AWS Identity and Access Management

2025/02/04 - AWS Identity and Access Management - 3 updated api methods

Changes: This release adds support for accepting encrypted SAML assertions. Customers can now configure their identity provider to encrypt the SAML assertions it sends to IAM.

CreateSAMLProvider (updated)
Changes (request)
{'AddPrivateKey': 'string', 'AssertionEncryptionMode': 'Required | Allowed'}

Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.

The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the Amazon Web Services Management Console or one that supports API access to Amazon Web Services.

When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. That document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that the IdP sends. You must generate the metadata document using the identity management software that is used as your organization's IdP.

For more information, see Enabling SAML 2.0 federated users to access the Amazon Web Services Management Console and About SAML 2.0-based federation in the IAM User Guide.

See also: AWS API Documentation

Request Syntax

client.create_saml_provider(
    SAMLMetadataDocument='string',
    Name='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    AssertionEncryptionMode='Required'|'Allowed',
    AddPrivateKey='string'
)
type SAMLMetadataDocument:

string

param SAMLMetadataDocument:

[REQUIRED]

An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.

For more information, see About SAML 2.0-based federation in the IAM User Guide.

type Name:

string

param Name:

[REQUIRED]

The name of the provider to create.

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

type Tags:

list

param Tags:

A list of tags that you want to attach to the new IAM SAML provider. Each tag consists of a key name and an associated value. For more information about tagging, see Tagging IAM resources in the IAM User Guide.

  • (dict) --

    A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide.

    • Key (string) -- [REQUIRED]

      The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

    • Value (string) -- [REQUIRED]

      The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources, Accounting, and Support. Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

type AssertionEncryptionMode:

string

param AssertionEncryptionMode:

Specifies the encryption setting for the SAML provider: Required or Allowed.

type AddPrivateKey:

string

param AddPrivateKey:

The private key generated from your external identity provider. The private key must be a .pem file that uses the AES-GCM or AES-CBC encryption algorithm to decrypt SAML assertions.

rtype:

dict

returns:

Response Syntax

{
    'SAMLProviderArn': 'string',
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    Contains the response to a successful CreateSAMLProvider request.

    • SAMLProviderArn (string) --

      The Amazon Resource Name (ARN) of the new SAML provider resource in IAM.

    • Tags (list) --

      A list of tags that are attached to the new IAM SAML provider. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide.

      • (dict) --

        A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide.

        • Key (string) --

          The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

        • Value (string) --

          The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources, Accounting, and Support. Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

GetSAMLProvider (updated)
Changes (response)
{'AssertionEncryptionMode': 'Required | Allowed',
 'PrivateKeyList': [{'KeyId': 'string', 'Timestamp': 'timestamp'}],
 'SAMLProviderUUID': 'string'}

Returns the SAML provider metadata document that was uploaded when the IAM SAML provider resource object was created or updated.

See also: AWS API Documentation

Request Syntax

client.get_saml_provider(
    SAMLProviderArn='string'
)
type SAMLProviderArn:

string

param SAMLProviderArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the SAML provider resource object in IAM to get information about.

For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.

rtype:

dict

returns:

Response Syntax

{
    'SAMLProviderUUID': 'string',
    'SAMLMetadataDocument': 'string',
    'CreateDate': datetime(2015, 1, 1),
    'ValidUntil': datetime(2015, 1, 1),
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    'AssertionEncryptionMode': 'Required'|'Allowed',
    'PrivateKeyList': [
        {
            'KeyId': 'string',
            'Timestamp': datetime(2015, 1, 1)
        },
    ]
}

Response Structure

  • (dict) --

    Contains the response to a successful GetSAMLProvider request.

    • SAMLProviderUUID (string) --

      The unique identifier assigned to the SAML provider.

    • SAMLMetadataDocument (string) --

      The XML metadata document that includes information about an identity provider.

    • CreateDate (datetime) --

      The date and time when the SAML provider was created.

    • ValidUntil (datetime) --

      The expiration date and time for the SAML provider.

    • Tags (list) --

      A list of tags that are attached to the specified IAM SAML provider. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide.

      • (dict) --

        A structure that represents user-provided metadata that can be associated with an IAM resource. For more information about tagging, see Tagging IAM resources in the IAM User Guide.

        • Key (string) --

          The key name that can be used to look up or retrieve the associated value. For example, Department or Cost Center are common choices.

        • Value (string) --

          The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources, Accounting, and Support. Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.

    • AssertionEncryptionMode (string) --

Specifies the encryption setting for the SAML provider: Required or Allowed.

    • PrivateKeyList (list) --

      The private key metadata for the SAML provider.

      • (dict) --

        Contains the private keys for the SAML provider.

        This data type is used as a response element in the GetSAMLProvider operation.

        • KeyId (string) --

          The unique identifier for the SAML private key.

        • Timestamp (datetime) --

          The date and time, in ISO 8601 date-time format, when the private key was uploaded.

UpdateSAMLProvider (updated)
Changes (request)
{'AddPrivateKey': 'string',
 'AssertionEncryptionMode': 'Required | Allowed',
 'RemovePrivateKey': 'string'}

Updates the metadata document, SAML encryption settings, and private keys for an existing SAML provider. To rotate private keys, add your new private key and then remove the old key in a separate request.
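The rotation order stated above (add the new key first, then remove the old key in a separate request) is easy to get wrong in automation, so the following added example, which is not part of the boto3 changelog or of AWS's own code, wraps it in a function that works against any client exposing get_saml_provider and update_saml_provider with the request and response shapes documented on this page (a real boto3 IAM client fits). FakeIamClient, the ARN, the key IDs and the PEM strings are constructed placeholders so the script runs offline; the PEM sanity check and the "confirm the new key is listed before removing anything" step are this example's own guards, not behaviour the API enforces.

```python
"""Rotate an IAM SAML provider's assertion-decryption key in the documented order.
Added example; assumes only the request/response shapes shown on this page."""
from __future__ import annotations

import re
from datetime import datetime, timezone
from typing import Any

# Unencrypted PEM private-key block (PKCS#8, PKCS#1 RSA, or SEC1 EC headers).
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.+?-----END (?:RSA |EC )?PRIVATE KEY-----",
    re.S,
)


def looks_like_pem_private_key(pem: str) -> bool:
    """Cheap pre-upload check: AddPrivateKey expects .pem private-key content.
    A public key or a passphrase-protected key is the usual mistake; both are rejected here."""
    if "ENCRYPTED PRIVATE KEY" in pem:
        return False
    return PEM_PRIVATE_KEY.search(pem) is not None


def rotate_saml_private_key(client, provider_arn: str, new_key_pem: str) -> list[str]:
    """Add new_key_pem, verify it is listed, then remove each old key in its own request.
    Returns the KeyIds that were removed."""
    if not looks_like_pem_private_key(new_key_pem):
        raise ValueError("new key is not an unencrypted PEM private key")

    before = client.get_saml_provider(SAMLProviderArn=provider_arn)
    old_ids = [k["KeyId"] for k in before.get("PrivateKeyList", [])]

    # Step 1: add the new key on its own (the page: add first, remove in a separate request).
    client.update_saml_provider(SAMLProviderArn=provider_arn, AddPrivateKey=new_key_pem)

    # Guard (this example's own): do not remove anything until the new key is visible,
    # otherwise a provider in 'Required' mode could be left unable to decrypt assertions.
    after_add = client.get_saml_provider(SAMLProviderArn=provider_arn)
    new_ids = [k["KeyId"] for k in after_add.get("PrivateKeyList", []) if k["KeyId"] not in old_ids]
    if not new_ids:
        raise RuntimeError("new key not visible in PrivateKeyList; aborting rotation")

    # Step 2: one RemovePrivateKey per request, never combined with AddPrivateKey.
    for key_id in old_ids:
        client.update_saml_provider(SAMLProviderArn=provider_arn, RemovePrivateKey=key_id)
    return old_ids


class FakeIamClient:
    """Constructed in-memory stand-in that returns the response shapes documented above."""

    def __init__(self, arn: str, mode: str, keys: list[str]):
        self.arn = arn
        self.mode = mode                      # 'Required' | 'Allowed'
        self._keys = {f"key-{i}": pem for i, pem in enumerate(keys, 1)}
        self._next = len(keys) + 1
        self.calls: list[dict[str, Any]] = []  # request log, handy for asserting order

    def get_saml_provider(self, SAMLProviderArn: str) -> dict[str, Any]:
        self.calls.append({"op": "get", "SAMLProviderArn": SAMLProviderArn})
        return {
            "SAMLProviderUUID": "00000000-0000-0000-0000-000000000000",  # placeholder
            "SAMLMetadataDocument": "<EntityDescriptor/>",               # placeholder
            "AssertionEncryptionMode": self.mode,
            "PrivateKeyList": [
                {"KeyId": k, "Timestamp": datetime.now(timezone.utc)} for k in self._keys
            ],
        }

    def update_saml_provider(self, SAMLProviderArn: str, **kwargs) -> dict[str, Any]:
        self.calls.append({"op": "update", **kwargs})
        if "AddPrivateKey" in kwargs:
            self._keys[f"key-{self._next}"] = kwargs["AddPrivateKey"]
            self._next += 1
        if "RemovePrivateKey" in kwargs:
            self._keys.pop(kwargs["RemovePrivateKey"])
        return {"SAMLProviderArn": SAMLProviderArn}


# Constructed placeholders, not real keys or a real account.
OLD_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nplaceholder-old-key-material\n-----END PRIVATE KEY-----\n"
NEW_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nplaceholder-new-key-material\n-----END PRIVATE KEY-----\n"
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/ExampleIdP"

if __name__ == "__main__":
    fake = FakeIamClient(PROVIDER_ARN, "Required", [OLD_KEY_PEM])
    print("removed:", rotate_saml_private_key(fake, PROVIDER_ARN, NEW_KEY_PEM))
    print("remaining:", [k["KeyId"] for k in fake.get_saml_provider(SAMLProviderArn=PROVIDER_ARN)["PrivateKeyList"]])
```

With a real client, replace FakeIamClient with `boto3.client("iam")`; the function body is unchanged because it only relies on the parameter and field names shown in the request and response syntax above.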

See also: AWS API Documentation

Request Syntax

client.update_saml_provider(
    SAMLMetadataDocument='string',
    SAMLProviderArn='string',
    AssertionEncryptionMode='Required'|'Allowed',
    AddPrivateKey='string',
    RemovePrivateKey='string'
)
type SAMLMetadataDocument:

string

param SAMLMetadataDocument:

An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your IdP.

type SAMLProviderArn:

string

param SAMLProviderArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the SAML provider to update.

For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.

type AssertionEncryptionMode:

string

param AssertionEncryptionMode:

Specifies the encryption setting for the SAML provider: Required or Allowed.

type AddPrivateKey:

string

param AddPrivateKey:

Specifies the new private key from your external identity provider. The private key must be a .pem file that uses the AES-GCM or AES-CBC encryption algorithm to decrypt SAML assertions.

type RemovePrivateKey:

string

param RemovePrivateKey:

The Key ID of the private key to remove.

rtype:

dict

returns:

Response Syntax

{
    'SAMLProviderArn': 'string'
}

Response Structure

  • (dict) --

    Contains the response to a successful UpdateSAMLProvider request.

    • SAMLProviderArn (string) --

      The Amazon Resource Name (ARN) of the SAML provider that was updated.