SAML Provider
Overview
This Terraform module provisions an AWS IAM SAML provider, enabling federated access through external identity providers using the SAML 2.0 standard.
Key Features
- Registers a trusted SAML identity provider in IAM from the IdP's metadata XML (signing certificate and endpoints)
- Enables Single Sign-On (SSO) with IdPs such as Okta, Azure AD (Microsoft Entra ID), or Google Workspace
- Tags the provider resource for environment visibility and tracking
- Supports centralized access management and identity federation without long-lived IAM user credentials
Use Cases
- Integrate AWS IAM with enterprise SSO providers
- Enable federated login for developers or auditors
- Meet identity governance and compliance requirements
- Provide SAML-based access without using IAM users
Input Variables
| Name | Type | Description |
|---|---|---|
| region | string | AWS region used to configure the provider. IAM is a global service, so the SAML provider itself is not region-scoped |
| saml_provider_name | string | Name for the IAM SAML provider; becomes the last segment of the provider ARN (`arn:aws:iam::<account-id>:saml-provider/<name>`) |
| metadata_document | string | Contents of the IdP metadata XML document (read it from disk with `file()`, as in the example below) |
| environment | string | Deployment environment tag (e.g., dev, prod) |
Outputs
| Name | Description |
|---|---|
| saml_provider_arn | ARN of the created SAML provider; reference it as the `Federated` principal in role trust policies |
| saml_provider_name | Name of the created SAML provider |
Deployment Readiness
- Compatible with Terraform 1.0+ (and OpenTofu)
- Requires AWS Provider 5.x+
- Requires the `iam:CreateSAMLProvider` permission; tagging additionally needs `iam:TagSAMLProvider`, and `terraform destroy` needs `iam:DeleteSAMLProvider`
Example Usage

```hcl
module "saml_provider_deployment" {
  source             = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//identity/saml-provider?ref=v1.0.0"
  region             = "us-east-1"
  saml_provider_name = "MyCompanySAML"
  metadata_document  = file("saml-metadata.xml")
  environment        = "prod"
}
```

```sh
terraform init
terraform plan
terraform apply
```

or

```sh
tofu init
tofu plan
tofu apply
```
Cleanup

Terraform Destroy:

```sh
terraform destroy
```

or

```sh
tofu destroy
```

Manual Deletion:

```sh
aws iam delete-saml-provider \
  --saml-provider-arn arn:aws:iam::<account-id>:saml-provider/MyCompanySAML
```
Warning: deleting a SAML provider that is still named as the `Federated` principal in a role's trust policy breaks federated sign-in for that role immediately, and neither Terraform nor the CLI will warn you if the trusting roles are managed elsewhere. Remove or update the trusting roles first.
Notes

This is a Level 1 identity federation module: it only registers the provider.
To fully enable federated access, pair it with one or more IAM roles whose trust policy names the provider ARN as a `Federated` principal and allows `sts:AssumeRoleWithSAML`, conditioned on `SAML:aud` equal to `https://signin.aws.amazon.com/saml` so that only assertions addressed to the AWS sign-in endpoint are accepted. Attach least-privilege permissions to each role; the IdP then maps users to the role/provider ARN pair.
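The role pairing described above, as an added example that is not part of this module's code. It assumes the `saml_provider_deployment` module block from Example Usage and its `saml_provider_arn` output; the role name, the attached `ReadOnlyAccess` managed policy, and the session duration are illustrative choices, not module defaults.

```hcl
# Added example (not the module's own code). Assumes the module block from
# Example Usage and its saml_provider_arn output; role name and attached
# policy are illustrative.

terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

module "saml_provider_deployment" {
  source             = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//identity/saml-provider?ref=v1.0.0"
  region             = "us-east-1"
  saml_provider_name = "MyCompanySAML"
  metadata_document  = file("saml-metadata.xml")
  environment        = "prod"
}

# Trust policy: only assertions signed by this provider, and only those whose
# audience is the AWS sign-in endpoint, may assume the role. Without the
# SAML:aud condition an assertion minted for another service principal could
# be replayed against STS.
data "aws_iam_policy_document" "saml_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithSAML"]

    principals {
      type        = "Federated"
      identifiers = [module.saml_provider_deployment.saml_provider_arn]
    }

    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}

resource "aws_iam_role" "saml_readonly" {
  name                 = "MyCompanySAML-ReadOnly" # illustrative name
  assume_role_policy   = data.aws_iam_policy_document.saml_trust.json
  max_session_duration = 3600 # cap federated sessions at one hour

  tags = {
    Environment = "prod"
  }
}

# Least privilege: start from a read-only managed policy and scope further
# per role rather than granting broad access to every federated user.
resource "aws_iam_role_policy_attachment" "saml_readonly" {
  role       = aws_iam_role.saml_readonly.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

output "saml_role_arn" {
  description = "ARN of the role federated users assume"
  value       = aws_iam_role.saml_readonly.arn
}

# Value to configure on the IdP side as the
# https://aws.amazon.com/SAML/Attributes/Role attribute: "<role-arn>,<provider-arn>".
output "idp_role_attribute" {
  description = "Role attribute value (role ARN, provider ARN) for the IdP's AWS application"
  value       = "${aws_iam_role.saml_readonly.arn},${module.saml_provider_deployment.saml_provider_arn}"
}
```

Destroying the provider while `aws_iam_role.saml_readonly` still exists leaves the role with a trust policy pointing at a deleted ARN, so tear down the roles first or manage both in the same root module so Terraform orders the destroy correctly.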
Deployment Package Notice
This module is part of the Level 1 AWS License Tier.
To access the full deployment package and source code, subscribe to Archiphire.