AWS Security ChangesHomeSearch

AWS singlesignon documentation change

Service: singlesignon · 2025-08-13 · Documentation low

File: singlesignon/latest/userguide/manage-your-identity-source-considerations.md

Summary

Updated documentation with minor grammatical corrections, link updates to session management guides, and consistency improvements in wording (e.g., 'won't' to 'will not', 'you're' to 'you are'). Added clarity about session revocation behavior when changing identity sources.

Security assessment

The changes primarily involve grammatical improvements and documentation link updates. While the content discusses session management and access revocation, there is no evidence of addressing a newly discovered vulnerability or security incident. The updates clarify existing security practices rather than introducing new security features or mitigations.

Diff

diff --git a/singlesignon/latest/userguide/manage-your-identity-source-considerations.md b/singlesignon/latest/userguide/manage-your-identity-source-considerations.md
index d8548be5d..8701d8fe6 100644
--- a//singlesignon/latest/userguide/manage-your-identity-source-considerations.md
+++ b//singlesignon/latest/userguide/manage-your-identity-source-considerations.md
@@ -11 +11 @@ Although you can change your identity source at any time, we recommend that you
-If you're already managing users and groups in one identity source, changing to a different identity source might remove all user and group assignments that you configured in IAM Identity Center. If this occurs, all users, including the administrative user in IAM Identity Center, will lose single sign-on access to their AWS accounts and applications.
+If you are already managing users and groups in one identity source, changing to a different identity source might remove all user and group assignments that you configured in IAM Identity Center. If this occurs, all users, including the administrative user in IAM Identity Center, will lose single sign-on access to their AWS accounts and applications.
@@ -17 +17 @@ Before you change the identity source for IAM Identity Center, review the follow
-If you're already managing users and groups in Active Directory, we recommend that you consider connecting your directory when you enable IAM Identity Center and choose your identity source. Do this before you create any users and groups in the default Identity Center directory and make any assignments. 
+If you are already managing users and groups in Active Directory, we recommend that you consider connecting your directory when you enable IAM Identity Center and choose your identity source. Do this before you create any users and groups in the default Identity Center directory and make any assignments. 
@@ -19 +19 @@ If you're already managing users and groups in Active Directory, we recommend th
-If you're already managing users and groups in the default Identity Center directory, consider the following:
+If you are already managing users and groups in the default Identity Center directory, consider the following:
@@ -44 +44 @@ If you change your identity source from IAM Identity Center to an external ident
-  * No outbound synchronization – IAM Identity Center doesn't support outbound synchronization, so your external IdP won't automatically update with changes to users and groups that you make in IAM Identity Center. 
+  * No outbound synchronization – IAM Identity Center doesn't support outbound synchronization, so your external IdP will not automatically update with changes to users and groups that you make in IAM Identity Center. 
@@ -50 +50 @@ If you change your identity source from IAM Identity Center to an external ident
-  * Existing user sessions are revoked on session duration expiry – Once you change your identity source to an external identity provider, active user sessions persist for the remainder of the maximum session duration configured in the console. For example, if the AWS access portal session duration is set to eight hours, and you changed the identity source in the fourth hour, active user sessions persist for an additional four hours. To revoke user sessions, see [Delete active user sessions for the AWS access portal and AWS integrated applications](./delete-user-session.html).
+  * Existing user sessions are revoked on session duration expiry – Once you change your identity source to an external identity provider, active user sessions persist for the remainder of the maximum session duration configured in the console. For example, if the AWS access portal session duration is set to eight hours, and you changed the identity source in the fourth hour, active user sessions persist for an additional four hours. To revoke user sessions, see [View and end active sessions for your workforce users](./end-active-sessions.html).
@@ -52 +52 @@ If you change your identity source from IAM Identity Center to an external ident
-    * If users are deleted or disabled in the IAM Identity Center console using Identity Store APIs, users with active sessions can continue to access integrated applications and accounts. For information about authentication session duration and user behavior, see [Authentication in IAM Identity Center](./authconcept.html).
+If users are deleted or disabled in the IAM Identity Center console using Identity Store APIs, users with active sessions can continue to access integrated applications and accounts. For information about authentication session duration and user behavior, see [Authentication in IAM Identity Center](./authconcept.html).
