AWS User Provisioning
02-13-2019 11:05 AM
If SAML + User Provisioning is enabled with an AWS Account, is it possible for users to log in via the Centrify SSO page as the user that was provisioned? It seems the only option is for users to log in as an AWS role. Is it possible for Centrify to facilitate a login to the AWS account as the user it provisions?
02-13-2019 12:16 PM
Welcome to the Centrify forums.
The answer to your question depends on what you want to accomplish and what your identity source of record is.
Although it's true that the SAML+Provisioning and AWS Native + Provisioning both can "provision" an IAM user, this may not be desirable because you'll be duplicating identities.
E.g. let's say your identity source of record is Active Directory (in a typical B2E scenario). Ideally you DON'T provision the user as IAM, and allow them to use the AWS Console (or CLI, PowerShell, Python) by leveraging their federated identity (and role mapping). The benefit here is that should the user leave the company, by disabling the AD account you're done.
However, if you choose to provision, then you have a secondary identity in AWS which would have to be deprovisioned and you'd probably have to take care of things like keys, etc.
As for how they access: you are using an IdP-initiated login. You need to make sure that the AWS console supports SP-initiated login.
If you clarify what you'd like to accomplish from a business process perspective, perhaps we can suggest an alternative approach.
Finally, a moderation topic. This is an Idaptive question. Note that Centrify spun out the SSO business starting in January.
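The answer's point that a provisioned IAM user is a second identity whose password and keys must be tracked and deprovisioned can be checked against the IAM credential report (the CSV that GetCredentialReport returns). The following is an added example, not from the original post or from Centrify/Idaptive: it parses a constructed report (trimmed to the first 18 columns; account id 111122223333 is a placeholder) and flags users with console passwords, missing MFA, and never-used, stale or unrotated access keys.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the IAM credential report's CSV layout (first 18 of its
# columns). The account id 111122223333 is a placeholder, not a real account.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2018-01-01T00:00:00+00:00,not_supported,2019-02-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2018-06-01T00:00:00+00:00,true,2019-02-12T10:00:00+00:00,2018-06-01T00:00:00+00:00,N/A,true,true,2018-06-01T00:00:00+00:00,2019-02-10T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2018-03-01T00:00:00+00:00,true,2018-09-01T10:00:00+00:00,2018-03-01T00:00:00+00:00,N/A,false,true,2018-03-01T00:00:00+00:00,2018-08-15T08:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2017-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2017-01-01T00:00:00+00:00,N/A,N/A,N/A,true,2017-01-01T00:00:00+00:00,N/A,N/A,N/A
"""

# Fixed "now" so the sample evaluates the same way every run (constructed).
AUDIT_TIME = datetime(2019, 2, 13, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, stale_days=90):
    """Return (user, finding) pairs for IAM users that still hold usable credentials.

    A console password marks a second, provisioned identity beside the federated
    one; active keys that were never used, unused for stale_days, or not rotated
    for stale_days are the 'keys, etc.' that need deprovisioning attention."""
    findings = []
    stale = timedelta(days=stale_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":  # root is not a provisioned user; audit it separately
            continue
        if row["password_enabled"] == "true":
            findings.append((user, "console password enabled"))
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if used is None:
                findings.append((user, f"access key {n} active but never used"))
            elif now - used > stale:
                findings.append((user, f"access key {n} unused for {(now - used).days} days"))
            if rotated is not None and now - rotated > stale:
                findings.append((user, f"access key {n} not rotated for {(now - rotated).days} days"))
    return findings


def run_sample():
    """Audit the constructed report at the fixed audit time."""
    return audit_credential_report(SAMPLE_REPORT, AUDIT_TIME)
```

On a real account, feed the decoded `Content` of GetCredentialReport to `audit_credential_report` with `datetime.now(timezone.utc)`; federated users never appear in the report, which is the asymmetry the answer describes.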