AWS IAM Identity Center

Mandaitor integrates with AWS IAM Identity Center (formerly AWS SSO) for customers who manage workforce identity through AWS. This is particularly relevant since Mandaitor itself runs on AWS.

When to Use AWS IAM Identity Center

  • Organizations using AWS IAM Identity Center as their workforce identity provider
  • Companies with AWS-native infrastructure who want consistent identity across services
  • Multi-account AWS organizations with centralized identity management

Configuration

curl -X PUT https://api.mandaitor.io/v1/tenants/{tenantId}/identity-providers \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled_providers": ["API_KEY", "COGNITO", "AWS_IAM_IDC"],
    "aws_iam_idc": {
      "issuer": "https://identitycenter.amazonaws.com/ssoins-xxxxxxxxxxxxx",
      "audience": "https://api.mandaitor.eu"
    }
  }'

Token Validation

  1. Provider detection: the authorizer recognises an IAM Identity Center token by its iss claim, which carries an identitycenter.amazonaws.com or sso.amazonaws.com issuer
  2. JWKS verification: the token signature is verified against IAM Identity Center's JWKS endpoint
  3. Claims extraction: sub, email, name and custom:identityStoreId are read from the verified token
  4. Identity resolution: the subject is mapped to the canonical subject ID oidc:aws-idc:<sub>

SDK Usage

// The user authenticates via AWS IAM Identity Center and obtains an access token
const idcToken = await getIdcAccessToken();

// Exchange the IAM Identity Center token for a Mandaitor delegation bound to a mandate
const delegation = await mandaitorClient.exchangeToken({
  subject_token: idcToken,
  mandate_id: "mdt_abc123",
});