选择您的 Cookie 首选项

我们使用必要 Cookie 和类似工具提供我们的网站和服务。我们使用性能 Cookie 收集匿名统计数据,以便我们可以了解客户如何使用我们的网站并进行改进。必要 Cookie 无法停用,但您可以单击“自定义”或“拒绝”来拒绝性能 Cookie。

如果您同意,AWS 和经批准的第三方还将使用 Cookie 提供有用的网站功能、记住您的首选项并显示相关内容,包括相关广告。要接受或拒绝所有非必要 Cookie,请单击“接受”或“拒绝”。要做出更详细的选择,请单击“自定义”。

首选项
联系我们
反馈
AWS Documentation
创建 AWS 账户

AWS::IAM::SAMLProvider

RSS
聚焦模式
AWS::IAM::SAMLProvider - AWS CloudFormation
SyntaxPropertiesReturn values
此页面尚未翻译为您的语言。 请求翻译
筛选器视图

Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.

The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS.

When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. That document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that the IdP sends. You must generate the metadata document using the identity management software that is used as your organization's IdP.

Note

This operation requires Signature Version 4.

For more information, see Enabling SAML 2.0 federated users to access the AWS Management Console and About SAML 2.0-based federation in the IAM User Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::IAM::SAMLProvider",
  "Properties" : {
      "AddPrivateKey" : String,
      "AssertionEncryptionMode" : String,
      "Name" : String,
      "PrivateKeyList" : [ SAMLPrivateKey, ... ],
      "RemovePrivateKey" : String,
      "SamlMetadataDocument" : String,
      "Tags" : [ Tag, ... ]
    }
}

YAML

Type: AWS::IAM::SAMLProvider
Properties:
  AddPrivateKey: String
  AssertionEncryptionMode: String
  Name: String
  PrivateKeyList: 
    - SAMLPrivateKey
  RemovePrivateKey: String
  SamlMetadataDocument: String
  Tags: 
    - Tag

Properties

AddPrivateKey

Specifies the new private key from your external identity provider. The private key must be a .pem file that uses AES-GCM or AES-CBC encryption algorithm to decrypt SAML assertions.

Required: No

Type: String

Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+

Minimum: 1

Maximum: 16384

Update requires: Replacement

AssertionEncryptionMode

Specifies the encryption setting for the SAML provider.

Required: No

Type: String

Allowed values: Allowed | Required

Update requires: No interruption

Name

The name of the provider to create.

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Required: No

Type: String

Pattern: [\w._-]+

Minimum: 1

Maximum: 128

Update requires: Replacement

PrivateKeyList

The private key metadata for the SAML provider.

Required: No

Type: Array of SAMLPrivateKey

Maximum: 2

Update requires: No interruption

RemovePrivateKey

The Key ID of the private key to remove.

Required: No

Type: String

Pattern: [A-Z0-9]+

Minimum: 22

Maximum: 64

Update requires: Replacement

SamlMetadataDocument

An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.

For more information, see About SAML 2.0-based federation in the IAM User Guide

Required: No

Type: String

Minimum: 1000

Maximum: 10000000

Update requires: No interruption

Tags

A list of tags that you want to attach to the new IAM SAML provider. Each tag consists of a key name and an associated value. For more information about tagging, see Tagging IAM resources in the IAM User Guide.

Note

If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.

Required: No

Type: Array of Tag

Maximum: 50

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ARN.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

Returns the Amazon Resource Name (ARN) for the specified AWS::IAM::SAMLProvider resource.

SamlProviderUUID

The unique identifier assigned to the SAML provider.

本页内容

隐私网站条款Cookie 首选项
© 2025, Amazon Web Services, Inc. 或其附属公司。保留所有权利。