AWS singlesignon documentation change
Summary
Changed attribute precedence from SAML to SCIM attributes in access control decisions
Security assessment
This clarifies that SCIM attributes now take precedence over SAML attributes in access control policies. While this impacts access control logic, there is no explicit mention of a security vulnerability being fixed. The change improves documentation accuracy for secure policy configuration.
Diff
diff --git a/singlesignon/latest/userguide/attributesforaccesscontrol.md b/singlesignon/latest/userguide/attributesforaccesscontrol.md index d8446fcff..99d52c36a 100644 --- a//singlesignon/latest/userguide/attributesforaccesscontrol.md +++ b//singlesignon/latest/userguide/attributesforaccesscontrol.md @@ -33 +33 @@ When you configure IAM Identity Center with an external identity provider (IdP) -Attributes in SAML assertions will not be visible to you on the **Attributes for access control** page. You will have to know these attributes in advance and add them to access control rules when you author policies. If you decide to trust your external IdPs for attributes, then these attributes will always be passed when users federate into AWS accounts. In scenarios where the same attributes are coming to IAM Identity Center through SAML and SCIM, the SAML attributes value take precedence in access control decisions. +Attributes in SAML assertions will not be visible to you on the **Attributes for access control** page. You will have to know these attributes in advance and add them to access control rules when you author policies. If you decide to trust your external IdPs for attributes, then these attributes will always be passed when users federate into AWS accounts. In scenarios where the same attributes are coming to IAM Identity Center through SAML and SCIM, the SCIM attributes value take precedence in access control decisions.