Posted On: Jul 10, 2024

Today, Amazon Identity and Access Management (IAM) is announcing improvements that simplify how customers manage OpenID Connect (OIDC) identity providers (IdPs) in their Amazon Web Services accounts. These improvements include increased availability when handling federated user logins through existing IdPs and a streamlined process for provisioning new OIDC IdPs.

IAM now secures communication with OIDC IdPs by trusting the root certificate authority (CA) anchoring the IdP’s SSL/TLS server certificate. This aligns with current industry standards and removes the need for customers to update certificate thumbprints when rotating SSL/TLS certificates. For customers using less common root CAs or a self-signed SSL/TLS server certificate, IAM will continue to rely on the certificate thumbprint set in your IdP configuration. This change automatically applies to new and existing OIDC IdPs, and no action is required from customers.

Additionally, when customers configure a new OIDC IdP using either the IAM console or API/CLI, customers no longer need to supply the IdP’s SSL/TLS server certificate thumbprint as IAM will automatically retrieve it. This thumbprint is maintained with the IdP configuration, but is not used if the IdP relies on a trusted root CA.

These improvements are now available in the Amazon Web Services China (Beijing) Region, operated by Sinnet and the Amazon Web Services China (Ningxia) Region, operated by NWCD. For more information, please see About Web Identity Federation in the IAM product documentation.