Modern organizations increasingly need to authenticate users across multiple domains, directories, and identity providers. When separate organizations collaborate—each with its own Google Workspace (or another IdP)—a single, consistent login experience becomes both a security requirement and a user expectation.

In this scenario, a solution was required that allowed two separate organizations to authenticate with their respective Google identity providers (IdPs) while still accessing shared AWS applications through AWS IAM Identity Center. A federating identity provider was selected because it consolidates multiple external IdPs under a single authentication layer, providing a unified access experience.

This article explains why this architecture was chosen and provides step-by-step integration guidance for the complete setup.

Why Use a Federating IdP in Front of AWS IAM Identity Center?

AWS IAM Identity Center supports only a single external SAML identity provider (IdP). This can become a limitation when multiple independent organizations need to authenticate using their own identity providers.

Introducing a federating identity provider in front of IAM Identity Center addresses this challenge by:

  • Supporting multiple external IdPs (for example, separate Google IdPs for different organizations).
  • Providing a unified login experience across organizations.
  • Enabling fine-grained user and group mapping before sending SAML assertions to AWS.
  • Presenting a single SAML IdP to IAM Identity Center, which simplifies the AWS-side configuration.

This approach centralizes authentication logic while preserving each organization’s existing identity system.

Target Architecture

 Business Unit 1 Entra IdP ─┐
                            ├──> Keycloak (IdP Broker) ──> IAM Identity Center (SAML) ──> AWS APPS
 Business Unit 2 Entra IdP ─┘

Prerequisites

Before starting the integration, ensure the following components are in place:

  • An active AWS IAM Identity Center.
  • A running federating identity provider (such as Keycloak) with administrative access.
  • Two separate external identity providers (for example, Google or Entra IdPs), each configured for its respective organization.
  • Domain and DNS access for the federating IdP, so that it is publicly reachable by the users' browsers that IAM Identity Center redirects to it.

Integration Steps

1. Configure IAM Identity Center to Trust the Federating IdP as a SAML Provider

  1. In AWS IAM Identity Center, navigate to Settings → Identity Source.
  2. Select External Identity Provider.
  3. Download the IAM Identity Center SAML metadata file.
  4. Note the ACS URL and Entity ID, as these values will be required when configuring the federating IdP.

2. Create a SAML Client/Application in the Federating IdP (for AWS)

In the federating identity provider (for example, Keycloak):

2.1 Create or Select a Realm

Create a new realm or select an existing realm dedicated to AWS access.

2.2 Create a New SAML Client

  1. Go to Clients under the selected Realm.
  2. Click Import Client.
  3. Click Browse and upload the AWS IAM Identity Center SAML metadata that you downloaded earlier.
  4. Click Save.

2.3 Configure Client Settings

Update the following fields in the client configuration:

  • Valid Redirect URIs: AWS IAM Identity Center ACS URL

Set the following values:

  • Base URL:
    your_keycloak_login_url/realms/your_realm_name/protocol/saml/clients/amazon-aws
  • IDP Initiated SSO URL Name: amazon-aws

After making these changes, click Save to apply the configuration.


2.4 Export Keycloak SAML Metadata

Your IdP metadata file can be obtained from the Keycloak Administration Console.

  1. In the Keycloak Administration Console, select Realm Settings from the main navigation sidebar.
  2. Go to the General tab.
  3. Under the Endpoints section, click the link for SAML 2.0 Identity Provider Metadata.

3. Upload Federating IdP Metadata to AWS IAM Identity Center

  1. In AWS IAM Identity Center, upload the Keycloak SAML metadata exported from the federating IdP.
  2. Once uploaded, AWS establishes the SAML trust relationship between IAM Identity Center and the federating IdP.

4. Add Multiple External Identity Providers in the Federating IdP

Within the federating identity provider:

  1. Navigate to Identity Providers.
  2. Add each external IdP (for example, separate Google IdPs for different organizations). However, there is an important limitation: Keycloak does not allow creating multiple Google IdPs with different redirect URIs directly from the admin console, because the console does not expose options to modify the redirect URI configuration for the identity provider.
  3. To work around this limitation, the configuration can be performed using the Keycloak CLI tools or Admin API, which allow full control over the identity provider settings, including redirect URIs and other parameters. This approach makes it possible to create and manage multiple Google IdP configurations within the same realm.
  4. Configure the required details for each IdP, such as:
  • Client ID and Client Secret
  • Authorized Redirect URIs

5. Map User Attributes for IAM Identity Center

The federating IdP should send user attributes that IAM Identity Center can interpret. Common attributes include:

  • email
  • givenName
  • groups (optional but useful for application or permission assignments)

These attributes can typically be configured under Application → Attribute Mappers.

6. Test the End-to-End Authentication Flow

  1. Access the AWS IAM Identity Center user portal.
  2. Confirm that authentication redirects to the federating IdP login page.
  3. Select the appropriate external identity provider.
  4. Authenticate with the selected IdP.
  5. Verify that the user successfully signs in and can view the expected AWS applications or accounts.
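A pre-flight check that complements steps 5 and 6 above, added here as an example that is not part of the original article: it inspects a SAML response (for instance one captured from the browser with a SAML tracer extension during the end-to-end test) and reports whether the issuer, audience, validity window, NameID and the mapped attributes (email, givenName, groups) are what IAM Identity Center expects. `SAMPLE_RESPONSE`, the Keycloak realm URL and the IAM Identity Center entity ID and ACS URL are constructed placeholders; the check is structural only, and signature validation remains IAM Identity Center's job.

```python
# Added example (not from the original article): structural sanity check of a SAML
# response before, or while, troubleshooting the IAM Identity Center login flow.
# The response below is constructed (unsigned) and the URLs are placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

EXPECTED_ISSUER = "https://keycloak.example.com/realms/aws-access"   # placeholder realm URL
EXPECTED_AUDIENCE = "https://iam-identity-center.example/saml/sp"    # placeholder Entity ID
EXPECTED_ACS = "https://iam-identity-center.example/saml/acs"        # placeholder ACS URL

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{EXPECTED_ACS}">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@org-a.example</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@org-a.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>aws-readonly</saml:AttributeValue><saml:AttributeValue>org-a</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value: str) -> datetime:
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text: str, expected_issuer: str, expected_audience: str,
                        expected_acs: str, required_attributes: list, now: datetime) -> dict:
    """Return {'findings': [...], 'name_id': str, 'attributes': {name: [values]}}.
    An empty findings list means the response looks like what IAM Identity Center needs."""
    findings = []
    root = ET.fromstring(xml_text)   # our own IdP's output, not untrusted third-party XML
    if root.get("Destination") not in (None, expected_acs):
        findings.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion (encrypted assertions are not inspected here)")
        return {"findings": findings, "name_id": "", "attributes": {}}
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        findings.append(f"unexpected issuer {issuer!r}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if "@" not in name_id:
        findings.append("NameID is not an e-mail address")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"audience {audiences} does not include the IAM Identity Center entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_instant(cond.get("NotBefore")):
            findings.append("assertion not yet valid (check clock skew)")
        if cond.get("NotOnOrAfter") and now >= parse_instant(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (check clock skew)")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for name in required_attributes:
        if not attributes.get(name):
            findings.append(f"missing attribute {name!r} (check the client's attribute mappers)")
    return {"findings": findings, "name_id": name_id, "attributes": attributes}


if __name__ == "__main__":
    result = check_saml_response(SAMPLE_RESPONSE, EXPECTED_ISSUER, EXPECTED_AUDIENCE, EXPECTED_ACS,
                                 ["email", "givenName"], parse_instant("2024-01-01T12:01:00Z"))
    print("NameID:", result["name_id"], "attributes:", result["attributes"])
    print("OK" if not result["findings"] else "\n".join(result["findings"]))
```

When the login in step 6 fails, the findings list usually points straight at the cause: a wrong audience means the metadata uploaded to Keycloak came from a different IAM Identity Center instance, a missing attribute means a mapper was not added to the SAML client, and a not-yet-valid or expired assertion means the broker's clock drifts.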

What This Gives Us

  • A single AWS integration point (Keycloak).
  • Flexible federation of multiple organizations.
  • Consistent access to AWS applications through AWS IAM Identity Center.
  • Centralized control over authentication behavior and identity mapping.

Conclusion

For organizations that must integrate multiple identity providers into AWS, Keycloak offers an elegant and scalable solution. Using Keycloak as a federation layer lets multiple organizations authenticate with their own IdPs while keeping a single, clean SAML integration into AWS IAM Identity Center.
