Manage sign-in and attribute use for all identity source types
IAM Identity Center enables administrators to control AWS access portal use, to set session durations for users in the AWS access portal and your applications, and to use attributes for access control. These capabilities work with an Identity Center directory or external identity provider as your identity source.
Note
If you're using Active Directory as an identity source for IAM Identity Center, session management isn't supported.
Supported user and group attributes in IAM Identity Center
Attributes are pieces of information that help you define and identify individual user
or group objects, such as name
, email
, or
members
. IAM Identity Center supports most commonly used attributes regardless if they're
entered manually during user creation or when automatically provisioned using a
synchronization engine such as defined in the System for Cross-Domain Identity
Management (SCIM) specification. For more information about this specification, see
https://tools.ietf.org/html/rfc7642
Because IAM Identity Center supports SCIM for automatic provisioning use cases, the Identity Center directory supports all of the same user and group attributes that are listed in the SCIM specification, with a few exceptions. The following sections describe which attributes aren't supported by IAM Identity Center.
User objects
All attributes from the SCIM user schema (https://tools.ietf.org/html/rfc7643#section-8.3
-
password
-
ims
-
photos
-
entitlements
-
x509Certificates
All sub-attributes for users are supported, except for the following:
-
'display'
sub-attribute of any multi-valued attribute (For example,emails
orphoneNumbers
) -
'version'
sub-attribute of'meta'
attribute
Group objects
All attributes from the SCIM group schema (https://tools.ietf.org/html/rfc7643#section-8.4
All sub-attributes for groups are supported, except for the following:
-
'display'
sub-attribute of any multi-valued attribute (For example, members).