support SSO/Identity store federated IdP operations #2294

Closed
1 of 2 tasks
tsanton opened this issue Sep 28, 2023 · 5 comments
Assignees
Labels
closed-for-staleness feature-request A feature should be added or improved. p3 This is a minor priority issue response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@tsanton

tsanton commented Sep 28, 2023

Describe the feature

I'm hoping it could be possible to implement SDK support for actions towards https://auth-control.<region>.prod.apps-auth.aws.a2z.com in order to facilitate for automatic configuration of federated authentication.

Use Case

Automate federated SSO setup with IaC

Proposed Solution

No response

Other Information

I see some calls made to https://sso.<region>amazonaws.com/control/ and https://up-sso.<region>.amazonaws.com/identitystore/ in order to get some status information.

I'd be happy to map out all the actions required in order to:

  • get sign-on, redirect and identity URIs
  • download the service provider metadata
  • upload the IdP metadata
  • upload the IdP token signing certificate
  • query the status of the SSO integration
  • Upload SCIM token
  • query status of SCIM

Note: I may be able to implement this feature if someone can help me with scaffolding the client configuration setup.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2 v1.21.0

Go version used

1.20

@tsanton tsanton added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 28, 2023
@RanVaknin
Contributor

Hi @tsanton,

I have to admit I'm a bit confused about your request here.

I'm hoping it could be possible to implement SDK support for actions towards https://auth-control.<region>.prod.apps-auth.aws.a2z.com

The *aws.a2z.com endpoints are AWS internal only endpoints meant for employees.

Automate federated SSO setup with IaC

The SDK is not considered an IaC product, so I'm not sure how this request ties to it.
We reviewed this feature request as a team, and the ask here was not clear to anyone.

If you can explain the use case in details, like what is the current behavior, and what problem you are trying to solve, that would be helpful to evaluate this request.

Thanks again,
Ran~

@RanVaknin RanVaknin self-assigned this Sep 28, 2023
@RanVaknin RanVaknin added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Sep 28, 2023
@tsanton
Author

tsanton commented Sep 29, 2023

Hi @RanVaknin and thanks for getting back to me so soon!

I'm aware that the SDK is not IaC, but I was hoping to be able to have these client(s) methods be implemented in the SDK in order to make the Terraform integration easier :)

To give you some insight into what I'm trying to do: I want to automate the Microsoft Entra SSO integration with AWS IAM Identity Center setup.

So far I'm halfway there: I have all the endpoint operations I need on the Azure side configured in a private Terraform provider. My next step is to find a way to perform the above listed operations against AWS (either (preferably) getting SDK support, or creating a separate client library to perform these actions). When I then have a client that performs these actions, I can either try to submit code to the official AWS TF provider, or create my own private provider ("awspatch" or something like that).

I was somewhat worried that the *aws.a2z.com were not intended for public usage as I've not seen any reference to that subdomain in any documentation. That didn't completely discourage me as I could not find any documentation for https://sso.<region>amazonaws.com/control/ either in the identity center docs.

I discovered these endpoints by function of inspecting network traffic when click-opsing the SSO setup in the AWS console.

I do not know what your policy is, but I'm assuming you won't provide any SDK support for *aws.a2z.com operations?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 30, 2023
@lucix-aws
Contributor

lucix-aws commented Oct 2, 2023

@tsanton --

Whether or not we are capable of supporting this depends on whether the steps in this workflow are doable through publicly available operations in the SDK. The AWS SDKs are generated from API models maintained by each service (you can see them in codegen/sdk-codegen/aws-models, they're updated automatically as part of the daily release).

I'm not familiar enough with the sso/cognito/iam space to know whether that's the case here. Given that you said you figured out the API calls happening through inspection of the web console, and that you saw calls made to *aws.a2z.com domains, I'd say it's highly likely that the console was making use of some internal APIs that we simply do not have access to in this space.

That said, it could still be possible to do through the SDKs, but again I'm not able to confirm.
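A way to check for yourself whether an operation you need is exposed through a public API model, as an added example that is not part of this issue or of the SDK's own code: parse a Smithy JSON AST file of the kind kept under codegen/sdk-codegen/aws-models and list every operation bound to the service shape. The model embedded below is constructed and abbreviated; its shape names are illustrative, not copied from a real model.

```python
import json

# Constructed, abbreviated Smithy JSON AST model (same layout as the files
# under codegen/sdk-codegen/aws-models; shape names are made up for this example).
SAMPLE_MODEL = json.dumps({
    "smithy": "2.0",
    "shapes": {
        "com.example.sso#ExampleService": {
            "type": "service",
            "version": "2019-06-10",
            "operations": [{"target": "com.example.sso#ListAccounts"}],
            "resources": [{"target": "com.example.sso#Instance"}],
        },
        "com.example.sso#Instance": {
            "type": "resource",
            "read": {"target": "com.example.sso#DescribeInstance"},
            "collectionOperations": [{"target": "com.example.sso#ListInstances"}],
        },
        "com.example.sso#ListAccounts": {
            "type": "operation",
            "traits": {"smithy.api#http": {"method": "GET", "uri": "/assignment/accounts"}},
        },
        "com.example.sso#DescribeInstance": {"type": "operation"},
        "com.example.sso#ListInstances": {"type": "operation"},
    },
})

LIFECYCLE_KEYS = ("create", "put", "read", "update", "delete", "list")


def _collect(shapes: dict, container: dict, out: set) -> None:
    """Gather operation shape IDs bound directly or via nested resources."""
    for ref in container.get("operations", []) + container.get("collectionOperations", []):
        out.add(ref["target"])
    for key in LIFECYCLE_KEYS:  # resource lifecycle bindings are single refs
        if key in container:
            out.add(container[key]["target"])
    for ref in container.get("resources", []):
        _collect(shapes, shapes[ref["target"]], out)


def list_operations(model_json: str) -> dict:
    """Return {operation name: (HTTP method, URI)}; None when no http trait is present."""
    shapes = json.loads(model_json)["shapes"]
    bound: set = set()
    for shape in shapes.values():
        if shape.get("type") == "service":
            _collect(shapes, shape, bound)
    result = {}
    for shape_id in sorted(bound):
        http = shapes.get(shape_id, {}).get("traits", {}).get("smithy.api#http")
        result[shape_id.split("#", 1)[1]] = (http["method"], http["uri"]) if http else None
    return result


def has_operation(model_json: str, name: str) -> bool:
    return name in list_operations(model_json)
```

Run it against a real model file from the repository to see whether an operation such as a metadata upload appears; if it is absent from every public model, the SDK cannot generate a client for it.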

@lucix-aws lucix-aws added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 2, 2023
@github-actions

github-actions bot commented Oct 5, 2023

This issue has not received a response in 1 week. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Oct 5, 2023
@lucix-aws lucix-aws closed this as not planned Won't fix, can't repro, duplicate, stale Oct 18, 2023
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
