AWS Identity and Access Management simplifies management of OpenID Connect identity providers

Posted on: Jul 12, 2024

Today, AWS Identity and Access Management (IAM) is announcing improvements that simplify how customers manage OpenID Connect (OIDC) identity providers (IdPs) in their AWS accounts. These improvements include increased availability when handling federated user logins through existing IdPs and a streamlined process for provisioning new OIDC IdPs.

IAM now secures communication with OIDC IdPs by trusting the root certificate authority (CA) anchoring the IdP’s SSL/TLS server certificate. This aligns with current industry standards and removes the need for customers to update certificate thumbprints when rotating SSL/TLS certificates. For customers using less common root CAs or a self-signed SSL/TLS server certificate, IAM will continue to rely on the certificate thumbprint set in the IdP configuration. This change applies automatically to new and existing OIDC IdPs, and no action is required from customers.

Additionally, when customers configure a new OIDC IdP using either the IAM console or the API/CLI, they no longer need to supply the IdP’s SSL/TLS server certificate thumbprint, because IAM retrieves it automatically. This thumbprint is maintained with the IdP configuration, but it is not used if the IdP relies on a trusted root CA.
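Because the thumbprint still decides trust for IdPs behind uncommon root CAs or self-signed certificates, it is worth confirming that the thumbprint IAM stored for an IdP matches one computed independently from the certificate chain the IdP actually serves. The following is an added example, not AWS code or part of this announcement: it assumes the chain text was captured with `openssl s_client -servername <host> -showcerts -connect <host>:443` and the stored list was read from the `ThumbprintList` field returned by `aws iam get-open-id-connect-provider`. The sample chain embedded below is constructed placeholder data, not real certificates.

```python
"""Compute the SHA-1 thumbprint IAM uses for an OIDC IdP and compare it
with the thumbprint stored in the IdP configuration.

Added example (not AWS code). Assumes:
  - chain_text is the PEM output of `openssl s_client -showcerts`
  - stored_list is the ThumbprintList from
    `aws iam get-open-id-connect-provider --open-id-connect-provider-arn <arn>`
"""
import base64
import hashlib
import re

# Matches each PEM certificate block; re.S lets the body span multiple lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_chain_to_der(chain_text: str) -> list:
    """Split a PEM chain into DER-encoded certificates, in the order presented."""
    return [
        base64.b64decode("".join(body.split()))
        for body in PEM_RE.findall(chain_text)
    ]


def thumbprint(der: bytes) -> str:
    """IAM thumbprint format: lowercase hex SHA-1 over the DER encoding."""
    return hashlib.sha1(der).hexdigest()


def chain_thumbprint(chain_text: str) -> str:
    """Thumbprint of the last certificate the server presented.

    That is the top intermediate CA in the chain, which is the certificate
    the IAM thumbprint refers to (the root itself is usually not sent).
    """
    certs = pem_chain_to_der(chain_text)
    if not certs:
        raise ValueError("no certificates found in chain text")
    return thumbprint(certs[-1])


def thumbprint_matches(chain_text: str, stored_list) -> bool:
    """True if the independently computed thumbprint is in IAM's stored list.

    IAM may return thumbprints in upper case, so compare case-insensitively.
    """
    computed = chain_thumbprint(chain_text)
    return any(computed == stored.lower() for stored in stored_list)


# Constructed placeholder chain (NOT real certificates): the bodies decode to
# the bytes b"leaf" and b"abc", which keeps the expected hash easy to verify.
SAMPLE_CHAIN = """\
-----BEGIN CERTIFICATE-----
bGVhZg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # With a real capture, replace SAMPLE_CHAIN with the s_client output and
    # stored with the ThumbprintList from the IAM API.
    stored = ["A9993E364706816ABA3E25717850C26C9CD0D89D"]  # constructed
    print("computed:", chain_thumbprint(SAMPLE_CHAIN))
    print("matches IAM config:", thumbprint_matches(SAMPLE_CHAIN, stored))
```

A mismatch here means IAM's stored thumbprint no longer corresponds to the chain the IdP serves; for an IdP anchored in a widely trusted root CA that is harmless under the new behaviour, but for a self-signed or uncommon-CA IdP it would break federated logins and should be corrected with `aws iam update-open-id-connect-provider-thumbprint`.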

These improvements are now available in the commercial AWS Regions, the AWS GovCloud (US) Regions, and the China Regions. For more information, please see About Web Identity Federation in the IAM product documentation.