Friday, October 10, 2025

AWS IAM Identity Center Login Flow | Overview.

AWS IAM Identity Center Login Flow - Overview.

 Scope:

  • Intro,
  • Key Components,
  • An End-to-End login Flow (Federated Login with External IdP),
  • User Initiates Login,
  • IdP Authentication,
  • Federation Response to IAM Identity Center,
  • Mapping to IAM Identity Center Identity Store,
  • IAM Role Creation (via Permission Set),
  • User Choice for an Account & Role,
  • IAM Identity Center (IC) Issues STS Credentials,
  • AWS Console or CLI Access,
  • Authorization Evaluation,
  • Session Expiration & Renewal,
  • Summary of Login Flow,
  • Architecture,
  • Final Tips.

Intro:

    •  AWS IAM Identity Center (IAM IC) provides centralized access (login) management across AWS accounts and applications.
    •  AWS IAM Identity Center (IAM IC) integrates with external identity providers (IdPs) like Azure AD, Okta, Ping, etc., to enable federated login using SAML 2.0 (Security Assertion Markup Language Version 2.0) or OIDC (OpenID Connect).

 Key Components

Component

Description

Identity Source

Source of truth for users — either internal (IAM IC directory) or external (e.g., Azure AD, Okta).

IAM Identity Center Portal

User login entry point (e.g., https://d-xxxxxxxx.awsapps.com/start).

Permission Sets

Define permissions (AWS-managed or custom policies).

IAM Roles

Created in target AWS accounts based on permission sets.

SCIM (Optional)

Syncs users and groups automatically from IdP to IAM IC.

AWS STS (Security Token Service)

Issues temporary credentials when users assume IAM roles.

 An End-to-End login Flow (Federated Login with External IdP)

The sequence of steps from loginaccount access credential issuance.

1, User Initiates Login

    • The user navigates to the AWS IAM Identity Center user portal:
      https://d-xxxxxxxx.awsapps.com/start
    • https://d-xxxxxxxx.awsapps.com/start
    • The portal redirects the user to the configured IdP login page (e.g., Okta, Azure AD).

2, IdP Authentication

    • The user enters credentials at the external IdP.
    • The IdP (identityProvider) performs authentication (password, MFA, conditional access, etc.).
    • Upon success, the IdP issues a SAML assertion (or OIDC token) back to IAM Identity Center.

3, Federation Response to IAM Identity Center

    • IAM Identity Center receives the SAML response from the IdP.
    • The assertion includes:
      • User identity (NameID, email, etc.)
      • Group memberships
      • Session attributes
    • IAM Identity Center validates the assertion using the IdP’s metadata and certificate.
    • IAM Identity Center validates the assertion using the IdP’s metadata and certificate.

4, Mapping to IAM Identity Center Identity Store

    • IAM Identity Center (IC) matches the user to a federated identity in its internal store (via SCIM sync or just-in-time mapping).
    • Groups are used to determine which permission sets and accounts the user can access.

5, IAM Role Creation (via Permission Set)

    • Each permission set maps to an IAM role in each target AWS account.
    • The role’s trust policy trusts the IAM Identity Center instance in the master (or delegated admin) account.
    • Example trust policy fragment:

# json


{

  "Effect": "Allow",

  "Principal": {

    "Federated": "arn:aws:iam::twtechOrg-Management-AccountID:saml-provider/AWSIdentityCenter"

  },

  "Action": "sts:AssumeRoleWithSAML"

}

6, User Choice for an Account & Role

  • After login, the user lands on the AWS access portal: https://d-xxxxxxxx.awsapps.com/start#/
  • The user sees a list of:
    • AWS Accounts
    • Assigned Permission Sets (as Role options)
  • The user selects a role to assume in a specific AWS account.

7, IAM IC Issues STS Credentials

    • IAM IC calls AWS STS (AWS AWS Security Token Service)  to assume the target role using the internal trust between IAM IC and the AWS account.
    • STS issues temporary credentials (Access Key ID, Secret Access Key, Session Token).

8, AWS Console or CLI Access

    • For Console access, IAM IC seamlessly redirects to the AWS Console in the target account with the assumed role session.
    • For CLI/API access, the AWS CLI v2 can perform a device authorization flow:

aws sso login --profile twtech-single-sign-on-profile

    • CLI opens the browser, authenticates the user via IAM IC.
    • CLI retrieves STS credentials via IAM IC.
    • Credentials are stored locally under ~/.aws/sso/cache/.

9, Authorization Evaluation

Once inside the AWS account:

    • AWS evaluates IAM policies attached to the assumed IAM role (via the permission set).
    • Access decisions (allow/deny) are enforced normally by IAM.

 NB: 

Session Expiration & Renewal:

    • Session duration is defined by the permission set (up to 12 hours for console sessions, or 1 hour for CLI unless extended).
    • When credentials expire, users must re-authenticate.

 Summary of Login Flow

User IAM IC Portal External IdP IAM IC IAM Role AWS STS AWS Account

1. User opens IAM IC (Identity Center) portal,

2. Redirect to IdP (SAML),

3. IdP authenticates user,

4. IdP sends SAML assertion to IAM IC,

5. IAM IC validates & maps user,

6. User selects account & permission set,

7. IAM IC assumes IAM role via STS,

8. User gains AWS console/CLI access.

Architecture 


Final Tips

    • SCIM (System for Cross-domain Identity Management) Provisioning keeps user/group mappings in sync automatically.
    • Attribute-based access control (ABAC) can be combined with SSO by embedding attributes in SAML assertions.
    • Delegated admin accounts can manage IAM IC without using the management account.
    • Use AWS CloudTrail event source: sso.amazonaws.com to monitor logins and access grants.



at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Amazon EventBridge | Overview.

Amazon EventBridge - Overview. Scope: Intro, Core Concepts, Key Benefits, Link to official documentation, What EventBridge  Really  Is (Deep...