
IAM SAML Provider Exists in Account

Overview

This check verifies whether SAML (Security Assertion Markup Language) identity providers exist in your AWS account. SAML providers enable federated authentication, allowing users to sign in through your corporate identity provider (like Okta, Azure AD, or Google Workspace) and receive temporary AWS credentials instead of using long-lived IAM access keys.

Risk

Without SAML federation configured:

  • Reliance on long-lived credentials: Users sign in as IAM users with console passwords and static access keys, which can be stolen or leaked and, in practice, are rarely rotated
  • Limited access control: The password policy, MFA enforcement and session limits of your corporate IdP do not apply to IAM users; they have to be re-created and maintained in every AWS account
  • Difficult credential revocation: Disabling a leaver's corporate account does nothing to their IAM user; compromised access keys must be found and rotated by hand, so unauthorized access can persist for a long time
  • Reduced accountability: Without a central identity, tying CloudTrail events back to a named person is harder, and shared IAM users hide who did what
  • Compliance gaps: Many security frameworks require centralized, federated identity management for cloud resources

Remediation Steps

Prerequisites

  • Administrative access to your AWS account (or IAM permissions including iam:CreateSAMLProvider, plus iam:CreateRole and iam:AttachRolePolicy for the role steps below)
  • Access to your corporate identity provider (IdP) to download the SAML metadata XML file
  • The SAML metadata document from your IdP (usually downloadable from your IdP's admin console)
Getting your SAML metadata document

Your SAML metadata is an XML file that contains your identity provider's configuration. Here's how to get it from common providers:

Okta:

  1. Go to Applications > Your SAML App > Sign On tab
  2. Click Identity Provider metadata to download the XML file

Azure AD (now Microsoft Entra ID):

  1. Go to Azure Portal > Azure Active Directory > Enterprise Applications
  2. Select your app > Single sign-on > SAML Signing Certificate
  3. Download Federation Metadata XML

Google Workspace:

  1. Go to Admin Console > Apps > Web and mobile apps
  2. Select your SAML app > Download metadata

Save this file locally (e.g., saml-metadata.xml) for use in the following steps.

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to IAM (Identity and Access Management)
  3. In the left navigation pane, click Identity providers
  4. Click Add provider
  5. For Provider type, select SAML
  6. For Provider name, enter a descriptive name (e.g., Okta-SSO or AzureAD)
  7. Under Metadata document, click Choose file and upload your SAML metadata XML file
  8. Click Add provider

After creating the SAML provider, you'll need to create IAM roles that trust this provider and define what permissions federated users receive.

Creating a role for SAML federation

After adding the SAML provider, create a role that federated users can assume:

  1. In IAM, go to Roles > Create role
  2. Select SAML 2.0 federation as the trusted entity type
  3. Select your SAML provider from the dropdown
  4. Choose the appropriate access type:
    • Allow programmatic access only - For CLI/API access
    • Allow programmatic and AWS Management Console access - For both console and API
  5. Click Next and attach permission policies (start with least privilege)
  6. Name your role (e.g., SAML-Developers-Role)
  7. Click Create role

AWS CLI (optional)

Create a SAML identity provider using the AWS CLI:

aws iam create-saml-provider \
--saml-metadata-document file://saml-metadata.xml \
--name MyCompany-SSO \
--region us-east-1

The command returns the ARN of the new SAML provider:

{
    "SAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/MyCompany-SSO"
}

Creating a role for SAML federation:

First, create a trust policy file (trust-policy.json):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:saml-provider/MyCompany-SSO"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}

Then create the role:

aws iam create-role \
--role-name SAML-Developers-Role \
--assume-role-policy-document file://trust-policy.json \
--region us-east-1

Attach a permissions policy to the role:

aws iam attach-role-policy \
--role-name SAML-Developers-Role \
--policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess \
--region us-east-1
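
The trust policy above is the part that actually decides who can become SAML-Developers-Role, so it is worth checking mechanically. The following Python is an added example for this page, not the check's own code: it builds the trust policy shown above and audits an existing one (a dict or the JSON text of the AssumeRolePolicyDocument field that aws iam get-role returns), flagging a Federated principal that is not one of your known providers, a missing or wrong SAML:aud condition, and wildcard principals. The provider ARN and the weaker sample policy are constructed for the demonstration.

```python
"""Build and audit the trust policy of a SAML-federated IAM role.

Added example for this page, not the check's own code. The provider ARN and
the weak sample policy below are constructed for the demonstration.
"""
import json

# The audience AWS expects in assertions used for console/API federation
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def build_saml_trust_policy(provider_arn, audience=AWS_SAML_AUDIENCE):
    """Return the trust policy from this page as a dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": audience}},
            }
        ],
    }


def _as_list(value):
    """IAM accepts a single string or a list in most policy positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_values(condition, operator, key):
    """Case-insensitive lookup of Condition[operator][key], as a list."""
    for op_name, keys in condition.items():
        if op_name.lower() != operator.lower():
            continue
        for key_name, values in keys.items():
            if key_name.lower() == key.lower():
                return _as_list(values)
    return []


def audit_saml_trust_policy(policy, allowed_provider_arns):
    """Return findings for every Allow statement granting sts:AssumeRoleWithSAML.

    An empty list means each such statement names one of our known SAML
    providers, has no wildcard principal, and pins SAML:aud to the AWS
    sign-in audience with StringEquals. `policy` may be a dict or JSON text.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerolewithsaml", "sts:*", "*"}:
            continue  # not a SAML federation statement
        principal = stmt.get("Principal")
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        ):
            findings.append(f"statement {idx}: wildcard principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not federated:
            findings.append(f"statement {idx}: no Federated principal")
        for arn in federated:
            if arn not in allowed_provider_arns:
                findings.append(f"statement {idx}: trusts unexpected provider {arn}")
        audiences = _condition_values(stmt.get("Condition") or {}, "StringEquals", "SAML:aud")
        if not audiences:
            findings.append(f"statement {idx}: no SAML:aud condition")
        for aud in audiences:
            if aud != AWS_SAML_AUDIENCE:
                findings.append(f"statement {idx}: unexpected audience {aud}")
    return findings


# Constructed sample data for the demonstration
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/MyCompany-SSO"
GOOD_POLICY = build_saml_trust_policy(PROVIDER_ARN)
GOOD_POLICY_JSON = json.dumps(GOOD_POLICY, indent=2)
# Same statement without the audience condition: assertions the IdP issued
# for other service providers are no longer rejected by this policy
NO_AUDIENCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
                   "Action": "sts:AssumeRoleWithSAML"}],
}

if __name__ == "__main__":
    print(GOOD_POLICY_JSON)
    print("good:", audit_saml_trust_policy(GOOD_POLICY, {PROVIDER_ARN}))
    print("no audience:", audit_saml_trust_policy(NO_AUDIENCE_POLICY, {PROVIDER_ARN}))
```

Run it over every role whose trust policy mentions sts:AssumeRoleWithSAML (aws iam list-roles, then get-role) and treat any finding as a misconfiguration to fix, not just the provider's presence.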

CloudFormation (optional)

Deploy a SAML provider and associated role using CloudFormation:

AWSTemplateFormatVersion: '2010-09-09'
Description: SAML Identity Provider and Federated Role

Parameters:
  SAMLMetadataDocument:
    Type: String
    Description: The SAML metadata document XML content

Resources:
  SAMLProvider:
    Type: AWS::IAM::SAMLProvider
    Properties:
      Name: MyCompany-SSO
      SamlMetadataDocument: !Ref SAMLMetadataDocument
      Tags:
        - Key: Purpose
          Value: FederatedAuthentication

  SAMLFederatedRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SAML-Developers-Role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Ref SAMLProvider
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      Tags:
        - Key: Purpose
          Value: FederatedAccess

Outputs:
  SAMLProviderArn:
    Description: ARN of the SAML provider
    Value: !Ref SAMLProvider
  FederatedRoleArn:
    Description: ARN of the federated role
    Value: !GetAtt SAMLFederatedRole.Arn

Deploy the template, passing the metadata XML as the parameter value (keep the quotes around the command substitution so the XML's whitespace is passed intact):

aws cloudformation deploy \
--template-file saml-provider.yaml \
--stack-name saml-federation-stack \
--parameter-overrides SAMLMetadataDocument="$(cat saml-metadata.xml)" \
--capabilities CAPABILITY_NAMED_IAM \
--region us-east-1

Caveat: a CloudFormation parameter value is limited to 4,096 bytes, and IdP metadata that embeds an X.509 certificate often exceeds that. If the deployment is rejected on parameter size, put the XML directly into the SamlMetadataDocument property of the template instead of a parameter, or create the provider with the CLI or Terraform.

Terraform (optional)

Create a SAML provider and federated role using Terraform:

# Read the SAML metadata document from a local file
data "local_file" "saml_metadata" {
  filename = "${path.module}/saml-metadata.xml"
}

# Create the SAML identity provider
resource "aws_iam_saml_provider" "company_sso" {
  name                   = "MyCompany-SSO"
  saml_metadata_document = data.local_file.saml_metadata.content

  tags = {
    Purpose = "FederatedAuthentication"
  }
}

# Create a trust policy for SAML federation
data "aws_iam_policy_document" "saml_trust" {
  statement {
    effect = "Allow"

    principals {
      type        = "Federated"
      identifiers = [aws_iam_saml_provider.company_sso.arn]
    }

    actions = ["sts:AssumeRoleWithSAML"]

    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}

# Create the federated role
resource "aws_iam_role" "saml_developers" {
  name               = "SAML-Developers-Role"
  assume_role_policy = data.aws_iam_policy_document.saml_trust.json

  tags = {
    Purpose = "FederatedAccess"
  }
}

# Attach a managed policy to the role
resource "aws_iam_role_policy_attachment" "saml_developers_readonly" {
  role       = aws_iam_role.saml_developers.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

output "saml_provider_arn" {
  description = "ARN of the SAML provider"
  value       = aws_iam_saml_provider.company_sso.arn
}

output "federated_role_arn" {
  description = "ARN of the federated role"
  value       = aws_iam_role.saml_developers.arn
}

Verification

After creating the SAML provider, verify it exists:

  1. Go to IAM > Identity providers in the AWS Console
  2. Confirm your SAML provider is listed with the correct name
  3. Click on the provider, confirm the stored metadata is the document you uploaded (in particular that its signing certificate is the one your IdP currently uses), and note the Valid until date so you can upload fresh metadata before it lapses

CLI verification commands

List all SAML providers in your account:

aws iam list-saml-providers --region us-east-1

Expected output:

{
    "SAMLProviderList": [
        {
            "Arn": "arn:aws:iam::123456789012:saml-provider/MyCompany-SSO",
            "ValidUntil": "2025-06-05T22:45:14Z",
            "CreateDate": "2024-06-05T22:45:14Z"
        }
    ]
}

Get detailed information about a specific provider:

aws iam get-saml-provider \
--saml-provider-arn arn:aws:iam::123456789012:saml-provider/MyCompany-SSO \
--region us-east-1

Notes

  • Metadata expiration: SAML metadata documents have expiration dates, and IdPs rotate their signing certificates from time to time. Monitor the ValidUntil date and upload fresh metadata (aws iam update-saml-provider) before it expires or after a certificate rotation; otherwise federated sign-in stops working
  • Existence is not the whole story: This check only confirms that a provider is present. Also review the trust policy of every role that trusts it (the Federated principal and the SAML:aud condition) and the permissions attached to those roles, and make sure the stored metadata really is your IdP's
  • Multiple providers: You can have multiple SAML providers in one AWS account for different use cases or IdPs
  • Role mapping: Configure your IdP to send the https://aws.amazon.com/SAML/Attributes/Role attribute with one or more "role-arn,provider-arn" pairs, plus https://aws.amazon.com/SAML/Attributes/RoleSessionName, so users assume the correct role and CloudTrail records who assumed it
  • Session duration: By default, SAML federated sessions last 1 hour. You can raise the role's maximum session duration (up to 12 hours) in the IAM role settings; the IdP can request a shorter session with the https://aws.amazon.com/SAML/Attributes/SessionDuration attribute, never a longer one than the role allows
  • Consider AWS IAM Identity Center: For new implementations, AWS recommends IAM Identity Center (formerly AWS SSO) as it provides a simpler setup and better integration with AWS Organizations
  • Retire static credentials: Once SAML federation is working, plan to retire long-lived IAM access keys for interactive users to improve your security posture