@@ -56 +56 @@ If you change your identity source from IAM Identity Center to an external ident
-You won't be able to revoke user sessions from the IAM Identity Center console after you've deleted the user.
+You cannot revoke user sessions from the IAM Identity Center console after you've deleted the user.
@@ -71 +71 @@ If you change your identity source from an external identity provider (IdP) to I
-  * Existing user sessions are revoked on session duration expiry – Once you change your identity source to IAM Identity Center, active user sessions persist for the remaining duration of the maximum session duration configured in the console. For example, if the AWS access portal session duration is eight hours, and you changed the identity source at fourth hour, active user sessions continue to run for an additional four hours. To revoke user sessions, see [Delete active user sessions for the AWS access portal and AWS integrated applications](./delete-user-session.html). 
+  * Existing user sessions are revoked on session duration expiry – Once you change your identity source to IAM Identity Center, active user sessions persist for the remaining duration of the maximum session duration configured in the console. For example, if the AWS access portal session duration is eight hours, and you changed the identity source at the fourth hour, active user sessions continue to run for an additional four hours. To revoke user sessions, see [View and end active sessions for your workforce users](./end-active-sessions.html). 
@@ -73 +73 @@ If you change your identity source from an external identity provider (IdP) to I
-    * If users are deleted or disabled in the IAM Identity Center console using Identity Store APIs, users with active sessions can continue to access integrated applications and accounts. For information about authentication session duration and user behavior, see [Authentication in IAM Identity Center](./authconcept.html).
+If users are deleted or disabled in the IAM Identity Center console using Identity Store APIs, users with active sessions can continue to access integrated applications and accounts. For information about authentication session duration and user behavior, see [Authentication in IAM Identity Center](./authconcept.html).
@@ -77 +77 @@ If you change your identity source from an external identity provider (IdP) to I
-You won't be able to revoke user sessions from the IAM Identity Center console after you've deleted the user.
+You will not be able to revoke user sessions from the IAM Identity Center console after you've deleted the user.
@@ -86 +86 @@ For information about how IAM Identity Center provisions users and groups, see [
-If you're already using an external IdP as your identity source for IAM Identity Center and you change to a different external IdP, consider the following:
+If you are already using an external IdP as your identity source for IAM Identity Center and you change to a different external IdP, consider the following:
@@ -94 +94 @@ These assertions must match the user names in IAM Identity Center when your user
-  * Existing user sessions are revoked on session duration expiry – Once you change your identity source to different external identity provider, active user sessions persist for the remaining duration of the maximum session duration configured in the console. For example, if the AWS access portal session duration is eight hours, and you changed the identity source at fourth hour, active user sessions persist for an additional four hours. To revoke user sessions, see [Delete active user sessions for the AWS access portal and AWS integrated applications](./delete-user-session.html). 
+  * Existing user sessions are revoked on session duration expiry – Once you change your identity source to different external identity provider, active user sessions persist for the remaining duration of the maximum session duration configured in the console. For example, if the AWS access portal session duration is eight hours, and you changed the identity source at the fourth hour, active user sessions persist for an additional four hours. To revoke user sessions, see [View and end active sessions for your workforce users](./end-active-sessions.html). 
@@ -96 +96 @@ These assertions must match the user names in IAM Identity Center when your user
-    * If users are deleted or disabled in the IAM Identity Center console using Identity Store APIs, users with active sessions can continue to access integrated applications and accounts. For information about authentication session duration and user behavior, see [Authentication in IAM Identity Center](./authconcept.html).
+If users are deleted or disabled in the IAM Identity Center console using Identity Store APIs, users with active sessions can continue to access integrated applications and accounts. For information about authentication session duration and user behavior, see [Authentication in IAM Identity Center](./authconcept.html).
@@ -100 +100 @@ These assertions must match the user names in IAM Identity Center when your user
-You won't be able to revoke user sessions from the IAM Identity Center console after you've deleted the user.
+You cannot revoke user sessions from the IAM Identity Center console after you've deleted the user.