Optionally for single sign-on, the can leverage the AWS user/role mappings that are managed by a SAML authentication provider. In this authentication scenario:
When this feature is enabled, a user's available IAM roles are automatically synced via SAML. When a user signs in to the , the user can select the default role to use.
NOTE: When this feature is enabled and the platform is restarted, users of the cannot authenticate to AWS resources until IAM roles have been assigned to their accounts. Where possible, you should enable this feature on an unused instance of the platform.
To enable this feature, apply the following configuration change.
Locate the following parameter, and set it to
After the feature has been enabled, roles must be assigned to users.
The list of available roles is passed from the SAML identity provider to the . From this list of roles, each user selects the one to apply to their account.
Individual users must select the IAM role ARN to assume from the list exposed by .
NOTE: Before a user is permitted to complete login to the application, the user must select a role from the provided list.
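As an added illustration of the role hand-off described above (example code written here, not code from this page's product or its documentation), the following reads the role list out of a SAML assertion and confirms that a user's choice comes from that list. It assumes the identity provider conveys roles in the standard AWS SAML Role attribute, one `role-arn,saml-provider-arn` pair per value, and uses a constructed assertion with placeholder account ids.

```python
import re
import xml.etree.ElementTree as ET

# Assumptions (not stated on the page): the IdP carries roles in the standard AWS SAML
# Role attribute, one "<role-arn>,<saml-provider-arn>" pair per value (either order).
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")
TRUSTED_PROVIDER = "arn:aws:iam::123456789012:saml-provider/corp-idp"

# Constructed sample assertion (not a real IdP response); account ids are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/analyst,arn:aws:iam::123456789012:saml-provider/corp-idp</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/corp-idp,arn:aws:iam::123456789012:role/admin</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::999999999999:role/other-account,arn:aws:iam::123456789012:saml-provider/corp-idp</saml:AttributeValue>
      <saml:AttributeValue>not-an-arn</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def available_roles(assertion_xml: str, trusted_provider: str) -> list[str]:
    """Role ARNs the user may pick: well-formed, paired with the trusted
    provider, and in the provider's own account. IdP order is preserved."""
    root = ET.fromstring(assertion_xml)
    roles: list[str] = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = next((p for p in parts if ROLE_ARN.match(p)), None)
            provider = next((p for p in parts if PROVIDER_ARN.match(p)), None)
            if len(parts) != 2 or role is None or provider != trusted_provider:
                continue  # malformed value, or a provider this deployment does not trust
            if role.split(":")[4] != provider.split(":")[4]:
                continue  # a role cannot be assumed through a provider in another account
            if role not in roles:
                roles.append(role)
    return roles

def select_role(roles: list[str], chosen: str) -> str:
    """Enforce that the user's selection is one the identity provider offered."""
    if chosen not in roles:
        raise PermissionError(f"role not offered by the identity provider: {chosen}")
    return chosen
```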
For more information, see Configure Your Access to S3.
You can use the platform APIs to create platform AWS roles and assign them to users. For more information, see API Workflow - Manage AWS Configurations.