Trusted token issuer configuration settings - AWS IAM Identity Center

The following sections describe the settings required to set up and use a trusted token issuer.

OIDC discovery endpoint URL (issuer URL)

When you add a trusted token issuer in the IAM Identity Center console, you must specify the OIDC discovery endpoint URL. The discovery endpoint is commonly identified by its well-known relative path, /.well-known/openid-configuration. In the IAM Identity Center console, this URL is called the issuer URL.

Note

Paste only the issuer part of the discovery endpoint URL, that is, everything up to but not including /.well-known/openid-configuration. If .well-known/openid-configuration is included in the URL, the trusted token issuer configuration won't work. IAM Identity Center doesn't validate this URL, so if it is malformed the trusted token issuer setup fails silently, without any error message.

The OIDC discovery endpoint URL must be reachable on port 80 or 443 only.

IAM Identity Center uses this URL to obtain additional information about the trusted token issuer, for example the information it needs (such as the location of the issuer's signing keys, the jwks_uri in the discovery document) to verify the tokens that the trusted token issuer generates. To find the URL, see the documentation for the OAuth 2.0 authorization server provider that you use to generate tokens for your application, or contact the provider directly for assistance.
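Because the console does not validate the issuer URL, it is worth checking the value before you paste it. The following script is an added example written for this page, not AWS code: it normalizes a pasted value into the form the console expects (issuer only, no /.well-known/openid-configuration suffix, no trailing slash, port 80 or 443 only) and then compares it with the discovery document's own "issuer" field, which OpenID Connect Discovery 1.0 requires to be identical to the issuer identifier. The issuer login.example.com and the discovery document below are constructed for the example; fetch_and_check is the live variant for a real endpoint.

```python
"""Pre-check for the issuer URL pasted into the IAM Identity Center console.

Added example for this page, not AWS code. The sample issuer and discovery
document are constructed; everything else is plain OpenID Connect Discovery.
"""
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/openid-configuration"


def normalize_issuer_url(url: str) -> str:
    """Return the URL in the form the console wants: issuer only, no trailing slash.

    Rejects values that cannot work: relative URLs, non-http(s) schemes,
    query strings or fragments, and ports other than 80/443 (the only ports
    IAM Identity Center reaches the discovery endpoint on).
    """
    url = url.strip().rstrip("/")
    if url.endswith(WELL_KNOWN):          # the common mistake: the suffix was pasted too
        url = url[: -len(WELL_KNOWN)]
    url = url.rstrip("/")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    if parts.query or parts.fragment:
        raise ValueError(f"issuer URL must not carry a query or fragment: {url!r}")
    if parts.port not in (None, 80, 443):
        raise ValueError(f"endpoint must be on port 80 or 443, got {parts.port}")
    return url


def is_valid_issuer_url(url: str) -> bool:
    """Boolean form of normalize_issuer_url for quick checks."""
    try:
        normalize_issuer_url(url)
        return True
    except ValueError:
        return False


def discovery_url(issuer_url: str) -> str:
    """The document IAM Identity Center will fetch for the value you paste."""
    return normalize_issuer_url(issuer_url) + WELL_KNOWN


def check_discovery_document(issuer_url: str, doc: dict) -> list[str]:
    """Return the problems found; an empty list means the pair is consistent."""
    issuer = normalize_issuer_url(issuer_url)
    problems = []
    declared = doc.get("issuer")
    # OIDC Discovery requires "issuer" to equal the issuer identifier; a trailing
    # slash is tolerated here, nothing else.
    if not isinstance(declared, str) or declared.rstrip("/") != issuer:
        problems.append(f"discovery document declares issuer {declared!r}, expected {issuer!r}")
    jwks_uri = doc.get("jwks_uri")
    if not isinstance(jwks_uri, str) or not jwks_uri.startswith("https://"):
        problems.append("discovery document has no https jwks_uri, so token signatures cannot be verified")
    return problems


def fetch_and_check(issuer_url: str, timeout: float = 5.0) -> list[str]:
    """Live variant: fetch the real discovery document and run the same checks."""
    with urlopen(discovery_url(issuer_url), timeout=timeout) as resp:
        doc = json.load(resp)
    return check_discovery_document(issuer_url, doc)


# Constructed sample discovery document for a hypothetical issuer.
SAMPLE_ISSUER = "https://login.example.com/oauth2"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    pasted = SAMPLE_ISSUER + WELL_KNOWN + "/"   # a typical wrong paste
    print("console value:", normalize_issuer_url(pasted))
    print("will fetch   :", discovery_url(pasted))
    print("problems     :", check_discovery_document(pasted, SAMPLE_DOC))
    print("wrong issuer :", check_discovery_document("https://other.example.com", SAMPLE_DOC))
```

Run it against your own provider with fetch_and_check("https://your-issuer"); a non-empty list means the value you were about to paste would fail silently in the console.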

Attribute mapping

Attribute mappings let IAM Identity Center match the user represented in a token issued by a trusted token issuer to exactly one user in IAM Identity Center. You must specify the attribute mapping when you add the trusted token issuer to IAM Identity Center. The mapping names a claim in the token that the trusted token issuer generates and one attribute in the IAM Identity Center identity store. The value of that claim is used to search the identity store for a single user, and that user is then used as the user within AWS. The claim that you choose must be mapped to one attribute from a fixed list of identity store attributes: user name, email, or external ID. The value of the attribute that you choose must be unique for each user in IAM Identity Center; otherwise the search can't resolve the claim to a single user.

Aud claim

An aud claim identifies the audience (the recipients) for which a token is intended. When the application requesting access authenticates through an identity provider that is not federated to IAM Identity Center, that identity provider must be set up as a trusted token issuer, and the application that receives the access request (the receiving application) must exchange the token generated by the trusted token issuer for a token generated by IAM Identity Center. The aud claim values that you configure must match the receiving application's audience as it is registered in the trusted token issuer, so that tokens issued for other audiences are not exchanged.

For information about how to obtain the aud claim values for the receiving application as they are registered in the trusted token issuer, see the documentation for your trusted token issuer or contact the trusted token issuer administrator for assistance.
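To make the attribute-mapping and aud-claim requirements above concrete, here is an added example (written for this page, not AWS code) that dry-runs the checks that stand between a trusted token issuer's JWT and an IAM Identity Center token: issuer and expiry, then audience, then mapping one claim to exactly one identity-store user. The users, claim names, audience value and decoded token payload are constructed; the attribute paths "userName", "emails.value" and "externalIds.value" are this example's own names for the three console choices (user name, email, external ID). Signature verification against the issuer's keys is assumed to have happened already and is not shown.

```python
"""Dry run of the audience and attribute-mapping checks for a trusted-token-issuer JWT.

Added example for this page, not AWS code. Users, claims and the token payload
below are constructed; the attribute path names are this example's own.
"""
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class IdentityStoreUser:
    user_id: str
    user_name: str
    emails: list[str] = field(default_factory=list)
    external_ids: list[str] = field(default_factory=list)


# Constructed identity-store contents. carol and carol.k share an email on
# purpose: a mapping on email cannot resolve either of them to a single user.
USERS = [
    IdentityStoreUser("u-0001", "alice", ["alice@example.com"], ["ext-1001"]),
    IdentityStoreUser("u-0002", "bob", ["bob@example.com"], ["ext-1002"]),
    IdentityStoreUser("u-0003", "carol", ["shared@example.com"], ["ext-1003"]),
    IdentityStoreUser("u-0004", "carol.k", ["shared@example.com"], ["ext-1004"]),
]

# The three attributes the console lets you map to (names are this example's).
ATTRIBUTE_VALUES: dict[str, Callable[[IdentityStoreUser], list[str]]] = {
    "userName": lambda u: [u.user_name],
    "emails.value": lambda u: u.emails,
    "externalIds.value": lambda u: u.external_ids,
}


class TokenExchangeError(Exception):
    """Raised when the token cannot be exchanged for an IAM Identity Center token."""


def audience_ok(claims: dict, expected_aud: str) -> bool:
    """aud may be a single string or a list of strings (RFC 7519 section 4.1.3)."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    return isinstance(aud, list) and expected_aud in aud


def count_matches(value: str, attribute: str, users: list[IdentityStoreUser]) -> int:
    """How many identity-store users carry this value in the mapped attribute."""
    return sum(1 for u in users if value in ATTRIBUTE_VALUES[attribute](u))


def resolve_user(claims: dict, claim_name: str, attribute: str,
                 users: list[IdentityStoreUser]) -> IdentityStoreUser:
    """Map one token claim to exactly one identity-store user, or fail."""
    if claim_name not in claims:
        raise TokenExchangeError(f"token has no {claim_name!r} claim")
    value = claims[claim_name]
    matches = [u for u in users if value in ATTRIBUTE_VALUES[attribute](u)]
    if len(matches) != 1:   # zero or duplicates: the attribute was not unique
        raise TokenExchangeError(
            f"{attribute}={value!r} matched {len(matches)} users; exactly one is required")
    return matches[0]


def check_token_for_exchange(claims: dict, *, issuer_url: str, expected_aud: str,
                             claim_name: str, attribute: str,
                             users: list[IdentityStoreUser] = USERS) -> IdentityStoreUser:
    """Reject foreign, expired or wrong-audience tokens before searching the identity store."""
    if claims.get("iss") != issuer_url:
        raise TokenExchangeError(f"iss {claims.get('iss')!r} is not the trusted token issuer")
    if claims.get("exp", 0) <= time.time():
        raise TokenExchangeError("token expired")
    if not audience_ok(claims, expected_aud):
        raise TokenExchangeError(f"aud {claims.get('aud')!r} does not include {expected_aud!r}")
    return resolve_user(claims, claim_name, attribute, users)


# Constructed decoded JWT payload as the trusted token issuer might mint it.
ISSUER_URL = "https://login.example.com/oauth2"
RECEIVING_APP_AUD = "api://data-portal"   # audience registered for the receiving application
SAMPLE_CLAIMS = {
    "iss": ISSUER_URL,
    "sub": "alice",
    "aud": [RECEIVING_APP_AUD, "api://other-app"],
    "email": "alice@example.com",
    "exp": 4102444800,   # 2100-01-01, so the sample stays valid
}

if __name__ == "__main__":
    user = check_token_for_exchange(SAMPLE_CLAIMS, issuer_url=ISSUER_URL,
                                    expected_aud=RECEIVING_APP_AUD,
                                    claim_name="email", attribute="emails.value")
    print("mapped to", user.user_id, user.user_name)
    for bad in ({**SAMPLE_CLAIMS, "email": "shared@example.com"},   # duplicate email
                {**SAMPLE_CLAIMS, "aud": "api://other-app"}):        # wrong audience
        try:
            check_token_for_exchange(bad, issuer_url=ISSUER_URL, expected_aud=RECEIVING_APP_AUD,
                                     claim_name="email", attribute="emails.value")
        except TokenExchangeError as err:
            print("rejected:", err)
```

The two rejected cases in the main block are the ones this page warns about: an attribute value that is not unique in the identity store, and a token whose aud does not name the receiving application. Mapping on external ID instead of email (attribute="externalIds.value" with the matching claim) is how you avoid the first when users legitimately share a mailbox.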