AWS quick documentation change
Summary
Removed Step 2 (Create Trusted Token Issuer in IAM Identity Center) and streamlined setup process from 4 steps to 3 steps. Updated authentication flow to remove IAM Identity Center-specific requirements and references.
Security assessment
The changes simplify the enterprise sign-in process by eliminating IAM Identity Center-specific steps, but there's no evidence of a security vulnerability being addressed. The modifications focus on procedural simplification rather than patching security flaws or weaknesses. The authentication still uses OIDC protocol with email matching.
Diff
diff --git a/quick/latest/userguide/desktop-enterprise-setup.md b/quick/latest/userguide/desktop-enterprise-setup.md index cc57b8e2b..de277a482 100644 --- a//quick/latest/userguide/desktop-enterprise-setup.md +++ b//quick/latest/userguide/desktop-enterprise-setup.md @@ -7 +7 @@ -How enterprise sign-in worksPrerequisitesStep 1: Create an OIDC application in your identity providerStep 2: Create a Trusted Token Issuer in IAM Identity CenterStep 3: Configure the extension access in the Amazon Quick management consoleStep 4: Download and distribute the desktop applicationTroubleshooting +How enterprise sign-in worksPrerequisitesStep 1: Create an OIDC application in your identity providerStep 2: Configure the extension access in the Amazon Quick management consoleStep 3: Download and distribute the desktop applicationTroubleshooting @@ -27 +27 @@ The setup involves the following steps, in order: - 2. Create a Trusted Token Issuer (TTI) in IAM Identity Center (only required for accounts that use IAM Identity Center for authentication). + 2. Configure the extension access in the Amazon Quick management console. @@ -29,3 +29 @@ The setup involves the following steps, in order: - 3. Configure the extension access in the Amazon Quick management console. - - 4. Distribute the desktop application to your users. + 3. Distribute the desktop application to your users. @@ -42 +40 @@ The Amazon Quick desktop application uses the OIDC protocol to authenticate user -Amazon Quick validates the token and maps the user to an identity in your account. For accounts that use IAM Identity Center, the TTI maps the `email` claim in the OIDC token to the `emails.value` attribute in the identity store. For accounts that use IAM federation, Amazon Quick maps the user by email directly. In both cases, the email address in your IdP must exactly match the email address of the user in Amazon Quick. +Amazon Quick validates the token and maps the user to an identity in your account. The email address in your IdP must exactly match the email address of the user in Amazon Quick. @@ -48 +46 @@ Before you begin, verify that you have the following: - * An AWS account with an active Amazon Quick subscription that uses IAM Identity Center or IAM federation for authentication. The Amazon Quick account's home region (identity region) must be US East (N. Virginia) (us-east-1). + * An AWS account with an active Amazon Quick subscription. The Amazon Quick account's home region (identity region) must be US East (N. Virginia) (us-east-1). @@ -307,73 +305 @@ JWKS URI | `https://auth.pingone.com/<ENV_ID>/as/jwks` -## Step 2: Create a Trusted Token Issuer in IAM Identity Center - -###### Note - -This step is only required if your Amazon Quick account uses AWS Identity and Access Management Identity Center for authentication. If your account uses IAM federation, skip this step and proceed to Step 3. - -The TTI tells IAM Identity Center to trust tokens from your IdP and how to map them to IAM Identity Center users. You can create the TTI in the AWS Identity and Access Management Identity Center console or with the AWS CLI. - -For more information, see [Setting up a trusted token issuer](https://docs.aws.amazon.com/singlesignon/latest/userguide/setuptrustedtokenissuer.html) in the _AWS Identity and Access Management Identity Center User Guide_. - -###### To create the TTI in the IAM Identity Center console - - 1. Open the [AWS Identity and Access Management Identity Center console](https://console.aws.amazon.com/singlesignon). - - 2. Choose **Settings**. - - 3. On the **Settings** page, choose the **Authentication** tab. - - 4. Under **Trusted token issuers** , choose **Create trusted token issuer**. - - 5. On the **Set up an external IdP to issue trusted tokens** page, under **Trusted token issuer details** , configure the following: - -Field | Value ----|--- -Issuer URL | The OIDC issuer URL from Step 1 (see table