Top / Amazon Web Service / AWS IAM / SAML Provider

AWS IAM SAML Provider

This page shows how to write Terraform and CloudFormation for IAM SAML Provider and write them securely.

terraform-logo

Review your .tf file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

aws_iam_saml_provider (Terraform)

The SAML Provider in IAM can be configured in Terraform with the resource name aws_iam_saml_provider. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L5
resource "aws_iam_saml_provider" "idp_saml" {
  name                   = "idp_saml"
  saml_metadata_document = file("saml-metadata.xml")
}

resource "aws_iam_saml_provider" "second_idp_saml" {
main.tf#L5
resource "aws_iam_saml_provider" "idp_saml" {
  name                   = "idp_saml"
  saml_metadata_document = file("saml-metadata.xml")
}

resource "aws_iam_saml_provider" "second_idp_saml" {
main.tf#L5
resource "aws_iam_saml_provider" "idp_saml" {
  name                   = "idp_saml"
  saml_metadata_document = file("saml-metadata.xml")
}

resource "aws_iam_saml_provider" "second_idp_saml" {
main.tf#L5
resource "aws_iam_saml_provider" "idp_saml" {
  name                   = "idp_saml"
  saml_metadata_document = file("saml-metadata.xml")
}

resource "aws_iam_saml_provider" "second_idp_saml" {
main.tf#L5
resource "aws_iam_saml_provider" "idp_saml" {
  name                   = "idp_saml"
  saml_metadata_document = file("saml-metadata.xml")
}

resource "aws_iam_saml_provider" "second_idp_saml" {

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

>> from Terraform Registry

Explanation in Terraform Registry

Provides an IAM SAML provider.

>> from Terraform Registry

Tips: Best Practices for The Other AWS IAM Resources

In addition to the aws_iam_account_password_policy, AWS IAM has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_iam_account_password_policy

Ensure AWS IAM account password policies requires long passwords

It's better to enforce the use of long and complex passwords to reduce the risk of bruteforce attacks.

Review your AWS IAM settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::IAM::SAMLProvider (CloudFormation)

The SAMLProvider in IAM can be configured in CloudFormation with the resource name AWS::IAM::SAMLProvider. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

jumpcloud-idp.yaml#L14
    Type: 'AWS::IAM::SAMLProvider'
    Properties:
      Name: !Ref SamlProviderName
      SamlMetadataDocument: !Ref MetadataDocument
  SamlProviderRole:
    Type: AWS::IAM::Role
AssumeRoleWithSaml.json#L54
      "type": "AWS::IAM::SAMLProvider"
    }
  ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "123456789012"
template.json#L1895
    "AWS::IAM::SAMLProvider": {
      "Type": "AWS::IAM::SAMLProvider",
      "Properties": {}
    },
    "AWS::Inspector::ResourceGroup": {
      "Type": "AWS::Inspector::ResourceGroup",
324722364132_CloudTrail_us-east-1_20170329T0020Z_MoAJtMGsPx7jiNQS.json#L1

Parameters

>> from AWS CloudFormation Documentation

Explanation in CloudFormation Registry

Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.

The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS.

When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. That document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that the IdP sends. You must generate the metadata document using the identity management software that is used as your organization's IdP.

Note This operation requires Signature Version 4. For more information, see [Enabling SAML 2.

0 federated users to access the AWS Management Console ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html) and [About SAML 2.

0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the IAM User Guide.

>> from AWS CloudFormation Documentation

The Other Related AWS IAM Resources

Frequently asked questions

What is AWS IAM SAML Provider?

AWS IAM SAML Provider is a resource for IAM of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS IAM SAML Provider?

For Terraform, the anmoltoppo/Terraform, madhuawsdemo/modules and terraform-aws-modules/terraform-aws-iam source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the Sage-Bionetworks/aws-infra, vikyol/aws-tags and mhlabs/aws-icons-directory source code examples are useful. See the CloudFormation Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents