Manage sign-in and attribute use for all identity source types - AWS IAM Identity Center


IAM Identity Center enables administrators to control AWS access portal use, to set session durations for users in the AWS access portal and your applications, and to use attributes for access control. These capabilities work with an Identity Center directory or external identity provider as your identity source.

Note

If you're using Active Directory as an identity source for IAM Identity Center, session management isn't supported.

Supported user and group attributes in IAM Identity Center

Attributes are pieces of information that help you define and identify individual user or group objects, such as name, email, or members. IAM Identity Center supports most commonly used attributes, regardless of whether they're entered manually during user creation or provisioned automatically by a synchronization engine such as one defined in the System for Cross-Domain Identity Management (SCIM) specification. For more information about this specification, see https://tools.ietf.org/html/rfc7642. For more information about manual and automatic provisioning, see Provisioning when users come from an external IdP.

Because IAM Identity Center supports SCIM for automatic provisioning use cases, the Identity Center directory supports all of the same user and group attributes that are listed in the SCIM specification, with a few exceptions. The following sections describe which attributes aren't supported by IAM Identity Center.

User objects

All attributes from the SCIM user schema (https://tools.ietf.org/html/rfc7643#section-8.3) are supported in the IAM Identity Center identity store, except for the following:

  • password

  • ims

  • photos

  • entitlements

  • x509Certificates

All sub-attributes for users are supported, except for the following:

  • 'display' sub-attribute of any multi-valued attribute (for example, emails or phoneNumbers)

  • 'version' sub-attribute of 'meta' attribute

Group objects

All attributes from the SCIM group schema (https://tools.ietf.org/html/rfc7643#section-8.4) are supported.

All sub-attributes for groups are supported, except for the following:

  • 'display' sub-attribute of any multi-valued attribute (for example, members)
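The following is an added example, not code from AWS or this page: a pre-flight filter that a provisioning tool could run on a SCIM User or Group payload before sending it to the IAM Identity Center SCIM endpoint. It removes exactly the attributes and sub-attributes listed above as unsupported (for both the User objects and Group objects sections) and reports what it dropped, so unexpected fields from an upstream IdP can be logged instead of silently rejected. The sample payloads and function names are constructed for illustration.

```python
import copy

# User attributes the page lists as unsupported in the Identity Center identity store.
UNSUPPORTED_USER_ATTRIBUTES = {"password", "ims", "photos", "entitlements", "x509Certificates"}


def sanitize_scim_resource(resource, kind):
    """Return (cleaned_copy, removed_paths) for a SCIM resource of kind 'User' or 'Group'.

    The input is not modified; removed_paths lists each dropped attribute in SCIM path form
    so the caller can audit what the upstream IdP tried to send.
    """
    cleaned = copy.deepcopy(resource)
    removed = []
    if kind == "User":
        # Top-level user attributes that are not supported at all.
        for attr in sorted(UNSUPPORTED_USER_ATTRIBUTES):
            if attr in cleaned:
                del cleaned[attr]
                removed.append(attr)
        # The 'version' sub-attribute of 'meta' is unsupported for users.
        meta = cleaned.get("meta")
        if isinstance(meta, dict) and "version" in meta:
            del meta["version"]
            removed.append("meta.version")
    # For both users and groups, 'display' is unsupported on any multi-valued attribute
    # (emails, phoneNumbers, members, ...). Only dict-valued list items can carry it.
    for attr, value in cleaned.items():
        if isinstance(value, list):
            for i, item in enumerate(value):
                if isinstance(item, dict) and "display" in item:
                    del item["display"]
                    removed.append(f"{attr}[{i}].display")
    return cleaned, removed


# Constructed sample payloads (hypothetical values, not real credentials or identifiers).
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "password": "placeholder-not-a-real-secret",
    "emails": [{"value": "jdoe@example.com", "primary": True, "display": "Jane Doe"}],
    "phoneNumbers": [{"value": "+1-555-0100", "type": "work"}],
    "photos": [{"value": "https://example.com/jdoe.jpg", "type": "photo"}],
    "meta": {"resourceType": "User", "version": 'W/"1"'},
}
SAMPLE_GROUP = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName": "Admins",
    "members": [{"value": "user-id-placeholder", "display": "Jane Doe"}],
}
```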