AWS singlesignon documentation change
Summary
Added a note clarifying that attribute mapping configuration applies only when mapping from IAM Identity Center directory for session tags, and that directory values overwrite SAML assertions from external IdPs.
Security assessment
This change adds documentation about Attribute-Based Access Control (ABAC) configuration, which is a security feature for fine-grained access control. It clarifies behavior to prevent misconfigurations but does not address a specific security vulnerability or incident.
Diff
diff --git a/singlesignon/latest/userguide/configure-abac-attributes.md b/singlesignon/latest/userguide/configure-abac-attributes.md index 5e659b2c2..7d4cae83a 100644 --- a//singlesignon/latest/userguide/configure-abac-attributes.md +++ b//singlesignon/latest/userguide/configure-abac-attributes.md @@ -10,0 +11,4 @@ Use the following procedure to set up attributes for your ABAC configuration. +###### Note + +This procedure applies only when you want to map attributes from your IAM Identity Center directory for use as session tags. If you are passing attributes from an external identity provider (IdP) through SAML assertions, you do not need to configure attribute mappings here. For more information, see [Choosing attributes when using an external identity provider as your identity source](./attributesforaccesscontrol.html#abac-getting-started-idp). Values set in the mapping from the Identity Center directory overwrite values set in SAML assertions. +