below) -Trusted token issuer name | `AmazonQuickDesktop` - - 6. Under **Map attributes** , configure the attribute mapping that IAM Identity Center uses to look up users: - -Field | Value ----|--- -Identity provider attribute | The claim in the IdP token that identifies the user (for example, `email`) -IAM Identity Center attribute | The corresponding attribute in the IAM Identity Center identity store (for example, `emails.value`) - -###### Important - -The identity provider attribute must match a claim that your IdP includes in the token, and the IAM Identity Center attribute must uniquely identify the user in your identity store. The most common mapping is `email` → `emails.value`, but your organization may use a different attribute such as `sub` or a custom claim. The value in the token claim must exactly match the value of the corresponding attribute in IAM Identity Center. - - 7. Choose **Create trusted token issuer**. - - 8. Note the **Trusted token issuer ARN**. You need it in the next step. - - - - -Alternatively, to create the TTI with the AWS CLI, run the following command. Replace `<IDC_INSTANCE_ARN>` with your IAM Identity Center instance Amazon Resource Name (ARN) and `<ISSUER_URL>` with the issuer URL from Step 1. - - - aws sso-admin create-trusted-token-issuer \ - --instance-arn <IDC_INSTANCE_ARN> \ - --name "AmazonQuickDesktop" \ - --trusted-token-issuer-type OIDC_JWT \ - --trusted-token-issuer-configuration '{ - "OidcJwtConfiguration": { - "IssuerUrl": "<ISSUER_URL>", - "ClaimAttributePath": "email", - "IdentityStoreAttributePath": "emails.value", - "JwksRetrievalOption": "OPEN_ID_DISCOVERY" - } - }' - -Note the `TrustedTokenIssuerArn` from the output. You need it in the next step. - -The following table lists the issuer URL for each identity provider. - -Identity provider | Issuer URL ----|--- -Microsoft Entra ID | `https://login.microsoftonline.com/<TENANT_ID>/v2.0` -Okta | `https://<OKTA_DOMAIN>/oauth2/default` -PingFederate | `https://<PINGFEDERATE_HOST>` -PingOne | `https://auth.pingone.com/<ENV_ID>/as` - -## Step 3: Configure the extension access in the Amazon Quick management console +## Step 2: Configure the extension access in the Amazon Quick management console @@ -389,10 +315 @@ PingOne | `https://auth.pingone.com/<ENV_ID>/as` - 4. (Optional) If your account uses IAM Identity Center, the **Trusted Token Issuer Setup** step appears. Enter the following: - -Field | Value ----|--- -Trusted Token Issuer ARN | The `TrustedTokenIssuerArn` from Step 2 -Aud claim | The Client ID from Step 1 - -This step does not appear for accounts that use IAM federation. - - 5. Select the **Desktop application for Quick** extension and choose **Next**. + 4. Select the **Desktop application for Quick** extension and choose **Next**. @@ -400 +317 @@ This step does not appear for accounts that use IAM federation. - 6. Enter the Amazon Quick extension details: + 5. Enter the Amazon Quick extension details: @@ -412 +329 @@ Client ID | The OIDC client identifier from Step 1 - 7. Choose **Add**. + 6. Choose **Add**. @@ -434 +351 @@ Verify that all values are correct before choosing **Add**. The extension access -## Step 4: Download and distribute the desktop application +## Step 3: Download and distribute the desktop application @@ -438 +355 @@ After you configure enterprise sign-in, verify the setup by downloading and inst -If the sign-in fails, verify the values you entered in Step 3 against the OIDC endpoints from Step 1. If any value is incorrect, delete the extension access under **Permissions → Extension access** , and repeat Step 3 with the correct values. +If the sign-in fails, verify the values you entered in Step 2 against the OIDC endpoints from Step 1. If any value is incorrect, delete the extension access under **Permissions → Extension access** , and repeat Step 2 with the correct values. @@ -452 +369 @@ User not found after sign-in -The email in the IdP token must exactly match the email of a user in IAM Identity Center. Verify that the user is provisioned and that the email addresses are identical in both systems. +The email in the IdP token must exactly match the email of a user in Amazon Quick. Verify that the user is provisioned and that the email addresses are identical in both systems. @@ -457 +374 @@ Token validation failure -Verify that the issuer URL in the TTI matches the issuer URL in your IdP's OIDC configuration exactly. +Verify that the issuer URL in the extension access configuration matches the issuer URL in your IdP's OIDC configuration exactly.