From c92134fd69ba4b46a6df11b2ef1dcd71a2b3e73e Mon Sep 17 00:00:00 2001 From: Saltuk Alakus Date: Fri, 1 Jan 2021 02:42:31 +0300 Subject: [PATCH] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3be1fb5..658d9f7 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # aws-oidc-thumbprint -AWS's OIDC Identity Provider integration helps to integrate external identity providers to authenticate for AWS resource. Likely due to the sensitivity of the functionality, they require to pin the login domain certificate of the upstream identity provider. See this link [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html) for more details. +AWS's OIDC Identity Provider integration helps to integrate external identity providers to authenticate for AWS resources. Likely due to the sensitivity of the functionality, they require to pin the login domain certificate of the upstream identity provider. See this link [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html) for more details. This tool helps to avoid service distribution by updating the AWS configuration for the certificate thumbprint if the login domain certificate changes. This is useful especially if you don't have control for the login domain certificate rotation. For E.g. if you are using identity as a service solution (IaaS) like Auth0, Okta, Azure you likely have less control for the domain certificates. 
@@ -8,7 +8,7 @@ As a simple solution, the solution here spins up a Lambda function that runs eve Event notifications are sent to [AWS CloudWatch](https://aws.amazon.com/cloudwatch/). Optionally, you can also send them to Slack with [Incoming Webhooks](https://api.slack.com/messaging/webhooks) integration. -**By using this tool you are working-around a security feature. Though it may not be very common to pin the login domain certificate, you are accepting the associated risks. Please check your identity vendor first to see if they can provide a better solution.** +**By using this tool you are working-around a security feature. Though it may not be very common to pin the login domain certificate, you are accepting the associated risks. Please check with your identity vendor first to see if they can provide a better solution.** ## Conf
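Review bot: the first hunk fixes "resource" to "resources" but leaves "they require to pin the login domain certificate" ungrammatical; suggest "they require you to pin" (or "they require pinning"). Since this paragraph is being touched anyway, the trailing context line also has two defects worth fixing in the same commit: "This tool helps to avoid service distribution" should read "service disruption", and "identity as a service solution (IaaS)" uses the acronym for infrastructure as a service; "(IDaaS)" is the usual abbreviation. The "See this link [here](...)" phrasing can simply be "See the [AWS documentation](...) for more details."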
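Review bot: the second hunk adds "with" to "check with your identity vendor", which is correct, but the bold warning still says "working-around a security feature"; as a verb phrase this is "working around". More importantly, "you are accepting the associated risks" never names the risk: per the first hunk's context, the Lambda rewrites the pinned thumbprint whenever the login domain certificate changes, so the pin no longer flags an unexpected certificate change by itself. Suggest stating that plainly in the warning and pointing readers to the CloudWatch/Slack notifications mentioned in the preceding context line as the place to review each update. The context line "As a simple solution, the solution here spins up a Lambda function" also repeats "solution"; "As a simple workaround, this project spins up a Lambda function" reads better.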