
Prerequisites

Before deploying NTC Identity Center with Terraform / OpenTofu, several manual configuration steps must be completed in the AWS Console. These prerequisites ensure that AWS IAM Identity Center is properly configured with your chosen identity source and ready for automated permission set and account assignment management.

Overview

The NTC Identity Center module automates the deployment of permission sets and account assignments, but the initial Identity Center setup requires manual configuration, because enabling the organization instance and selecting the identity source are console-only operations that Terraform / OpenTofu cannot perform. This includes:

  1. Enabling AWS IAM Identity Center in your organization's management account
  2. Selecting and configuring your identity source (internal, external, or Active Directory)
  3. Setting up identity provider integrations if using external authentication
  4. Configuring user and group synchronization (optional but recommended)
Important

These steps must be completed before running the NTC Identity Center module.

Step 1: Enable AWS IAM Identity Center

AWS IAM Identity Center must be enabled manually in the AWS Console:

  1. Navigate to AWS IAM Identity Center in your organization's management account
  2. Select your preferred region - this will be your Identity Center's home region
  3. Enable Identity Center - this creates the Identity Center instance for your organization
Region Selection

Choose your home region carefully: it cannot be changed afterwards. Moving to another region means deleting the Identity Center configuration and enabling it again, which discards existing permission sets, assignments and locally stored users and groups.

Step 2: Choose Your Identity Source

AWS IAM Identity Center supports three identity source options. Choose the one that best fits your organization's needs:

Option A: Identity Center Store (Internal)

The default option that stores users and groups directly in AWS IAM Identity Center.

When to use:

  • Small organizations without existing identity infrastructure
  • Testing and proof-of-concept deployments
  • Organizations wanting AWS-native identity management

Configuration:

  • No additional setup required
  • Users and groups managed directly in Identity Center
  • Can be configured via the NTC module using manual_provisioning_sso_users and manual_provisioning_sso_groups

Option B: External Identity Provider

Integrate with external SAML 2.0 identity providers like Microsoft Entra ID (Azure AD), Okta, or others.

When to use:

  • Organizations with existing identity providers
  • Need for centralized identity management
  • MFA and conditional access policies that must be enforced by the existing provider
  • User lifecycle management automation

Benefits:

  • Centralized user and group management
  • Reuse of existing user credentials and MFA policies; no second set of passwords to manage
  • Simplified user onboarding and offboarding
  • Consistent identity across all applications

Option C: Active Directory

Connect to Microsoft Active Directory via AWS Directory Service, either AWS Managed Microsoft AD or an on-premises domain reached through AD Connector.

When to use:

  • Organizations with on-premises Active Directory
  • Hybrid cloud environments
  • Need to maintain existing AD infrastructure

Requirements:

  • AWS Directory Service (AWS Managed Microsoft AD or AD Connector)
  • Network connectivity between AWS and on-premises AD
  • Proper DNS and security group configuration

Step 3a: Configure External Identity Provider (If Applicable)

If you chose an external identity provider, configure the SAML integration:

Microsoft Entra ID (Azure AD) Integration

  1. In Microsoft Entra ID:

    • Create a new Enterprise Application for AWS IAM Identity Center (from the gallery or as a custom SAML application)
    • Configure SAML single sign-on by importing the service provider metadata downloaded from Identity Center (Settings → Identity source → Change identity source → External identity provider)
    • Assign the users and groups that should be able to sign in, and download the federation metadata XML
  2. In AWS IAM Identity Center:

    • Choose "External identity provider" as your identity source
    • Upload the Entra ID federation metadata XML (or paste the sign-on URL, issuer and signing certificate)
    • Review and confirm the identity source change

Other SAML Providers

Similar configuration steps apply for other SAML 2.0 providers:

  • Configure a new SAML application in your identity provider
  • Exchange SAML metadata between AWS and your provider
  • Set up proper attribute mappings
  • Test the SAML authentication flow
Attribute Mappings

Ensure proper attribute mappings for the essential fields:

  • Subject (NameID): must match the username of the user in Identity Center exactly; derive it from the same source attribute (typically the user principal name or email address) that your provisioning uses for the username
  • Email: User's email address
  • FirstName: User's first name
  • LastName: User's last name

Identity Center uses the SAML assertion for authentication only. It does not read group membership from SAML attributes: groups and their members come from SCIM synchronization or from manual group management in Identity Center, so group-based assignments require one of those.
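
The Subject requirement above is the usual cause of "user not found" errors after a successful IdP login. The script below, an added example that is not part of the NTC module or of any AWS tooling, parses a SAML response captured from a browser trace, compares the NameID with the usernames Identity Center knows, and points out a groups attribute that Identity Center will ignore. The SAML response and the user list are constructed sample data; in practice the user list comes from `aws identitystore list-users --identity-store-id d-…`.

```python
"""Check a SAML assertion's Subject against Identity Center usernames.

Added example, not code from the NTC module or AWS. SAMPLE_ASSERTION and
IDENTITY_CENTER_USERS are constructed stand-ins for a captured SAML response
and the output of `identitystore list-users`.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed: a minimal SAML response as an Entra ID-style IdP would emit it
# (signature and conditions omitted; only the parts this check looks at).
SAMPLE_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>aws-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed: only the fields of a ListUsers result that matter here.
IDENTITY_CENTER_USERS = [
    {"UserName": "jane.doe@example.com", "UserId": "constructed-user-id-1"},
    {"UserName": "bob@example.com", "UserId": "constructed-user-id-2"},
]


def parse_subject(xml_text):
    """Return (NameID value, NameID format, attribute names) from a SAML response."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    attrs = [a.get("Name", "") for a in root.findall(".//saml:Attribute", NS)]
    return name_id.text.strip(), name_id.get("Format"), attrs


def check_subject(xml_text, users):
    """Explain whether Identity Center will find a user for this assertion."""
    name_id, _fmt, attrs = parse_subject(xml_text)
    usernames = {u["UserName"] for u in users}
    findings = []
    if name_id in usernames:
        findings.append(f"OK: NameID '{name_id}' matches an Identity Center username")
    else:
        near = sorted(u for u in usernames if u.lower() == name_id.lower())
        if near:
            findings.append(f"MISMATCH: NameID '{name_id}' differs only in case from "
                            f"'{near[0]}'; make the IdP emit the username exactly as stored")
        else:
            findings.append(f"MISMATCH: no Identity Center user named '{name_id}'; "
                            "check the IdP's NameID source and SCIM/manual provisioning")
    if any("groups" in a.lower() for a in attrs):
        findings.append("NOTE: a groups attribute is present but Identity Center ignores it; "
                        "group membership comes from SCIM or manual group management")
    return findings


if __name__ == "__main__":
    for line in check_subject(SAMPLE_ASSERTION, IDENTITY_CENTER_USERS):
        print(line)
```

Run it against a real trace by replacing SAMPLE_ASSERTION with the decoded SAMLResponse and IDENTITY_CENTER_USERS with the `Users` list from the CLI; the first finding tells you whether the NameID mapping or the provisioning side needs fixing.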

Step 3b: Configure Active Directory Integration (If Applicable)

For Active Directory integration:

Prerequisites

  • AWS Directory Service configured (AWS Managed Microsoft AD or AD Connector)
  • Network connectivity between your VPC and on-premises AD
  • Proper security groups and NACLs configured
  • DNS resolution working between AWS and on-premises

Configuration Steps

  1. In AWS IAM Identity Center:

    • Choose "Active Directory" as your identity source
    • Select your AWS Directory Service directory
    • Complete the identity source configuration
  2. Verify connectivity:

    • Test sign-in to the AWS access portal with an Active Directory user
    • Verify that synchronized groups and their memberships appear in Identity Center
    • Confirm that the user's email and name attributes are populated as expected

Step 4: Configure User and Group Synchronization (Optional but Recommended)

For external identity providers, configure SCIM (System for Cross-domain Identity Management) for automatic user and group synchronization:

Benefits of SCIM Synchronization

  • Automatic user provisioning: New users automatically appear in Identity Center
  • Lifecycle management: Disabled users are automatically deprovisioned
  • Group synchronization: Group memberships stay in sync

Configuration Steps

  1. In AWS IAM Identity Center:

    • Navigate to Settings → Identity source
    • Enable "Automatic provisioning"
    • Copy the SCIM endpoint URL and the access token; the token is displayed only once and expires one year after creation, so plan its rotation
  2. In your identity provider:

    • Configure SCIM provisioning to the AWS endpoint
    • Set up user and group synchronization
    • Test the synchronization process
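
To make the exchange behind these steps concrete, here is an added example (not code from the NTC module, from AWS, or from any identity provider) that simulates one provisioning cycle: the request body an IdP sends for a user, and a constructed stand-in for the Identity Center SCIM endpoint that checks the bearer token, enforces the required user attributes (userName, name.givenName, name.familyName, displayName, at most one email) and answers with the status codes you will see in the IdP's provisioning logs. The token and users are constructed.

```python
"""Simulated SCIM provisioning exchange against an Identity Center-style endpoint.

Added example, not code from the NTC module or AWS. ScimEndpoint is a constructed
in-memory stand-in for POST <SCIM endpoint>/Users; the token and users are made up.
"""
import json
import uuid

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def validate_scim_user(payload):
    """Return the problems Identity Center would reject this User resource for."""
    problems = []
    if SCIM_USER_SCHEMA not in payload.get("schemas", []):
        problems.append("schemas must include the core User schema")
    for attr in ("userName", "displayName"):
        if not payload.get(attr):
            problems.append(f"{attr} is required")
    name = payload.get("name") or {}
    for attr in ("givenName", "familyName"):
        if not name.get(attr):
            problems.append(f"name.{attr} is required")
    if len(payload.get("emails", [])) > 1:
        problems.append("only one email address is accepted per user")
    return problems


class ScimEndpoint:
    """In-memory stand-in for the Users resource of the SCIM endpoint."""

    def __init__(self, valid_token):
        self.valid_token = valid_token   # the access token generated in Identity Center
        self.users = {}                  # userName -> stored resource

    def create_user(self, headers, body):
        """Return (HTTP status, response body) for one provisioning request."""
        if headers.get("Authorization") != f"Bearer {self.valid_token}":
            # What the IdP sees once the token was rotated or has expired
            return 401, {"schemas": [SCIM_ERROR_SCHEMA], "status": "401",
                         "detail": "invalid or expired access token"}
        payload = json.loads(body)
        problems = validate_scim_user(payload)
        if problems:
            return 400, {"schemas": [SCIM_ERROR_SCHEMA], "status": "400",
                         "detail": "; ".join(problems)}
        if payload["userName"] in self.users:
            # Duplicate userName: typically a user created manually before SCIM was enabled
            return 409, {"schemas": [SCIM_ERROR_SCHEMA], "status": "409",
                         "detail": f"user {payload['userName']} already exists"}
        resource = dict(payload, id=str(uuid.uuid4()))
        self.users[payload["userName"]] = resource
        return 201, resource


def idp_user_payload(user_principal_name, given, family, external_id, active=True):
    """JSON body an IdP sends for one user with an Entra ID-style attribute mapping."""
    return json.dumps({
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": external_id,         # the IdP's object id, used for later updates
        "userName": user_principal_name,   # must equal the SAML NameID for sign-in to work
        "name": {"givenName": given, "familyName": family},
        "displayName": f"{given} {family}".strip(),
        "emails": [{"value": user_principal_name, "type": "work", "primary": True}],
        "active": active,
    })


def provision(endpoint, token, bodies):
    """Push a batch the way one IdP sync cycle would; returns the status codes."""
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/scim+json"}
    return [endpoint.create_user(headers, body)[0] for body in bodies]


if __name__ == "__main__":
    endpoint = ScimEndpoint("constructed-token")
    jane = idp_user_payload("jane.doe@example.com", "Jane", "Doe", "entra-obj-0001")
    print(provision(endpoint, "constructed-token", [jane, jane]))  # first created, second duplicate
    print(provision(endpoint, "old-rotated-token", [jane]))        # rejected token
```

The mapping from status code to action is what matters when reading provisioning logs: 401 means the token in the IdP no longer matches the one in Identity Center (regenerate and paste it again), 400 means an attribute mapping is missing or sends more than one email, and 409 means the user already exists and the IdP has to match it instead of creating it.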
SCIM Support

SCIM automatic provisioning is supported by major identity providers including:

  • Microsoft Entra ID (Azure AD)
  • Okta
  • PingIdentity
  • OneLogin
  • Google Workspace

Next Steps

Once all prerequisites are completed:

  1. Configure the NTC Identity Center module with your specific requirements
  2. Set is_automatic_provisioning_enabled based on your identity source choice:
    • true for external providers with SCIM
    • false for manual provisioning or Active Directory
  3. Define your permission sets according to your access requirements
  4. Configure account assignments using static assignments or dynamic mapping via NTC Account Factory account map
Integration with NTC Account Factory

For optimal results, integrate NTC Identity Center with NTC Account Factory to enable:

  • Dynamic account assignments based on account metadata
  • Consistent access patterns across account lifecycle
  • Automated permission inheritance for new accounts

Troubleshooting Common Issues

Identity Source Changes

  • Existing permission sets remain intact during identity source changes
  • Users may need to sign out and sign back in after changes
  • The identity provider's SAML signing certificate has an expiry date; upload the renewed certificate (or refreshed metadata) to Identity Center before the old one expires, otherwise federated sign-in fails

SCIM Synchronization Issues

  • Verify SCIM endpoint URL and access token are correct
  • Check identity provider logs for synchronization errors
  • Ensure user and group filters are properly configured

Active Directory Connectivity

  • Verify AWS Directory Service health status
  • Check security group and NACL rules for the directory traffic between the directory subnets and the domain controllers (at least DNS 53, Kerberos 88 and LDAP 389 over TCP and UDP, plus LDAPS 636 if you use it)
  • Confirm DNS resolution from AWS to on-premises AD
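
A quick way to test the connectivity prerequisites from Step 3b and this troubleshooting list is to run a reachability check from an instance in the directory's VPC subnets. The script below is an added example, not part of the NTC module or of AWS Directory Service; the hostnames are placeholders, and the loopback listener at the end exists only so the check can be exercised without a real domain controller.

```python
"""Reachability check for the TCP ports AWS Directory Service needs towards domain controllers.

Added example, not code from the NTC module or AWS. Run it from an instance in the
directory's VPC subnets. DC_HOSTS are placeholders; extend AD_TCP_PORTS from the
AWS Directory Service prerequisites for your directory type.
"""
import socket
import threading

# Core ports every AD integration needs on the TCP side (UDP counterparts are not probed here).
AD_TCP_PORTS = {53: "DNS", 88: "Kerberos", 389: "LDAP"}

# Placeholders for the on-premises domain controllers (assumption, not real hosts).
DC_HOSTS = ["dc1.corp.example.com", "dc2.corp.example.com"]


def check_tcp(host, port, timeout=3.0):
    """Return (reachable, detail) for one host/port; name resolution failures are reported, not raised."""
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror as exc:
        return False, f"{host}: DNS resolution failed ({exc})"
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True, f"{host}: connected to {addr[0]}:{port}"
    except OSError as exc:
        return False, f"{host}: {addr[0]}:{port} unreachable ({exc})"


def check_domain_controllers(hosts, ports=AD_TCP_PORTS, timeout=3.0):
    """Probe every host/port pair; returns {host: {port: (reachable, detail)}}."""
    return {h: {p: check_tcp(h, p, timeout) for p in ports} for h in hosts}


def all_reachable(results):
    """True when every probed port on every host accepted a connection."""
    return all(ok for per_host in results.values() for ok, _ in per_host.values())


def report(results, ports=AD_TCP_PORTS):
    """Human-readable lines, one per probe, with the service name from the port table."""
    return [f"[{'OK' if ok else 'FAIL'}] {ports.get(port, 'custom'):9s} {detail}"
            for per_host in results.values() for port, (ok, detail) in per_host.items()]


def start_local_listener():
    """Test fixture: a TCP listener on an ephemeral loopback port standing in for a DC."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_loopback_port():
    """Test fixture: a loopback port that is currently not listening."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for line in report(check_domain_controllers(DC_HOSTS)):
        print(line)
```

A FAIL on port 53 with a DNS resolution error points at the VPC resolver or conditional forwarder; a FAIL on 88 or 389 with a timeout points at security groups, NACLs or the on-premises firewall, while an immediate "connection refused" means the path is open but nothing listens on that DC.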

For additional support, refer to the AWS IAM Identity Center User Guide or contact your AWS support team.