選取您的 Cookie 偏好設定

我們使用提供自身網站和服務所需的基本 Cookie 和類似工具。我們使用效能 Cookie 收集匿名統計資料,以便了解客戶如何使用我們的網站並進行改進。基本 Cookie 無法停用,但可以按一下「自訂」或「拒絕」以拒絕效能 Cookie。

如果您同意,AWS 與經核准的第三方也會使用 Cookie 提供實用的網站功能、記住您的偏好設定,並顯示相關內容,包括相關廣告。若要接受或拒絕所有非必要 Cookie,請按一下「接受」或「拒絕」。若要進行更詳細的選擇,請按一下「自訂」。

偏好設定
聯絡我們
意見回饋
AWS Documentation
建立 AWS 帳戶

CreateSAMLProvider

PDF
焦點模式
CreateSAMLProvider - AWS Identity and Access Management
Request ParametersResponse ElementsErrorsExamplesSee Also
此頁面尚未翻譯為您的語言。 請求翻譯

Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.

The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS.

When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. That document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that the IdP sends. You must generate the metadata document using the identity management software that is used as your organization's IdP.

Note

This operation requires Signature Version 4.

For more information, see Enabling SAML 2.0 federated users to access the AWS Management Console and About SAML 2.0-based federation in the IAM User Guide.

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

AddPrivateKey

The private key generated from your external identity provider. The private key must be a .pem file that uses AES-GCM or AES-CBC encryption algorithm to decrypt SAML assertions.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 16384.

Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+

Required: No

AssertionEncryptionMode

Specifies the encryption setting for the SAML provider.

Type: String

Valid Values: Required | Allowed

Required: No

Name

The name of the provider to create.

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: [\w._-]+

Required: Yes

SAMLMetadataDocument

An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.

For more information, see About SAML 2.0-based federation in the IAM User Guide

Type: String

Length Constraints: Minimum length of 1000. Maximum length of 10000000.

Required: Yes

Tags.member.N

A list of tags that you want to attach to the new IAM SAML provider. Each tag consists of a key name and an associated value. For more information about tagging, see Tagging IAM resources in the IAM User Guide.

Note

If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.

Type: Array of Tag objects

Array Members: Maximum number of 50 items.

Required: No

Response Elements

The following elements are returned by the service.

SAMLProviderArn

The Amazon Resource Name (ARN) of the new SAML provider resource in IAM.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Tags.member.N

A list of tags that are attached to the new IAM SAML provider. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide.

Type: Array of Tag objects

Array Members: Maximum number of 50 items.

Errors

For information about the errors that are common to all actions, see Common Errors.

ConcurrentModification

The request was rejected because multiple requests to change this object were submitted simultaneously. Wait a few minutes and submit your request again.

HTTP Status Code: 409

EntityAlreadyExists

The request was rejected because it attempted to create a resource that already exists.

HTTP Status Code: 409

InvalidInput

The request was rejected because an invalid or out-of-range value was supplied for an input parameter.

HTTP Status Code: 400

LimitExceeded

The request was rejected because it attempted to create resources beyond the current AWS account limits. The error message describes the limit exceeded.

HTTP Status Code: 409

ServiceFailure

The request processing has failed because of an unknown error, exception or failure.

HTTP Status Code: 500

Examples

Example

This example illustrates one usage of CreateSAMLProvider.

Sample Request

https://iam.amazonaws.com/?Action=CreateSAMLProvider
&AddPrivateKey=HOIiDq6o3PFd9tkdrzgCG41zJu2tdWEwPQwrzb+ettT+pwWfwBoSr6WnuSEropxeBn+gN/AuX24cRG0HjsUP2dcs
&AssertionEncryptionMode=Required
&Name=MyUniversity
&SAMLProviderDocument=VGhpcyBpcyB3aGVyZSB5b3UgcHV0IHRoZSBTQU1MIHByb3ZpZGVyIG1ldGFkYXRhIGRvY3VtZW50
LCBCYXNlNjQtZW5jb2RlZCBpbnRvIGEgYmlnIHN0cmluZy4=
&Version=2010-05-08
&AUTHPARAMS

Sample Response

<CreateSAMLProviderResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <CreateSAMLProviderResult>
    <SAMLProviderArn>arn:aws:iam::123456789012:saml-provider/MyUniversity</SAMLProviderArn>
  </CreateSAMLProviderResult>
  <ResponseMetadata>
    <RequestId>29f47818-99f5-11e1-a4c3-27EXAMPLE804</RequestId>
  </ResponseMetadata>
</CreateSAMLProviderResponse>

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

在本頁面

隱私權網站條款Cookie 偏好設定
© 2025, Amazon Web Services, Inc.或其附屬公司。保留所有權利。