The AWS integration configures 1Kosmos as a SAML 2.0 identity provider for both AWS IAM Identity Center (multi-account organizations) and direct AWS IAM federation (single-account deployments), mapping users to appropriate IAM roles or permission sets.
Integration type: SSO
Overview
For organizations using AWS IAM Identity Center, 1Kosmos is configured as the external identity provider. Users navigate to the AWS access portal, are redirected to 1Kosmos for biometric authentication, and are returned to the portal with access to their assigned accounts and roles. For direct IAM SAML federation, 1Kosmos acts as the IdP and AWS IAM roles are configured to trust assertions from 1Kosmos, with role ARNs passed in the SAML assertion.
The 1Kosmos mobile app supports Touch ID, Face ID, and liveness-checked LiveID. Users must enroll their biometrics before the integration is tested.
Prerequisites
Active 1Kosmos tenant: Community administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
AWS administrator access: IAM administrative rights, including the ability to create identity providers, configure IAM Identity Center, and modify IAM role trust policies.
AWS IAM Identity Center enabled (for multi-account deployments): IAM Identity Center must be enabled in your AWS Organization management account before configuring an external identity provider.
1Kosmos IdP metadata or certificate: The 1Kosmos SAML metadata XML or signing certificate is required by AWS to establish trust. Collect this from AdminX before beginning the AWS-side configuration.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for AWS:
| Field | Where to find it |
|---|---|
| IdP SAML Metadata URL | AdminX → Settings → IdP Configuration → Metadata URL |
| IdP Entity ID (Issuer) | AdminX → Settings → IdP Configuration → Core Configuration |
| SSO URL (PassiveLogOnUri) | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
Values to collect from AWS after creating the IdP (for AdminX configuration):
| Field | Description |
|---|---|
| AWS Access Portal URL | IAM Identity Center → Settings → Identity source → AWS access portal URL |
| ACS URL | IAM Identity Center → Settings → Identity source → ACS URL for SAML |
| AWS IAM Identity Center Issuer URL | IAM Identity Center → Settings → Identity source → Issuer URL |
| IAM Identity Provider ARN (for direct IAM) | IAM → Identity Providers → [your provider] → ARN |
Integration steps
Step 1: Collect IdP metadata from AdminX
Log in to the AdminX portal and navigate to Settings → IdP Configuration.
Copy the Metadata URL. AWS can import IdP metadata directly from a URL, which is the simplest approach.
Alternatively, download the metadata XML file or copy the signing certificate PEM if your AWS environment does not support metadata URL import.
Step 2: Configure 1Kosmos as the external identity provider in AWS IAM Identity Center
Log in to the AWS Management Console and navigate to IAM Identity Center.
Select Settings from the left menu and click Change identity source under the Identity source section.
Select External identity provider and click Next.
Under IdP SAML metadata, click Choose file and upload the metadata XML from AdminX, or paste the metadata URL if the field accepts URLs.
AWS will display the IAM Identity Center ACS URL and Issuer URL. Copy these values for use in AdminX.
Click Next and confirm the change. Note that changing the identity source will affect all users currently assigned to AWS accounts.
Step 3: Add AWS as a SAML application in AdminX
In the AdminX portal, navigate to Applications → Add Application.
Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.
Enter "AWS IAM Identity Center" as the Application Name, set Instance to Production, and enter the AWS Access Portal URL as the Application Access URL. Click Next.
Set the NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email. Add claims mappings for email (Username), firstname (first_name), and lastname (last_name). Click Next.
Enter the AWS IAM Identity Center Issuer URL as the Entity ID and the ACS URL as the Assertion Consumer Service URL with Method set to POST.
Enable Assertion signing and click Save.
Step 4: Assign users and permission sets in AWS
In IAM Identity Center, navigate to Users and create or sync your user accounts. Email addresses must match between 1Kosmos and AWS.
Navigate to AWS accounts, select the accounts you want to grant access to, and assign the appropriate permission sets to user groups or individual users.
Step 5: Test the integration
Navigate to the AWS Access Portal URL in a browser.
Enter a test user's email. You will be redirected to the 1Kosmos AdminX login screen.
Open the 1Kosmos mobile app, scan the QR code, and complete biometric authentication.
Confirm you are returned to the AWS Access Portal and that the correct accounts and roles are displayed for the user.
Test with a single user before enabling for all organization users. Keep a direct IAM admin account accessible as a fallback during rollout.
Attribute mappings
| Source (1Kosmos) | Target (AWS) | Description |
|---|---|---|
| user.email | NameID (emailAddress) | Must match the username in IAM Identity Center |
| user.firstName | first_name | User first name |
| user.lastName | last_name | User last name |
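The following is an added pre-flight check, not 1Kosmos or AWS code, that compares a SAML assertion with the Step 3 settings and the attribute mappings above: emailAddress NameID format, NameID equal to the email claim, Recipient equal to the ACS URL, Audience equal to the IAM Identity Center Issuer URL (the Entity ID), and the three claims present. The assertion is constructed for illustration and unsigned, and the ACS URL and Issuer URL are placeholders for the values copied from IAM Identity Center; run it against an assertion captured from a browser's SAML tracer (after verifying its signature) to find a misconfiguration before the Step 5 test fails.

```python
"""Pre-flight check of a SAML assertion against the AdminX application settings.

Added example, not 1Kosmos or AWS code. The assertion is constructed; the
ACS URL and Issuer URL are placeholders for the values shown by IAM Identity Center.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholders standing in for the values copied from IAM Identity Center in Step 2.
EXPECTED_ACS_URL = "https://example.invalid/PLACEHOLDER-acs-url"
EXPECTED_ENTITY_ID = "https://example.invalid/PLACEHOLDER-issuer-url"
# Claim names as mapped in AdminX in Step 3.
REQUIRED_CLAIMS = {"email", "firstname", "lastname"}

# Constructed sample assertion (unsigned; signature verification is out of scope here).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example-1kosmos-tenant.invalid</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{EXPECTED_ACS_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{EXPECTED_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, acs_url, entity_id):
    """Return the list of mismatches between the assertion and the AdminX settings.

    An empty list means the assertion carries what AWS expects for this application.
    """
    root = ET.fromstring(xml_text)
    problems = []

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID format is {name_id.get('Format')}, expected emailAddress")
        email_claim = root.find(".//saml:Attribute[@Name='email']/saml:AttributeValue", NS)
        if email_claim is not None and email_claim.text != name_id.text:
            problems.append("NameID does not equal the email claim")

    confirmation = root.find(".//saml:SubjectConfirmationData", NS)
    if confirmation is None or confirmation.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")

    audiences = {a.text for a in root.findall(".//saml:Audience", NS)}
    if entity_id not in audiences:
        problems.append("Audience does not include the IAM Identity Center Issuer URL (Entity ID)")

    present = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}
    for name in sorted(REQUIRED_CLAIMS - present):
        problems.append(f"missing claim mapping: {name}")
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_ASSERTION, EXPECTED_ACS_URL, EXPECTED_ENTITY_ID) or ["ok"]:
        print(problem)
```

The check is deliberately strict about the Audience and Recipient: an assertion whose Audience is the wrong Entity ID is rejected by AWS even when the NameID and claims are correct, which is the most common cause of a failed Step 5 test.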
Integration notes
Changing the IAM Identity Center identity source to an external provider affects all users currently using the default AWS identity source. Plan the migration carefully and communicate the change to users before switching.
For organizations using AWS Organizations with multiple accounts, IAM Identity Center is the recommended integration path since it provides centralized access management across all accounts.
For single-account deployments using direct IAM SAML federation, create an IAM identity provider using the 1Kosmos metadata and then update the trust relationship policy on each role to reference the 1Kosmos provider ARN and include the required SAML condition keys.
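As an added example for the direct IAM federation path (not AWS or 1Kosmos code), the block below builds the trust relationship policy described above and audits an existing one: the Federated principal must be exactly the 1Kosmos provider ARN and the statement must carry the SAML:aud condition that AWS evaluates for sts:AssumeRoleWithSAML. The provider ARN and account id are placeholders for the ARN copied from IAM → Identity Providers; the weak policy is a constructed 'before' that omits the condition.

```python
"""Build and audit an IAM role trust policy for direct SAML federation with 1Kosmos.

Added example, not AWS or 1Kosmos code. PROVIDER_ARN is a placeholder for the ARN
shown under IAM → Identity Providers; the account id is fictitious.
"""
import json

PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/PLACEHOLDER-1Kosmos"
# Audience AWS expects in assertions presented to sts:AssumeRoleWithSAML.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_trust_policy(provider_arn):
    """Trust policy that only the named SAML provider can use, and only with the AWS audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
            }
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, provider_arn):
    """Return findings for Allow statements that grant sts:AssumeRoleWithSAML too broadly."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithSAML" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        # A bare "*" principal is not a dict; treat it as the (over-broad) federated value.
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else [principal]
        if federated != [provider_arn]:
            findings.append(f"statement {idx}: Federated principal is {federated}, expected only {provider_arn}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append(f"statement {idx}: missing or wrong SAML:aud condition ({aud!r})")
    return findings


# Constructed 'before' policy: trusts the provider but sets no SAML condition keys.
WEAK_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "%s"},
    "Action": "sts:AssumeRoleWithSAML"
  }]
}""" % PROVIDER_ARN)


if __name__ == "__main__":
    print(json.dumps(saml_trust_policy(PROVIDER_ARN), indent=2))
    for finding in audit_trust_policy(WEAK_TRUST_POLICY, PROVIDER_ARN):
        print("finding:", finding)
```

Run the audit over the trust policy of every role that appears in a 1Kosmos Role attribute; a role that trusts a second SAML provider, or lacks the audience condition, widens who can assume it beyond what this integration intends.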