AWS singlesignon documentation change
Summary
Updated documentation to include CLI command references and clarify email verification process for passwordless users. Added details about verification email workflow and updated UI instruction references.
Security assessment
The changes clarify security-related authentication workflows (OTP via email and password setup process) but do not indicate a specific security vulnerability being addressed. The updates enhance documentation of existing security features.
Diff
diff --git a/singlesignon/latest/userguide/userswithoutpwd.md b/singlesignon/latest/userguide/userswithoutpwd.md index 3242ac878..a32e92339 100644 --- a//singlesignon/latest/userguide/userswithoutpwd.md +++ b//singlesignon/latest/userguide/userswithoutpwd.md @@ -5 +5 @@ -# Email one-time password to users created with API +# Email one-time password to users created with API or CLI @@ -7 +7 @@ -When you create users with the [CreateUser](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html) API operation, they don't have passwords. +When you create users with the [CreateUser](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html) API operation or the `create-user` CLI command, the users don't have passwords. You can update the settings in IAM Identity Center to send these users a verification email after their first attempt to sign in, if you’ve specified an email for the user when they were created. After receiving the verification email, the user must set a password to sign in. @@ -9 +9 @@ When you create users with the [CreateUser](https://docs.aws.amazon.com/singlesi -You can choose to send users created with the CreateUser API an email with a one-time password (OTP) after their first attempt to sign in, if you’ve specified an email for the user when they were created. After receiving the email OTP, when a user signs in, they must set a new password. If you don’t enable this setting, then you must [generate a one-time password and share](./reset-password-for-user.html) with users that you create using the CreateUser API. +If you don’t enable this setting, you must [generate a one-time password](./reset-password-for-user.html) and share it with users that you create using the CreateUser API or `create-user` CLI command. @@ -11 +11 @@ You can choose to send users created with the CreateUser API an email with a one -###### To send an email OTP to users created with the CreateUser API +###### To send an email address verification email to users created with the CreateUser API or `create-user` CLI command @@ -21 +21 @@ You can choose to send users created with the CreateUser API an email with a one - 5. A dialog box appears. Check the box next to **Send email OTP**. Then, choose **Save**. The status updates from **Disabled** to **Enabled**. + 5. In the **Configure standard authentication** dialog box, select the **Send email OTP** check box. Then, choose **Save**. The status updates from **Disabled** to **Enabled**.