From 1951b55fa6f83a569f84ee9879dae69c73926433 Mon Sep 17 00:00:00 2001 From: dewi-tik Date: Fri, 31 Oct 2025 14:29:10 +0000 Subject: [PATCH 1/7] WIP --- .../cloud-providers/aws/index.mdx | 335 ++++++++++++------ 1 file changed, 223 insertions(+), 112 deletions(-) diff --git a/website/integrations/cloud-providers/aws/index.mdx b/website/integrations/cloud-providers/aws/index.mdx index 7276cc75a0d1..f7a5edf3ef8a 100644 --- a/website/integrations/cloud-providers/aws/index.mdx +++ b/website/integrations/cloud-providers/aws/index.mdx 
@@ -4,201 +4,312 @@ sidebar_label: Amazon Web Services support_level: authentik --- +import TabItem from "@theme/TabItem"; +import Tabs from "@theme/Tabs"; + ## What is AWS -> Amazon Web Services (AWS) is the world's most comprehensive and broadly adopted cloud, with more than 200 fully featured services available from data centers globally. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, increase security, become more agile, and innovate faster. +> AWS, or Amazon Web Services, is a comprehensive cloud computing platform. It provides a wide array of on-demand IT services like computing power, storage, and databases, allowing businesses to build and run applications, and manage infrastructure through the internet. > -> -- https://www.aboutamazon.com/what-we-do/amazon-web-services +> -- https://aws.amazon.com/what-is-aws ## Preparation The following placeholders are used in this guide: - `authentik.company` is the FQDN of the authentik installation. -- `123412341234` is your AWS account ID. -:::info +:::note This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -import TabItem from "@theme/TabItem"; -import Tabs from "@theme/Tabs"; +## Configration methods + +There are several methods to integrate authentik with AWS. Below are the steps to configure each method. - - +:::note +IAM Identity Center needs a user pre-provisioned manually or via SCIM. +::: -### Prerequisites +:::note +SCIM Provisioning is only possible in conjunction with IAM Identity Center, not Classic IAM. 
+::: -- An AWS account with permissions to create IAM roles and identity providers -- An authentik instance with administrator access + + -### authentik configuration +## authentik configuration -To support the integration of AWS with authentik using the classic IAM method, you need to create an application/provider pair and property mappings in authentik. +To support the integration of AWS with authentik via the Classic IAM method, you need to create two property mappings and an application/provider pair in authentik. -#### Create property mappings +### Create property mappings 1. Log in to authentik as an administrator and open the authentik Admin interface. -2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create two **SAML Provider Property Mapping**s with the following settings: - - **Role Mapping:** - - **Name**: Choose a descriptive name - - **SAML Attribute Name**: `https://aws.amazon.com/SAML/Attributes/Role` - - **Friendly Name**: Leave blank - - **Expression**: Choose one of these options: +2. Navigate to **Customization** > **Property Mappings**, click **Create**, select **SAML Provider Property Mappings**, and click **Next**. +3. 
Configure the first mapping for the user's _role assignment_: + - **Name**: provide a descriptive name + - **SAML Attribute Name**: `https://aws.amazon.com/SAML/Attributes/Role` + - **Friendly Name**: Leave blank + - **Expression**: Choose one of these options: For a static role: ```python - return "arn:aws:iam::123412341234:role/saml_role,arn:aws:iam::123412341234:saml-provider/authentik" + return "arn:aws:iam:::role/saml_role,arn:aws:iam:::saml-provider/authentik" ``` For role assignment based on group membership: ```python role_name = user.group_attributes().get("aws_role", "") - return f"arn:aws:iam::123412341234:role/{role_name},arn:aws:iam::123412341234:saml-provider/authentik" + return f"arn:aws:iam:::role/{role_name},arn:aws:iam:::saml-provider/authentik" ``` - For multiple role choices: + For multiple roles: ```python return [ - "arn:aws:iam::123412341234:role/role_a,arn:aws:iam::123412341234:saml-provider/authentik", - "arn:aws:iam::123412341234:role/role_b,arn:aws:iam::123412341234:saml-provider/authentik", - "arn:aws:iam::123412341234:role/role_c,arn:aws:iam::123412341234:saml-provider/authentik", + "arn:aws:iam:::role/role_a,arn:aws:iam:::saml-provider/authentik", + "arn:aws:iam:::role/role_b,arn:aws:iam:::saml-provider/authentik", + "arn:aws:iam:::role/role_c,arn:aws:iam:::saml-provider/authentik", ] ``` - - **Session Name Mapping:** - - **Name**: Choose a descriptive name - - **SAML Attribute Name**: `https://aws.amazon.com/SAML/Attributes/RoleSessionName` - - **Friendly Name**: Leave blank - - **Expression**: `return user.username` +4. Click **Finish** to save. Then, repeat the process to create a mapping for the user's _session name_: + - **Name**: provide a descriptive name + - **SAML Attribute Name**: `https://aws.amazon.com/SAML/Attributes/RoleSessionName` + - **Friendly Name**: Leave blank + - **Expression**: `return user.username` + +5. Click **Finish**. 
-#### Create an application and provider in authentik +### Create an application and provider in authentik 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) - -- **Application**: provide a descriptive name (e.g. "AWS"), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier. -- **Choose a Provider type**: select **SAML Provider** as the provider type. -- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings: - - Set the **ACS URL** to `https://signin.aws.amazon.com/saml` - - Set the **Audience** to `urn:amazon:webservices` - - Under **Advanced protocol settings**, add both property mappings you created in the previous section -- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + - **Application**: provide a descriptive name (e.g. "AWS"), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier. + - **Choose a Provider type**: select **SAML Provider** as the provider type. 
+ - **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings: + - Set the **ACS URL** to `https://signin.aws.amazon.com/saml` + - Set the **Audience** to `urn:amazon:webservices` + - Under **Advanced protocol settings**, add both property mappings you created in the previous section + - NAME ID EDIT + - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 3. Click **Submit** to save the new application and provider. -4. Download the **Metadata file** from the provider's page. -### AWS configuration +:::note +The NameID field of type email is matched in AWS against the AWS username attribute, not the email attribute. +::: + +### Download metadata file + +1. Log into authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Providers** and click on the name of the newly created AWS provider. +3. Under **Related objects** > **Metadata**, click **Download**. This metadata file will be required in the next section. + +## AWS configuration -1. Log in to the AWS Management Console as an administrator -2. Create an IAM role with the desired permissions and note the ARN -3. Navigate to [IAM Identity Providers](https://console.aws.amazon.com/iam/home#/providers) +1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers. +2. Create an IAM role with the desired permissions and note the ARN. +3. Navigate to [IAM Identity Providers](https://console.aws.amazon.com/iam/home#/providers). 4. Click **Create Provider** and configure: - - Select **SAML** as the provider type - - Upload the metadata file from authentik -5. Add the property mappings to the SAML Provider -6. Create an application and assign the appropriate policies -7. 
Connect the provider to your application + - Select **SAML** as the provider type. + - Upload the metadata file from authentik. +5. Add the property mappings to the SAML Provider. +6. Create an application and assign the appropriate policies. +7. Connect the provider to your application. - -### Prerequisites + + +## Prerequisites - An AWS account with IAM Identity Center enabled -- An authentik instance with administrator access -- A certificate for signing SAML assertions (you can use authentik's default or provide your own) -### authentik configuration +## Download AWS service Provider metadata file + +1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers. +2. Navigate to **IAM Identity Center** > **Settings** > **Identity Source**. +3. Click **Actions > Change identity source**. +4. Select **External Identity Provider**. +5. Click **Download metadata file** to download the **Service provider metadata** file. This file will be required in the next section. +6. Take note of the **AWS access portal sign-in URL**. This value will be required in the next section. -To support the integration of AWS with authentik using IAM Identity Center, you need to create an application/provider pair in authentik. +## authentik configuration -#### Create an application and provider in authentik +To support the integration of AWS with authentik using SAML, you need to create an application/provider pair in authentik. + +### Create an application and provider in authentik 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) + - **Application**: provide a descriptive name (e.g. 
`AWS Identity Center`), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier. + - Under **UI Settings**, set the **Launch URL** to the **AWS access portal sign-in URL** copied from AWS. + - **Choose a Provider type**: select **SAML Provider from metadata** as the provider type. + - **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings: + - Upload the **Service Provider metadata** file from AWS. + - Set **Issuer** to the FQDN of your authentik deployment (e.g. `https://authentik.company`). + - Set **Service Provider Binding** to `Post`. + - Under **Advanced Protocol Settings**: + - Set an available signing certificate. + - Set **NameID Property Mapping** to `authentik default SAML Mapping: Email`. + - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. + +:::note +The NameID field of type email is matched in AWS against the AWS username attribute, not the email attribute. +::: + +### Download metadata file and signing certificate + +1. Log into authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Providers** and click on the name of the newly created AWS provider. +3. Under **Related objects** > **Metadata**, click **Download**. This metadata file will be required in the next section. +4. Under **Related objects** > **Download signing certificate**, click **Download**. This signing certificate will be required in the next section. + +## AWS configuration + +1. 
Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers. +2. Navigate to **IAM Identity Center** > **Settings** > **Identity Source**. +3. Click **Actions** > **Change identity source**. +4. Select **External Identity Provider**. +5. Under **Identity provider metadata** > **IdP SAML metadata**, click **Choose file**, and then upload your authentik metadata file. +6. Under **Identity provider metadata** > **IdP certificate**, click **Choose file**, and then upload your authentik signing certificate. +7. Click **Next**. +8. (todo) + + -- **Application**: provide a descriptive name (e.g. "AWS Identity Center"), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier. -- **Choose a Provider type**: select **SAML Provider from metadata** as the provider type. -- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings: - - Upload the metadata file from AWS (obtained in AWS Configuration steps) - - Copy the **Issuer URL** to the **Audience** field - - Under **Advanced protocol settings**, select an available **Signing certificate**. -- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + + +## Prerequisites + +- An AWS account with IAM Identity Center enabled + +:::info AWS OIDC limitations +AWS does not support direct OIDC login for the AWS Management Console. + +OIDC in AWS is mainly used for federated access to AWS resources and programmatic access, such as: + + - Machine-to-machine authentication (CI/CD pipelines, automated scripts, etc.) 
+ - Web applications requesting temporary AWS credentials via OIDC tokens + - Service account integrations in Kubernetes clusters (like EKS OIDC provider) + +::: + +## authentik configuration + +To support the integration of AWS with authentik using OIDC, you need to create an application/provider pair in authentik. + +### Create an application and provider in authentik + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) + - **Application**: provide a descriptive name (e.g., `AWS-OIDC`), an optional group for the type of application, the policy engine mode, and optional UI settings. + - **Choose a Provider type**: Select OAuth2/OpenID Provider as the provider type. + - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. + - Set a `Strict` redirect URI to match the AWS resource that you want to access via OIDC. + - Select any available signing key. + - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 3. Click **Submit** to save the new application and provider. -4. Under **Related Objects**, download both: - - The **Metadata file** - - The **Signing Certificate** -### AWS configuration +## AWS configuration -1. Navigate to **IAM Identity Center > Settings > Identity Source** -2. Click **Actions > Change identity source** -3. Select **External Identity Provider** -4. 
Download the **Service Provider metadata** file -5. Upload authentik's metadata file and signing certificate -6. Under **Actions > Manage Authentication**, note the AWS access portal sign-in URL -7. Update your authentik application's **Start URL** to match the AWS portal URL. +1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers. +2. Open the [IAM Console](https://console.aws.amazon.com/iam/) and in the left sidebar under **Access Management**, click **Identity providers**. +3. Click **Add provider** and configure the following fields: + - **Provider type**: `OpenID Connect` + - **Provider URL**: `https://authentik.company/application/o//` + - **Audience**: set to the Client ID from authentik +4. Click **Add provider** +5. On the **Identity providers** page, click on the name of the provider that you just added. +6. Click **Assign role** and either create a new role or select an existing role. This will determine the AWS permissions of any user authenticated via OIDC. - -### Prerequisites + + +## Prerequisites + +- Completed IAM Identity Center (SAML) setup. + +## Enable automatic provisioning in AWS -- Completed either Classic IAM or IAM Identity Center setup -- AWS Identity Center enabled with administrator access -- authentik instance with administrator access +1. Log in to the AWS Management Console as an administrator that has permissions to modify identity sources. +2. Navigate to **IAM Identity Center** > **Settings** > **Identity Source**. +3. In the **Automatic provisioning** info box, click **Enable**. + Alternatively if automatic provisioning is already enabled, under **Identity source** click **Action** > **Manage provisioning**. +4. Take note of the **SCIM endpoint** and **Access token**. These values will be required in authentik. 
-### authentik configuration +## authentik configuration -To support the integration of AWS with authentik using SCIM, you need to create a SCIM provider and custom mapping in authentik. +To support the integration of AWS with authentik using SCIM, you need to create two property mappings and a SCIM provider in authentik. -#### Create property mappings +### Create property mappings 1. Log in to authentik as an administrator and open the authentik Admin interface. -2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SCIM Mapping** with the following settings: - - **Name**: Choose a name lexically lower than `authentik default` (e.g. `AWS SCIM User mapping`) +2. Navigate to **Customization** > **Property Mappings**, click **Create**, select **SCIM Mapping**, and click **Next**. +3. Configure the first _user mapping_ property mapping: + - **Name**: Provide a name lexically lower than `authentik default` (e.g. `AWS SCIM User mapping`). + - **Expression**: + ```python + # This expression strips the default mapping from its 'photos' attribute, + # which is a forbidden property in AWS IAM. + return { + "photos": None, + } + ``` +4. Click **Finish** to save. Then, repeat the process to create a mapping for the user's _username_: + - **Name**: Provide a descriptive name (e.g. `AWS SCIM Username`). - **Expression**: - ```python - # This expression strips the default mapping from its 'photos' attribute, - # which is a forbidden property in AWS IAM. - return { - "photos": None, - } - ``` + ```python + # This expression maps the authentik email address attribute to the AWS username attribute. + return { + "username": request.user.email, + } + ``` + +5. Click **Finish**. -#### Create a SCIM provider in authentik +### Configure a SCIM provider in authentik 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Providers** > **Providers** and click **Create**. 3. 
Select **SCIM Provider** as the provider type. 4. Configure the provider with the following settings: - - Set a descriptive name - - Set **URL** to the AWS SCIM Endpoint - - Set **Token** to the AWS Access Token - - Configure user filtering as needed -5. Under **User Property Mappings**, add: - - The default mapping - - Your custom mapping -6. Add the SCIM provider to your AWS application's **Backchannel providers** - -### AWS configuration - -1. In AWS Identity Center **Settings**, locate the **Automatic Provisioning** information box -2. Click **Enable** -3. Note the provided **SCIM Endpoint** and **Access Token** - -The SCIM provider will automatically sync when users, groups, or memberships change. You can manually sync from the provider page. + - Set a descriptive name. + - Under **Protocol Settings**: + - Set **URL** to the **AWS SCIM Endpoint**. + - Set **Token** to the **AWS Access Token**. + - Set **Compatability Mode** to `AWS`. + - Optionally, if you want to test provisioning and not write any changes to AWS, enable the **Dry run mode**. + - Configure user filtering as needed. + - Under **User Property Mappings**, add the default mapping and your custom mappings. +5. Click **Finish** +6. Navigate to **Applications > Applications** and clikc the edit icon of your AWS application. +7. Set **Backchannel providers** to the AWS SCIM provider that you just created. +8. Click **Update**. + +The SCIM provider will automatically sync when users, groups, or memberships change. You can manually sync from SCIM provider page. 
## Additional Resources -- [AWS IAM SAML Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) -- [AWS IAM Identity Center Documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) -- [AWS SCIM Documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/scim-profile.html) +- [AWS Docs - Create a SAML identity provider in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) +- [AWS Docs - Create an OpenID Connect (OIDC) identity provider in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) +- [AWS Docs - What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) +- [AWS Docs - Provisioning an external identity provider into IAM Identity Center using SCIM](https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-automatically.html) From 3f8c0d4f18c1f61ade51e1775205f070db60a55e Mon Sep 17 00:00:00 2001 From: dewi-tik Date: Fri, 31 Oct 2025 14:49:21 +0000 Subject: [PATCH 2/7] WIP --- website/integrations/cloud-providers/aws/index.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/integrations/cloud-providers/aws/index.mdx b/website/integrations/cloud-providers/aws/index.mdx index f7a5edf3ef8a..59d33634752b 100644 --- a/website/integrations/cloud-providers/aws/index.mdx +++ b/website/integrations/cloud-providers/aws/index.mdx @@ -23,7 +23,7 @@ The following placeholders are used in this guide: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -## Configration methods +## Configuration methods There are several methods to integrate authentik with AWS. Below are the steps to configure each method. 
@@ -218,7 +218,7 @@ To support the integration of AWS with authentik using OIDC, you need to create - **Application**: provide a descriptive name (e.g., `AWS-OIDC`), an optional group for the type of application, the policy engine mode, and optional UI settings. - **Choose a Provider type**: Select OAuth2/OpenID Provider as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. + - Note the **Client ID** and **slug** values because they will be required later. - Set a `Strict` redirect URI to match the AWS resource that you want to access via OIDC. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. @@ -293,7 +293,7 @@ To support the integration of AWS with authentik using SCIM, you need to create - Under **Protocol Settings**: - Set **URL** to the **AWS SCIM Endpoint**. - Set **Token** to the **AWS Access Token**. - - Set **Compatability Mode** to `AWS`. + - Set **Compatibility Mode** to `AWS`. - Optionally, if you want to test provisioning and not write any changes to AWS, enable the **Dry run mode**. - Configure user filtering as needed. - Under **User Property Mappings**, add the default mapping and your custom mappings. From 9a1092de056d31f6328f44eed7459504972824e6 Mon Sep 17 00:00:00 2001 
From: dewi-tik Date: Fri, 31 Oct 2025 14:59:16 +0000 Subject: [PATCH 3/7] WIP --- .../cloud-providers/aws-classic/index.mdx | 179 +++++++++++++++++ .../cloud-providers/aws/index.mdx | 182 ++---------------- 2 files changed, 195 insertions(+), 166 deletions(-) create mode 100644 website/integrations/cloud-providers/aws-classic/index.mdx diff --git a/website/integrations/cloud-providers/aws-classic/index.mdx b/website/integrations/cloud-providers/aws-classic/index.mdx new file mode 100644 index 000000000000..0427b3818649 --- /dev/null +++ b/website/integrations/cloud-providers/aws-classic/index.mdx 
@@ -0,0 +1,179 @@ +--- +title: Integrate with Amazon Web Services (Classic IAM) +sidebar_label: Amazon Web Services (Classic IAM) +support_level: authentik +--- + +import TabItem from "@theme/TabItem"; +import Tabs from "@theme/Tabs"; + +## What is AWS + +> AWS, or Amazon Web Services, is a comprehensive cloud computing platform. It provides a wide array of on-demand IT services like computing power, storage, and databases, allowing businesses to build and run applications, and manage infrastructure through the internet. +> +> -- https://aws.amazon.com/what-is-aws + +## Preparation + +The following placeholders are used in this guide: + +- `authentik.company` is the FQDN of the authentik installation. + +:::note +This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. +::: + +## Configuration methods + +There are several methods to integrate authentik with AWS. Below are the steps to configure each method. + +:::note +SCIM Provisioning is only possible in conjunction with [IAM Identity Center](../aws/index.mdx), not Classic IAM. +::: + + + + +## authentik configuration + +To support the integration of AWS with authentik via the Classic IAM method, you need to create two property mappings and an application/provider pair in authentik. + +### Create property mappings + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Customization** > **Property Mappings**, click **Create**, select **SAML Provider Property Mappings**, and click **Next**. +3. 
Configure the first mapping for the user's _role assignment_: + - **Name**: provide a descriptive name + - **SAML Attribute Name**: `https://aws.amazon.com/SAML/Attributes/Role` + - **Friendly Name**: Leave blank + - **Expression**: Choose one of these options: + + For a static role: + + ```python + return "arn:aws:iam:::role/saml_role,arn:aws:iam:::saml-provider/authentik" + ``` + + For role assignment based on group membership: + + ```python + role_name = user.group_attributes().get("aws_role", "") + return f"arn:aws:iam:::role/{role_name},arn:aws:iam:::saml-provider/authentik" + ``` + + For multiple roles: + + ```python + return [ + "arn:aws:iam:::role/role_a,arn:aws:iam:::saml-provider/authentik", + "arn:aws:iam:::role/role_b,arn:aws:iam:::saml-provider/authentik", + "arn:aws:iam:::role/role_c,arn:aws:iam:::saml-provider/authentik", + ] + ``` + +4. Click **Finish** to save. Then, repeat the process to create a mapping for the user's _session name_: + - **Name**: provide a descriptive name + - **SAML Attribute Name**: `https://aws.amazon.com/SAML/Attributes/RoleSessionName` + - **Friendly Name**: Leave blank + - **Expression**: `return user.username` + +5. Click **Finish**. + +### Create an application and provider in authentik + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) + - **Application**: provide a descriptive name (e.g. "AWS"), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier. + - **Choose a Provider type**: select **SAML Provider** as the provider type. 
+ - **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings: + - Set the **ACS URL** to `https://signin.aws.amazon.com/saml` + - Set the **Audience** to `urn:amazon:webservices` + - Under **Advanced protocol settings**, add both property mappings you created in the previous section + - NAME ID EDIT + - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. + +:::note +The NameID field of type email is matched in AWS against the AWS username attribute, not the email attribute. +::: + +### Download metadata file + +1. Log into authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Providers** and click on the name of the newly created AWS provider. +3. Under **Related objects** > **Metadata**, click **Download**. This metadata file will be required in the next section. + +## AWS configuration + +1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers. +2. Create an IAM role with the desired permissions and note the ARN. +3. Navigate to [IAM Identity Providers](https://console.aws.amazon.com/iam/home#/providers). +4. Click **Create Provider** and configure: + - Select **SAML** as the provider type. + - Upload the metadata file from authentik. +5. Add the property mappings to the SAML Provider. +6. Create an application and assign the appropriate policies. +7. Connect the provider to your application. + + + + + +## Prerequisites + +- An AWS account with IAM Identity Center enabled + +:::info AWS OIDC limitations +AWS does not support direct OIDC login for the AWS Management Console. 
+ +OIDC in AWS is mainly used for federated access to AWS resources and programmatic access, such as: + + - Machine-to-machine authentication (CI/CD pipelines, automated scripts, etc.) + - Web applications requesting temporary AWS credentials via OIDC tokens + - Service account integrations in Kubernetes clusters (like EKS OIDC provider) + +::: + +## authentik configuration + +To support the integration of AWS with authentik using OIDC, you need to create an application/provider pair in authentik. + +### Create an application and provider in authentik + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) + - **Application**: provide a descriptive name (e.g., `AWS-OIDC`), an optional group for the type of application, the policy engine mode, and optional UI settings. + - **Choose a Provider type**: Select OAuth2/OpenID Provider as the provider type. + - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID** and **slug** values because they will be required later. + - Set a `Strict` redirect URI to match the AWS resource that you want to access via OIDC. + - Select any available signing key. + - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. + +## AWS configuration + +1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers. +2. 
Open the [IAM Console](https://console.aws.amazon.com/iam/) and in the left sidebar under **Access Management**, click **Identity providers**. +3. Click **Add provider** and configure the following fields: + - **Provider type**: `OpenID Connect` + - **Provider URL**: `https://authentik.company/application/o//` + - **Audience**: set to the Client ID from authentik +4. Click **Add provider** +5. On the **Identity providers** page, click on the name of the provider that you just added. +6. Click **Assign role** and either create a new role or select an existing role. This will determine the AWS permissions of any user authenticated via OIDC. + + + + +## Resources + +- [AWS Docs - Create a SAML identity provider in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) +- [AWS Docs - Create an OpenID Connect (OIDC) identity provider in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) diff --git a/website/integrations/cloud-providers/aws/index.mdx b/website/integrations/cloud-providers/aws/index.mdx index 59d33634752b..b462e7640eb6 100644 --- a/website/integrations/cloud-providers/aws/index.mdx +++ b/website/integrations/cloud-providers/aws/index.mdx @@ -1,6 +1,6 @@ --- -title: Integrate with Amazon Web Services -sidebar_label: Amazon Web Services +title: Integrate with Amazon Web Services (IAM Identity Centre) +sidebar_label: Amazon Web Services (IAM Identity Centre) support_level: authentik --- 
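Review bot: The OIDC **Provider URL** `https://authentik.company/application/o//` has an empty path segment where the application slug belongs, and the only mention of the slug ("Note the **Client ID** and **slug** values because they will be required later") never says where it is used; write the URL with a slug placeholder and add that placeholder to the Preparation list. The same hunk also leaves the placeholder `- NAME ID EDIT` in the SAML provider settings and the vague step `5. Add the property mappings to the SAML Provider` in the AWS console section, although the mappings are attached in authentik under **Advanced protocol settings**; resolve both before merge. Finally, `6. Click **Assign role** ... This will determine the AWS permissions of any user authenticated via OIDC.` reads as if every token from this provider can assume the role; say explicitly that the role's trust policy is what bounds who may assume it (at minimum it should match the **Audience**/Client ID configured in step 3), and that the authentik bindings described earlier control which users can obtain a token at all.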
@@ -35,107 +35,13 @@ IAM Identity Center needs a user pre-provisioned manually or via SCIM. SCIM Provisioning is only possible in conjunction with IAM Identity Center, not Classic IAM. ::: - - +## SAML Configuration -## authentik configuration - -To support the integration of AWS with authentik via the Classic IAM method, you need to create two property mappings and an application/provider pair in authentik. - -### Create property mappings - -1. Log in to authentik as an administrator and open the authentik Admin interface. -2. Navigate to **Customization** > **Property Mappings**, click **Create**, select **SAML Provider Property Mappings**, and click **Next**. -3. Configure the first mapping for the user's _role assignment_: - - **Name**: provide a descriptive name - - **SAML Attribute Name**: `https://aws.amazon.com/SAML/Attributes/Role` - - **Friendly Name**: Leave blank - - **Expression**: Choose one of these options: - - For a static role: - - ```python - return "arn:aws:iam:::role/saml_role,arn:aws:iam:::saml-provider/authentik" - ``` - - For role assignment based on group membership: - - ```python - role_name = user.group_attributes().get("aws_role", "") - return f"arn:aws:iam:::role/{role_name},arn:aws:iam:::saml-provider/authentik" - ``` - - For multiple roles: - - ```python - return [ - "arn:aws:iam:::role/role_a,arn:aws:iam:::saml-provider/authentik", - "arn:aws:iam:::role/role_b,arn:aws:iam:::saml-provider/authentik", - "arn:aws:iam:::role/role_c,arn:aws:iam:::saml-provider/authentik", - ] - ``` - -4. Click **Finish** to save. Then, repeat the process to create a mapping for the user's _session name_: - - **Name**: provide a descriptive name - - **SAML Attribute Name**: `https://aws.amazon.com/SAML/Attributes/RoleSessionName` - - **Friendly Name**: Leave blank - - **Expression**: `return user.username` - -5. Click **Finish**. - -### Create an application and provider in authentik - -1. 
Log in to authentik as an administrator and open the authentik Admin interface. -2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) - - **Application**: provide a descriptive name (e.g. "AWS"), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier. - - **Choose a Provider type**: select **SAML Provider** as the provider type. - - **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings: - - Set the **ACS URL** to `https://signin.aws.amazon.com/saml` - - Set the **Audience** to `urn:amazon:webservices` - - Under **Advanced protocol settings**, add both property mappings you created in the previous section - - NAME ID EDIT - - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. - -3. Click **Submit** to save the new application and provider. - -:::note -The NameID field of type email is matched in AWS against the AWS username attribute, not the email attribute. -::: - -### Download metadata file - -1. Log into authentik as an administrator and open the authentik Admin interface. -2. Navigate to **Applications** > **Providers** and click on the name of the newly created AWS provider. -3. Under **Related objects** > **Metadata**, click **Download**. This metadata file will be required in the next section. - -## AWS configuration - -1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers. -2. 
Create an IAM role with the desired permissions and note the ARN. -3. Navigate to [IAM Identity Providers](https://console.aws.amazon.com/iam/home#/providers). -4. Click **Create Provider** and configure: - - Select **SAML** as the provider type. - - Upload the metadata file from authentik. -5. Add the property mappings to the SAML Provider. -6. Create an application and assign the appropriate policies. -7. Connect the provider to your application. - - - - - -## Prerequisites +### Prerequisites - An AWS account with IAM Identity Center enabled -## Download AWS service Provider metadata file +### Download AWS service Provider metadata file 1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers. 2. Navigate to **IAM Identity Center** > **Settings** > **Identity Source**. @@ -144,11 +50,11 @@ The NameID field of type email is matched in AWS against the AWS username attrib 5. Click **Download metadata file** to download the **Service provider metadata** file. This file will be required in the next section. 6. Take note of the **AWS access portal sign-in URL**. This value will be required in the next section. -## authentik configuration +### authentik configuration To support the integration of AWS with authentik using SAML, you need to create an application/provider pair in authentik. -### Create an application and provider in authentik +#### Create an application and provider in authentik 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) 
@@ -170,14 +76,14 @@ To support the integration of AWS with authentik using SAML, you need to create The NameID field of type email is matched in AWS against the AWS username attribute, not the email attribute. ::: -### Download metadata file and signing certificate +#### Download metadata file and signing certificate 1. Log into authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click on the name of the newly created AWS provider. 3. Under **Related objects** > **Metadata**, click **Download**. This metadata file will be required in the next section. 4. Under **Related objects** > **Download signing certificate**, click **Download**. This signing certificate will be required in the next section. -## AWS configuration +### AWS configuration 1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers. 2. Navigate to **IAM Identity Center** > **Settings** > **Identity Source**. 
@@ -188,64 +94,13 @@ The NameID field of type email is matched in AWS against the AWS username attrib 7. Click **Next**. 8. (todo) - +## SCIM Configuration - - -## Prerequisites - -- An AWS account with IAM Identity Center enabled - -:::info AWS OIDC limitations -AWS does not support direct OIDC login for the AWS Management Console. - -OIDC in AWS is mainly used for federated access to AWS resources and programmatic access, such as: - - - Machine-to-machine authentication (CI/CD pipelines, automated scripts, etc.) - - Web applications requesting temporary AWS credentials via OIDC tokens - - Service account integrations in Kubernetes clusters (like EKS OIDC provider) - -::: - -## authentik configuration - -To support the integration of AWS with authentik using OIDC, you need to create an application/provider pair in authentik. - -### Create an application and provider in authentik - -1. Log in to authentik as an administrator and open the authentik Admin interface. -2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) - - **Application**: provide a descriptive name (e.g., `AWS-OIDC`), an optional group for the type of application, the policy engine mode, and optional UI settings. - - **Choose a Provider type**: Select OAuth2/OpenID Provider as the provider type. - - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Note the **Client ID** and **slug** values because they will be required later. - - Set a `Strict` redirect URI to match the AWS resource that you want to access via OIDC. - - Select any available signing key. 
- - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. - -3. Click **Submit** to save the new application and provider. - -## AWS configuration - -1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers. -2. Open the [IAM Console](https://console.aws.amazon.com/iam/) and in the left sidebar under **Access Management**, click **Identity providers**. -3. Click **Add provider** and configure the following fields: - - **Provider type**: `OpenID Connect` - - **Provider URL**: `https://authentik.company/application/o//` - - **Audience**: set to the Client ID from authentik -4. Click **Add provider** -5. On the **Identity providers** page, click on the name of the provider that you just added. -6. Click **Assign role** and either create a new role or select an existing role. This will determine the AWS permissions of any user authenticated via OIDC. - - - - - -## Prerequisites +### Prerequisites - Completed IAM Identity Center (SAML) setup. -## Enable automatic provisioning in AWS +### Enable automatic provisioning in AWS 1. Log in to the AWS Management Console as an administrator that has permissions to modify identity sources. 2. Navigate to **IAM Identity Center** > **Settings** > **Identity Source**. 
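Review bot: The SAML AWS configuration in the context above still ends with `8. (todo)`, which renders as an unfinished step on the published page; it is only replaced later in this series (PATCH 5/7), so squash that change into this commit rather than leaving a broken page in history. The OIDC section removed here (the `:::info AWS OIDC limitations` admonition and the IAM identity provider steps) is the only place the document explained why OIDC cannot be used for console login; since this page is now IAM Identity Center only, add a one-line pointer to the Classic IAM page where that material now lives so readers who arrive here looking for OIDC are not left without a reference.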
@@ -253,11 +108,11 @@ To support the integration of AWS with authentik using OIDC, you need to create Alternatively if automatic provisioning is already enabled, under **Identity source** click **Action** > **Manage provisioning**. 4. Take note of the **SCIM endpoint** and **Access token**. These values will be required in authentik. -## authentik configuration +### authentik configuration To support the integration of AWS with authentik using SCIM, you need to create two property mappings and a SCIM provider in authentik. -### Create property mappings +#### Create property mappings 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Customization** > **Property Mappings**, click **Create**, select **SCIM Mapping**, and click **Next**. @@ -283,7 +138,7 @@ To support the integration of AWS with authentik using SCIM, you need to create 5. Click **Finish**. -### Configure a SCIM provider in authentik +#### Configure a SCIM provider in authentik 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Providers** > **Providers** and click **Create**. 
@@ -304,12 +159,7 @@ To support the integration of AWS with authentik using SCIM, you need to create The SCIM provider will automatically sync when users, groups, or memberships change. You can manually sync from SCIM provider page. - - - -## Additional Resources +## Resources -- [AWS Docs - Create a SAML identity provider in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) -- [AWS Docs - Create an OpenID Connect (OIDC) identity provider in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) - [AWS Docs - What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) - [AWS Docs - Provisioning an external identity provider into IAM Identity Center using SCIM](https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-automatically.html) From fa916789f99a78cbc0752f793e9f63d533749894 Mon Sep 17 00:00:00 2001 From: dewi-tik Date: Fri, 31 Oct 2025 15:10:43 +0000 Subject: [PATCH 4/7] WIP --- .../cloud-providers/aws-classic/index.mdx | 14 +++++------ .../cloud-providers/aws/index.mdx | 24 ++++++++----------- 2 files changed, 17 insertions(+), 21 deletions(-) diff --git a/website/integrations/cloud-providers/aws-classic/index.mdx b/website/integrations/cloud-providers/aws-classic/index.mdx index 0427b3818649..75e69d5bba35 100644 --- a/website/integrations/cloud-providers/aws-classic/index.mdx +++ b/website/integrations/cloud-providers/aws-classic/index.mdx 
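Review bot: Dropping the two Classic IAM links (`Create a SAML identity provider in IAM`, `Create an OpenID Connect (OIDC) identity provider in IAM`) from **Resources** is correct for this page only if the Classic IAM content removed at `@@ -35,107 +35,13 @@` has a new home; the series shown jumps from PATCH 1/7 to PATCH 4/7, and 4/7 edits `website/integrations/cloud-providers/aws-classic/index.mdx` against an existing base index (`0427b3818649`), so the commit that creates that file must be part of this review. Also note the sentence in the unchanged context, `You can manually sync from SCIM provider page.`, is missing the article ("from the SCIM provider page").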
@@ -19,25 +19,25 @@ The following placeholders are used in this guide: - `authentik.company` is the FQDN of the authentik installation. -:::note +:::info This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: ## Configuration methods -There are several methods to integrate authentik with AWS. Below are the steps to configure each method. +AWS Classic IAM can be integreated with authentik via SAML or OIDC. Below are the steps to configure each method. -:::note -SCIM Provisioning is only possible in conjunction with [IAM Identity Center](../aws/index.mdx), not Classic IAM. +:::info SCIM Provisioning Limitation +SCIM Provisioning is only supported in conjunction with [IAM Identity Center](../aws/index.mdx), not Classic IAM. ::: - + ## authentik configuration diff --git a/website/integrations/cloud-providers/aws/index.mdx b/website/integrations/cloud-providers/aws/index.mdx index b462e7640eb6..bce8f48f5743 100644 --- a/website/integrations/cloud-providers/aws/index.mdx +++ b/website/integrations/cloud-providers/aws/index.mdx 
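Review bot: `integreated` is misspelled in `+AWS Classic IAM can be integreated with authentik via SAML or OIDC.`; PATCH 7/7 ("Spelling") corrects it, so squash that fix here instead of committing the typo. The `:::note` to `:::info` change and the new `:::info SCIM Provisioning Limitation` title are fine, but the same admonition text is duplicated nearly verbatim on the IAM Identity Center page in this patch; keep the wording identical in both files (here it says "not Classic IAM", there "not [Classic IAM](../aws-classic/index.mdx)") so the two pages do not drift, and consider linking in both directions.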
@@ -19,28 +19,20 @@ The following placeholders are used in this guide: - `authentik.company` is the FQDN of the authentik installation. -:::note +:::info This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -## Configuration methods - -There are several methods to integrate authentik with AWS. Below are the steps to configure each method. - -:::note -IAM Identity Center needs a user pre-provisioned manually or via SCIM. -::: - -:::note -SCIM Provisioning is only possible in conjunction with IAM Identity Center, not Classic IAM. -::: - ## SAML Configuration ### Prerequisites - An AWS account with IAM Identity Center enabled +:::info User Provisioning +IAM Identity Center needs a user pre-provisioned manually or via SCIM. Accounts are not created upon login. +::: + ### Download AWS service Provider metadata file 1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers. @@ -94,12 +86,16 @@ The NameID field of type email is matched in AWS against the AWS username attrib 7. Click **Next**. 8. (todo) -## SCIM Configuration +## SCIM Configuration (optional) ### Prerequisites - Completed IAM Identity Center (SAML) setup. +:::info SCIM Provisioning Limitation +SCIM Provisioning is only supported in conjunction with IAM Identity Center, not [Classic IAM](../aws-classic/index.mdx). +::: + ### Enable automatic provisioning in AWS 1. Log in to the AWS Management Console as an administrator that has permissions to modify identity sources. From d2d94de0c50820ac5925c110c2ea2221c7e8fa62 Mon Sep 17 00:00:00 2001 From: dewi-tik Date: Fri, 31 Oct 2025 15:36:14 +0000 Subject: [PATCH 5/7] WIP --- .../integrations/cloud-providers/aws/index.mdx | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) 
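Review bot: The new `+IAM Identity Center needs a user pre-provisioned manually or via SCIM. Accounts are not created upon login.` admonition is the key operational point of this integration, and the heading rename to `+## SCIM Configuration (optional)` now understates it: without SCIM, every user must exist in IAM Identity Center before first login, so say "optional" only if the reader provisions users manually, and reference this admonition from the SCIM prerequisites. Moving the two notes out of the deleted **Configuration methods** section is an improvement, but the second hunk's context still carries `8. (todo)` as the final AWS step.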
diff --git a/website/integrations/cloud-providers/aws/index.mdx b/website/integrations/cloud-providers/aws/index.mdx index bce8f48f5743..1d1a951a148f 100644 --- a/website/integrations/cloud-providers/aws/index.mdx +++ b/website/integrations/cloud-providers/aws/index.mdx @@ -4,9 +4,6 @@ sidebar_label: Amazon Web Services (IAM Identity Centre) support_level: authentik --- -import TabItem from "@theme/TabItem"; -import Tabs from "@theme/Tabs"; - ## What is AWS > AWS, or Amazon Web Services, is a comprehensive cloud computing platform. It provides a wide array of on-demand IT services like computing power, storage, and databases, allowing businesses to build and run applications, and manage infrastructure through the internet. @@ -50,7 +47,7 @@ To support the integration of AWS with authentik using SAML, you need to create 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) - - **Application**: provide a descriptive name (e.g. `AWS Identity Center`), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier. + - **Application**: provide a descriptive name (e.g. `AWS Identity Center`), an optional group for the type of application, the policy engine mode, and optional UI settings. - Under **UI Settings**, set the **Launch URL** to the **AWS access portal sign-in URL** copied from AWS. - **Choose a Provider type**: select **SAML Provider from metadata** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings: 
@@ -64,16 +61,15 @@ To support the integration of AWS with authentik using SAML, you need to create 3. Click **Submit** to save the new application and provider. -:::note +:::info NameID The NameID field of type email is matched in AWS against the AWS username attribute, not the email attribute. ::: -#### Download metadata file and signing certificate +#### Download metadata file 1. Log into authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click on the name of the newly created AWS provider. 3. Under **Related objects** > **Metadata**, click **Download**. This metadata file will be required in the next section. -4. Under **Related objects** > **Download signing certificate**, click **Download**. This signing certificate will be required in the next section. ### AWS configuration @@ -82,9 +78,8 @@ The NameID field of type email is matched in AWS against the AWS username attrib 3. Click **Actions** > **Change identity source**. 4. Select **External Identity Provider**. 5. Under **Identity provider metadata** > **IdP SAML metadata**, click **Choose file**, and then upload your authentik metadata file. -6. Under **Identity provider metadata** > **IdP certificate**, click **Choose file**, and then upload your authentik signing certificate. -7. Click **Next**. -8. (todo) +6. Click **Next**. +7. Type `ACCEPT` in the **Confirm that you want to change your identity source by entering ACCEPT in the field below.** field and click **Add/Change Identity Provider**. ## SCIM Configuration (optional) From b0e733241927b0d816ed3ecea3bb036de5934c13 Mon Sep 17 00:00:00 2001 From: dewi-tik Date: Fri, 31 Oct 2025 15:38:14 +0000 Subject: [PATCH 6/7] WIP --- website/integrations/cloud-providers/aws/index.mdx | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) 
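Review bot: The hunk header context `sidebar_label: Amazon Web Services (IAM Identity Centre)` shows the frontmatter spelling "Centre" while every heading and admonition in the body, and the AWS product name, use "Center"; align the title and sidebar label with the product name. In the AWS configuration hunk, removing `-6. Under **Identity provider metadata** > **IdP certificate** ... upload your authentik signing certificate.` together with the `Download signing certificate` step is only correct if the uploaded metadata carries the signing certificate; add a sentence to step 5 stating that the certificate is included in the metadata file so readers do not look for a separate upload, and note in the NameID admonition or nearby that assertions must be signed with the key that metadata advertises. Also, since `import Tabs`/`import TabItem` are removed in the first hunk, confirm that no `<Tabs>`/`<TabItem>` JSX remains anywhere in the file, otherwise the MDX build fails.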
diff --git a/website/integrations/cloud-providers/aws/index.mdx b/website/integrations/cloud-providers/aws/index.mdx index 1d1a951a148f..ff14dfb5732e 100644 --- a/website/integrations/cloud-providers/aws/index.mdx +++ b/website/integrations/cloud-providers/aws/index.mdx @@ -38,6 +38,7 @@ IAM Identity Center needs a user pre-provisioned manually or via SCIM. Accounts 4. Select **External Identity Provider**. 5. Click **Download metadata file** to download the **Service provider metadata** file. This file will be required in the next section. 6. Take note of the **AWS access portal sign-in URL**. This value will be required in the next section. +7. Keep this page open, you will need to return to it after configuring authentik. ### authentik configuration @@ -73,13 +74,10 @@ The NameID field of type email is matched in AWS against the AWS username attrib ### AWS configuration -1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers. -2. Navigate to **IAM Identity Center** > **Settings** > **Identity Source**. -3. Click **Actions** > **Change identity source**. -4. Select **External Identity Provider**. -5. Under **Identity provider metadata** > **IdP SAML metadata**, click **Choose file**, and then upload your authentik metadata file. -6. Click **Next**. -7. Type `ACCEPT` in the **Confirm that you want to change your identity source by entering ACCEPT in the field below.** field and click **Add/Change Identity Provider**. +1. Return to the AWS Identity Provider page. +2. Under **Identity provider metadata** > **IdP SAML metadata**, click **Choose file**, and then upload your authentik metadata file. +3. Click **Next**. +4. Type `ACCEPT` in the **Confirm that you want to change your identity source by entering ACCEPT in the field below.** field and click **Add/Change Identity Provider**. ## SCIM Configuration (optional) From 06751d4cbf233e31649027f251035635102dc04d Mon Sep 17 00:00:00 2001 
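Review bot: `+7. Keep this page open, you will need to return to it after configuring authentik.` is a comma splice, and the rewritten AWS configuration now depends on it: `+1. Return to the AWS Identity Provider page.` gives no navigation path if the console session has expired, and "AWS Identity Provider page" is not a name used elsewhere in the document (the earlier steps call the dialog **Change identity source**). Keep the dropped navigation (`Navigate to **IAM Identity Center** > **Settings** > **Identity Source**`, then `Click **Actions** > **Change identity source**`) as a fallback sentence in step 1, and fix the splice ("Keep this page open; you will need to return to it after configuring authentik.").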
From: dewi-tik Date: Fri, 31 Oct 2025 16:03:55 +0000 Subject: [PATCH 7/7] Spelling --- website/integrations/cloud-providers/aws-classic/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/integrations/cloud-providers/aws-classic/index.mdx b/website/integrations/cloud-providers/aws-classic/index.mdx index 75e69d5bba35..ace1dc3e1ba4 100644 --- a/website/integrations/cloud-providers/aws-classic/index.mdx +++ b/website/integrations/cloud-providers/aws-classic/index.mdx @@ -25,7 +25,7 @@ This documentation lists only the settings that you need to change from their de ## Configuration methods -AWS Classic IAM can be integreated with authentik via SAML or OIDC. Below are the steps to configure each method. +AWS Classic IAM can be integrated with authentik via SAML or OIDC. Below are the steps to configure each method. :::info SCIM Provisioning Limitation SCIM Provisioning is only supported in conjunction with [IAM Identity Center](../aws/index.mdx), not Classic IAM.
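Review bot: This one-word fix should be squashed into PATCH 4/7, where `integreated` was introduced, rather than shipped as a separate commit. More generally, five of the seven commits in the series are titled `WIP`; rewrite the series with descriptive messages (splitting Classic IAM into `aws-classic/index.mdx`, replacing the tabbed layout with sections, completing the IAM Identity Center AWS steps) so the history explains the restructuring.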