How to secure AWS IAM Identity Center

License requirements

AWS IAM Identity Center is available at no extra cost in all AWS accounts. To use an external identity provider you need to change the identity source, which requires appropriate IAM permissions.

AWS IAM Identity Center (formerly AWS SSO) supports SAML 2.0 external identity providers. By placing XFA between AWS and your identity provider, every login attempt is checked for device security before access is granted.

When a user signs in to AWS, the following happens:

  1. AWS → XFA → your IdP: AWS redirects the user to XFA, which immediately redirects to your identity provider (e.g. Google Workspace) to authenticate. The Entity ID configured in your IdP is the one for AWS — it identifies what the user is authenticating for.
  2. Your IdP → XFA: After authentication, the identity provider sends the user back to the ACS URL, which points to XFA instead of directly to AWS.
  3. XFA verifies the device: XFA checks the security posture of the device against your policy.
  4. XFA → AWS: If the device passes, XFA forwards the authentication to AWS using the application's real ACS URL and access is granted.

This guide will describe all steps needed to set this up.

Note: This article assumes that you have an account set up with XFA for your organization and you are an admin for that organization. If you do not have an account, you can create one at https://dashboard.xfa.tech/signup.

Configure AWS IAM Identity Center in your identity provider

Use our specific identity provider guides to learn how to set up an application with the settings below.

SAML Application Settings in IDP

Entity ID: https://<region>.signin.aws.amazon.com/platform/saml/<directory-id>
ACS URL / Redirect URL: https://device-api.xfa.tech/saml2/consume
Signed Response: false

Warning: The ACS URL / Redirect URL is different from the standard AWS IAM Identity Center configuration. XFA intercepts the SAML assertion to verify device security before forwarding it to AWS.

Creating an application in XFA

A guide on how to create an application in XFA can be found here.

Settings to use in XFA

Assertion Consumer Service URL: https://<region>.signin.aws.amazon.com/platform/saml/acs/<instance-id>
SSO URL: (provided by identity provider)
Entity ID: (provided by identity provider)
Certificate: (provided by identity provider)

Copy the SSO URL, Entity ID and Certificate from the XFA application settings — you will need these when configuring AWS IAM Identity Center.

Configure AWS IAM Identity Center to use XFA

1. Open the IAM Identity Center console

Navigate to the IAM Identity Center console and make sure you are in the correct AWS region.

2. Go to Settings and select the Identity source tab

3. Select Actions > Change identity source

4. Choose External identity provider and click Next

5. Copy the IAM Identity Center values

On this screen, AWS shows the service provider metadata. Copy these values — you will need the Issuer URL (Entity ID) and the ACS URL for the identity provider and XFA configuration above.

IAM Identity Center values

AWS access portal sign-in URL: https://<your-subdomain>.awsapps.com/start
ACS URL: https://<region>.signin.aws.amazon.com/platform/saml/acs/<instance-id>
Issuer URL: https://<region>.signin.aws.amazon.com/platform/saml/<directory-id>

6. Enter the XFA application details

On the same screen, enter the identity provider details from your XFA application:

Settings to use in AWS

IdP sign-in URL: (SSO URL from XFA application)
IdP issuer URL: (Entity ID from XFA application)
IdP certificate: (Certificate from XFA application)

Warning: From AWS's perspective, XFA is the identity provider. Enter XFA's details here, not your identity provider's details directly.

7. Type ACCEPT to confirm the change and save the identity source

Note: If you are migrating from a different identity source, make sure you have XFA fully configured before confirming: changing identity sources will require you to reassign users and groups.

Test the connection

Use your AWS access portal sign-in URL to test the login flow. You should be redirected to your identity provider to authenticate, then back to XFA where your device security is verified, and finally back to AWS where access is granted.
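If the test login fails, the quickest diagnosis is to look at the SAMLResponse your identity provider posts in step 2 of the flow described above and confirm it carries the two values this guide configures in the IdP: the Destination must be XFA's ACS URL and the Audience must be the AWS Entity ID. The following checker is an added example, not XFA or AWS code; the region, directory and instance ids, the IdP issuer and the sample response are constructed placeholders.

```python
import base64
from xml.etree import ElementTree as ET

# XML namespaces used by SAML 2.0 protocol and assertion elements.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders: use the Issuer URL and ACS URL shown in your
# IAM Identity Center console (the <region>/<directory-id>/<instance-id> values).
AWS_ENTITY_ID = "https://us-east-1.signin.aws.amazon.com/platform/saml/EXAMPLE-DIRECTORY-ID"
AWS_REAL_ACS_URL = "https://us-east-1.signin.aws.amazon.com/platform/saml/acs/EXAMPLE-INSTANCE-ID"
XFA_ACS_URL = "https://device-api.xfa.tech/saml2/consume"


def check_saml_response(saml_response_b64, expected_audience=AWS_ENTITY_ID,
                        expected_destination=XFA_ACS_URL):
    """Decode a SAMLResponse form value and compare the fields controlled by the
    IdP application settings: Destination must be XFA's ACS URL (step 2) and the
    assertion Audience must be the AWS Entity ID (step 1)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    destination = root.get("Destination")
    audience_el = root.find(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    audience = audience_el.text.strip() if audience_el is not None and audience_el.text else None
    return {"destination": destination, "audience": audience,
            "destination_ok": destination == expected_destination,
            "audience_ok": audience == expected_audience}


def make_sample_response(destination, audience):
    """Build a constructed, unsigned, minimal SAML response for exercising the check.
    Real responses are signed and contain many more elements; only the fields the
    check reads are included here."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
           f'Destination="{destination}">'
           '<saml:Issuer>https://idp.example.com/saml</saml:Issuer>'
           '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
           '<saml:Conditions><saml:AudienceRestriction>'
           f'<saml:Audience>{audience}</saml:Audience>'
           '</saml:AudienceRestriction></saml:Conditions>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # Correct setup: the IdP posts to XFA and the assertion is scoped to AWS.
    print(check_saml_response(make_sample_response(XFA_ACS_URL, AWS_ENTITY_ID)))
    # IdP still pointed at AWS's own ACS URL, so XFA never sees the assertion.
    print(check_saml_response(make_sample_response(AWS_REAL_ACS_URL, AWS_ENTITY_ID)))
```

A `destination_ok` of False with the AWS ACS URL in `destination` means the IdP application was left with the standard AWS ACS URL instead of XFA's, which is the warning in the IdP settings section above.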

Demo

See the AWS IAM Identity Center demo for a video walkthrough of the full login flow with Google Workspace as the identity provider.