no. The document you link to says right at the top that the MFA section will be missing if you use an external IdP.
This AWS document expands on the limitation:
You can use IAM Identity Center’s multi-factor authentication capabilities when your identity source is configured with IAM Identity Center’s identity store, AWS Managed Microsoft AD, or AD Connector. MFA in IAM Identity Center is currently not supported for use by external identity providers.
I am asking the SAML2 admins if they can make it request MFA on their end, but my understanding is that the SAML request coming from AWS is what normally would do that. I found a piece of documentation from Atlassian that might help:
When I use shibboleth from apache, that's what I do. This is how I have an Apache with some areas that require MFA and others that don't. In Apache you configure this as:
<RequireAll>
Require authnContextClassRef "https://refeds.org/profile/mfa"
Require shib-session
</RequireAll>
So I think what really needs to happen here is that Cognito, either on its own, because of the IdP configuration on the Amazon side, or because Identity told it, needs to make the SAML request with the context class set to https://refeds.org/profile/mfa
-- does that make sense?
--C
UPDATE: I talked to our Shibboleth administrator to make sure I got the ideas here right, and I'm convinced I do. Yes, we CAN force MFA on the identity provider side, but that's not the right way to do this. The correct way is that the SP (Cognito) has a way to signal that you want MFA on the IdP side; then when the SP (Cognito) makes the request it specifies an AuthnContext of http://rit.edu/ac/classes/mfa .
I would like to escalate this as a pretty important feature request into Cognito. Is there something I can do here to facilitate that?
Hi there.
Actually, my answer was about the MFA configuration being handled by the IdP and not Identity Center. I don't think what you suggest will work because, as mentioned previously, being a third-party IdP, it is out of the control of Identity Center (or Cognito). You must configure the account for MFA at the source (IdP).
I hope this helps.
Jose, I'm pretty sure it is ... AuthnContext is sent at the start of every SP (cognito) request to the idP.
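The two sides of this thread, in code. The outline answer above describes the IdP handing AWS a SAML assertion that names an IAM role, and the Shibboleth posts argue that the SP should signal MFA via the AuthnContext in its request. The following is an added example, not code from the thread, from AWS, or from any IdP: it builds an SP AuthnRequest carrying a RequestedAuthnContext of https://refeds.org/profile/mfa, then checks a (constructed, hypothetical) SAML Response for that AuthnContextClassRef and pulls out the AWS Role attribute pairs. The entity IDs, account ID, role and provider names are placeholders; XML signature validation, which a real SP must do before trusting any of these values, is left out.

```python
"""Added example: minimal SP-side SAML handling for an MFA-required login.

1. The SP asks for a specific authentication context in its AuthnRequest.
2. The SP refuses any assertion that does not carry that context back,
   so an IdP that ignores the request cannot silently downgrade to password-only.
3. The AWS Role attribute (role ARN + SAML provider ARN pairs) is extracted.
Signature verification is intentionally out of scope here.
"""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD_ONLY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, authn_context=REFEDS_MFA):
    """Return an AuthnRequest (XML text) that requires the given context.
    Comparison="exact" tells the IdP to step up to that context or fail."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = authn_context
    return ET.tostring(req, encoding="unicode")


def check_response(response_xml, required_context=REFEDS_MFA):
    """Enforce the required AuthnContextClassRef and return a list of
    (role_arn, provider_arn) tuples. Raises ValueError on any shortfall."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    got = None if ctx is None else (ctx.text or "").strip()
    if got != required_context:
        raise ValueError(f"IdP asserted {got!r}, required {required_context!r}")
    roles = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            # AWS accepts the two ARNs in either order; sort them out by type.
            parts = [p.strip() for p in (val.text or "").split(",")]
            role = [p for p in parts if ":role/" in p]
            prov = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(role) != 1 or len(prov) != 1:
                raise ValueError(f"malformed AWS Role attribute value: {val.text!r}")
            roles.append((role[0], prov[0]))
    if not roles:
        raise ValueError("assertion carries no AWS Role attribute")
    return roles


def sample_response(context):
    """Constructed, unsigned SAML Response with placeholder ARNs (hypothetical)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement>
      <saml:AuthnContext><saml:AuthnContextClassRef>{context}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="{AWS_ROLE_ATTR}">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ExampleAdmin,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(build_authn_request("urn:amazon:webservices", "https://signin.aws.amazon.com/saml",
                              "https://idp.example.edu/idp/profile/SAML2/POST/SSO"))
    print(check_response(sample_response(REFEDS_MFA)))
    try:
        check_response(sample_response(PASSWORD_ONLY))
    except ValueError as e:
        print("rejected:", e)
```

The second half is the part that actually matters for security: requesting MFA is only a hint to the IdP, so the SP has to check the context class that comes back and reject a password-only assertion rather than trust that the IdP honoured the request.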
Hi, thank you for this explanation, it was very good. The part I'm not sure about is step 4. The way I'm used to this, the Service Provider makes a request to the IdP (in my case Shibboleth), but I think that the request, in step 2 here, which is AWS, needs to say "Log somebody in, and require MFA" ... and that the MFA requirement really gets pushed by AWS. Does that seem correct to you?
I misunderstood the question. My answer was generic, not specific to your use case. My apologies. I will have to research further.