AWS User Provisioning

Participant I
Posts: 1
Registered: 02-07-2019
#1 of 2 293
Accepted Solution

AWS User Provisioning



If SAML + User Provisioning is enabled with an AWS Account, is it possible for users to login via the Centrify SSO page as the user that was provisioned? It seems the only option is for users to login as an AWS role. Is it possible for Centrify to facilitate a login to the AWS account as the user it provisions?

Centrify Guru I
Posts: 2,449
Registered: 07-26-2012
#2 of 2 289

Re: AWS User Provisioning




Welcome to the Centrify forums.


The answer to your question depends on what you want to accomplish and what your identity source of record is.

Although it's true that SAML + Provisioning and AWS Native + Provisioning can both "provision" an IAM user, this may not be desirable because you'll be duplicating identities.


E.g., let's say your identity source of record is Active Directory (in a typical B2E scenario). Ideally you DON'T provision the user as IAM, and allow them to use the AWS Console (or CLI PowerShell/Python) by leveraging their federated identity (and role mapping). The benefit here is that should the user leave the company, by disabling the AD account you're done.


However, if you choose to provision, then you have a secondary identity in AWS which would have to be deprovisioned and you'd probably have to take care of things like keys, etc.


As far as how they access: you are using an IdP-initiated login. You need to make sure that the AWS console supports SP-initiated login.


If you clarify what you'd like to accomplish from a business process perspective, perhaps we can suggest an alternative approach.


Finally, a moderation topic. This is an Idaptive question. Note that Centrify spun out the SSO business starting in January.



Want to learn more about practical Centrify examples? Check out my blog at
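The deprovisioning concern raised in the reply above (a provisioned IAM user outliving the directory account, along with its keys) can be checked from an IAM credential report. The following is an added example, not part of the original thread or of any Centrify/Idaptive tooling; the sample report rows, the `ENABLED_DIRECTORY_USERS` set, the function name, and the assumption that IAM user names match directory account names are all constructed for illustration.

```python
import csv
import io

# Constructed sample using a subset of the IAM credential report CSV columns.
SAMPLE_REPORT = """user,arn,password_enabled,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false
bob,arn:aws:iam::111122223333:user/bob,false,true,true
carol,arn:aws:iam::111122223333:user/carol,true,false,false
"""

# Assumed export from the identity source of record: accounts still enabled.
ENABLED_DIRECTORY_USERS = {"alice"}


def find_orphaned_iam_users(report_csv, enabled_users):
    """Return IAM users that have no enabled directory account
    but still hold a console password or an active access key."""
    enabled = {u.lower() for u in enabled_users}
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        # The root row is not a provisioned user; enabled users are expected.
        if name == "<root_account>" or name.lower() in enabled:
            continue
        live = []
        if row.get("password_enabled") == "true":
            live.append("console_password")
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active") == "true":
                live.append(f"access_key_{slot}")
        if live:
            findings.append(
                {"user": name, "arn": row["arn"], "live_credentials": live}
            )
    return findings


if __name__ == "__main__":
    for finding in find_orphaned_iam_users(SAMPLE_REPORT, ENABLED_DIRECTORY_USERS):
        print(finding["user"], finding["live_credentials"])
```

With federation and role mapping only, this list stays empty by construction, because no per-user IAM credentials exist to be left behind.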