AWS Security ChangesHomeSearch

AWS transform documentation change

Service: transform · 2025-12-07 · Documentation low

File: transform/latest/userguide/getting-started.md

Summary

Removed detailed documentation about third-party identity provider integration and replaced with link to external setup page. Simplified navigation structure by eliminating standalone IdP configuration section.

Security assessment

The changes remove implementation details about security-sensitive topics (client secret storage, user identifier handling, encryption) but do not indicate any vulnerability being fixed. This appears to be documentation reorganization rather than addressing a security issue. The security-related content removal could reduce visibility of security practices, but there's no evidence of an active security problem being resolved.

Diff

diff --git a/transform/latest/userguide/getting-started.md b/transform/latest/userguide/getting-started.md
index 8f086e692..520716195 100644
--- a//transform/latest/userguide/getting-started.md
+++ b//transform/latest/userguide/getting-started.md
@@ -5 +5 @@
-Using third-party identity providersEnable AWS TransformQuick start: Trying AWS Transform
+Enable AWS TransformQuick start: Trying AWS Transform
@@ -13,2 +12,0 @@ Using third-party identity providersEnable AWS TransformQuick start: Trying AWS
-  * Using third-party identity providers
-
@@ -26,105 +23,0 @@ Using third-party identity providersEnable AWS TransformQuick start: Trying AWS
-## Using third-party identity providers
-
-AWS Transform supports integration with third-party identity providers (IdPs) such as Azure Active Directory (Entra ID) and Okta Workforce Identity. This allows you to use your existing identity management system for user authentication.
-
-### Prerequisites
-
-Before configuring third-party identity provider integration, ensure that users in your identity provider have name, email, and username attributes configured
-
-### Stored Information
-
-When you use AWS Transform with IdPs, AWS stores minimal user information that is encrypted and secured:
-
-Stored User Information
-    
-
-AWS Transform stores basic user profile information upon first login, including display name, email address, username (preferred_username), and a unique user identifier. This information is encrypted using either a customer-owned KMS key or a service-owned key, depending on the customer's AWS Transform profile configuration. The data is stored in AWS Transform's authentication database and is only collected during the initial login session. This populates the search results when inviting other users to a workspace.
-
-Data Lifecycle
-    
-
-User information is stored only for users who have logged in to the AWS Transform web app at least once, and may become stale if users update their information in their identity provider without logging back into AWS Transform. All stored user information is deleted when the AWS Transform profile is deleted.
-
-Client Secret Storage
-    
-
-The client secret provided during setup is stored using AWS Secrets Manager via a Service Linked Secret (SLS) in your account.
-
-### User Identifier Handling
-
-Entra
-    
-
-Uses the "oid" (object identifier) claim as the unique user identifier, which is immutable and uniquely identifies users across the Microsoft tenant. This value is visible to customers in the Entra console and appears in CloudTrail logs.
-
-Okta Workforce Identity
-    
-
-Uses different claims for user identification depending on token type - the "sub" claim in ID tokens and the "uid" claim in Access tokens. AWS Transform validates that both claims contain the same value during authentication. This value is visible to customers in the Okta console and appears in CloudTrail logs.
-
-### Setting up Azure Active Directory (Entra ID)
-
-To configure Azure Active Directory integration with AWS Transform:
-
-  1. Navigate to the Azure portal and select **Azure Active Directory**.
-
-  2. In the left navigation pane, choose **Manage** > **App registrations**.
-
-  3. Choose **\+ New registration**.
-
-  4. Enter an application name, choose your supported account type, leave the redirect URI blank, and choose **Register**.
-
-  5. In the left navigation, choose **Manage** > **Manifest**.
-
-  6. Update `requestedAccessTokenVersion` from `null` to `2` and choose **Save**.
-
-  7. Choose **Manage** > **Expose an API** and choose **Add a scope**.
-
-  8. Create an Application ID URI using the default structure `api://<client-id>`.
-
-  9. Add the scope `transform:read_write`.
-
-  10. Choose **Add a certificate or secret** and create a new client secret. Save this value as it's needed for profile creation.
-
-  11. Find the Issuer URL by choosing **Endpoints** and selecting the OpenID Connect metadata document. The "issuer" field in the metadata is your Issuer URL.
-
-  12. Create a profile in the AWS Transform console using the Client ID, Client Secret, and Issuer URL.
-
-  13. After profile creation, add a redirect URI by choosing **Add a platform** , selecting **Web** , and entering `<web-application-url>/login/callback`.
-
-
-
-
-### Setting up Okta Workforce Identity
-
-To configure Okta Workforce Identity integration with AWS Transform:
-
-  1. Navigate to your Okta Workforce Identity console.
-
-  2. Choose **Applications** > **Applications** and select **Create App Integration**.
-
-  3. Select **OIDC - OpenID Connect** and **Web Application** , then choose **Next**.
-
-  4. Name your application, leave the Grant Type as _Authorization Code_ , leave redirect URIs blank, configure user assignments, and choose **Save**.
-
-  5. Navigate to the **Sign On** tab and set the Issuer to **Okta URL** instead of Dynamic.
-
-  6. Copy the Client ID and configure it as the Audience for your Authorization Server by going to **Security** > **API** and adding an Authorization Server.
-
-  7. In the Authorization Server, add the scope `transform:read_write` under the **Scopes** tab.
-
-  8. Add an Access Policy that allows the OIDC Application to use this Authorization Server and configure a rule for the policy.
-
-  9. On the Authorization Server Settings page, note the Issuer URL for profile creation in AWS Transform.
-
-  10. Create a profile in AWS Transform using the Issuer URL, Client ID, and Client Secret from the application settings.
-
-  11. After profile creation, add `<web-application-url>/login/callback` as a redirect URL in the application's General tab.
-
-###### Note
-
-If you would like to be redirected back to the AWS Transform webapp after logout, you’ll need to configure your web application URL as a trusted origin under **Security** > **API**.
-
-
-
-
@@ -143 +36 @@ To enable AWS Transform:
-  5. Optional: configure IAM Identity Center. You will also be able to choose to use a third-party identity provider (IdP) in a later step.
+  5. Optional: configure IAM Identity Center. You will also be able to choose to use a [third-party identity provider (IdP)](./transform-setup.html#transform-third-party-identity) in a later step.
@@ -159 +52 @@ You can access the **Users** , **Settings** , and **Connectors** tabs at any tim
-  10. Configure User access by choosing an identity provider, either IAM Identity Center or a third-party identity provider (IdP).
+  10. Configure User access by choosing an identity provider, either IAM Identity Center or a [third-party identity provider (IdP)](./transform-setup.html#transform-third-party-identity).