Okta Classic Engine | Single Sign-On | Status: Answered (asked 2026-02-16, last updated 2026-02-19)

DongsooS.52437 (Customer) asked a question.

How to add custom SAML attribute to pre-configured AWS IAM Identity Center app

Hi there,

 

I am using the pre-configured AWS IAM Identity Center application from the Okta App Catalog, and the SAML/SCIM integration is working successfully.

 

Current Setup:

- Application: AWS IAM Identity Center (pre-configured from Okta App Catalog)

- SAML authentication: Working

- SCIM provisioning: Working

- Users and groups are syncing correctly

 

Issue:

I need to add a custom SAML attribute called "DataClassification" to pass to AWS for Attribute-Based Access Control (ABAC). However, I cannot find the "Attribute Statements" section in the SAML configuration.

 

What I've Tried:

1. General tab → SAML Settings → Edit: No "Attribute Statements" section found

2. Sign On tab: Cannot find where to add custom SAML attributes

3. Looked for "Add Another" button but it's not visible

 

What I Need:

I need to add the following SAML attribute:

- Name: https://aws.amazon.com/SAML/Attributes/AccessControl:DataClassification

- Value: user.dataClassification (or a static value)

 

Questions:

1. Does the pre-configured AWS IAM Identity Center app support custom SAML attributes?

2. If yes, where can I find the option to add custom Attribute Statements?

3. If the pre-configured app doesn't support this, do I need to create a custom SAML 2.0 app instead?

4. Is there a way to add custom attributes without recreating the entire integration?

 

Could you please provide step-by-step guidance on how to add custom SAML attributes to the pre-configured AWS IAM Identity Center application?

 

Thank you.


  • Paul S. (Okta, Inc.)

    Hello @DongsooS.52437 (Customer)​ Thank you for posting on our Community page!

     

    The option is available for the Catalogue app and it is on the Sign-On tab. However, to see this option you need to hit the Edit button in the right-hand corner. Once you have done this, in the SAML 2.0 tab under Default Relay State you will see the "Attributes" option, where you can add additional attributes to the SAML assertion.

     

    Thank you for reaching out to our Community and have a great day!

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Selected as Best
  • DongsooS.52437 (Customer)

    Hi @Paul S. (Okta, Inc.)​ 

     

    Thank you for your reply. I'm currently working on finding the menu. However, there is a problem at the moment.

     

    I am configuring custom SAML attributes in the AWS IAM Identity Center application, but I'm experiencing an issue where duplicate attributes are appearing in the SAML assertion and AWS CloudTrail logs.

     

    Configuration:

    - Application: AWS IAM Identity Center (pre-configured from Okta App Catalog)

    - Location: General tab → SAML Settings → Attribute Statements

     

    What I configured (only ONE attribute):

    - Name: https://aws.amazon.com/SAML/Attributes/AccessControl:DataClassification

    - Name format: Unspecified

    - Value: "public"

     

    Expected result in AWS CloudTrail:

    {
      "principalTags": {
        "DataClassification": "public"
      }
    }

    Actual result in AWS CloudTrail:

    {
      "principalTags": {
        "https://aws.amazon.com/SAML/Attributes/AccessControl:DataClassification": "user.dataClassification",
        "DataClassification": "public"
      }
    }

     

    Issue:

    Two attributes are appearing even though I only configured one. The first attribute shows "user.dataClassification" as a literal string instead of evaluating the expression.

     

    Questions:

    1. Why are two attributes appearing when I only configured one?

    2. Is there a cached or hidden attribute configuration that I need to clear?

    3. How can I ensure only the correctly formatted attribute appears in the SAML assertion?

    4. Is there a way to view all configured SAML attributes including any hidden or default ones?

     

    I have tried:

    - Deleting and re-adding the attribute

    - Clearing browser cache

    - Using different value formats ("public", user.dataClassification, appuser.dataClassification)

     

    Could you please help me resolve this duplicate attribute issue?

     

    Thank you.

    • Paul S. (Okta, Inc.)

      Hello @DongsooS.52437 (Customer)​ There shouldn't be more than 1 attribute if everything is set up correctly. However, from the Community side we can only provide general guidance; for troubleshooting or reporting a bug we recommend opening a case with Support. They have access to additional logs/tools to help you get to the bottom of this.

       

      Thank you for reaching out to our Community and have a great day!

      --

      Help others in the community by liking or hitting Select as Best if this response helped you.

      • DongsooS.52437 (Customer)

        Thank you @Paul S. (Okta, Inc.)  Unfortunately, I don't have access to the Okta support center. My application and user's profile are configured as shown in the screenshot.

        [screenshot: image.png]
      • Paul S. (Okta, Inc.)

        Hello @DongsooS.52437 (Customer)​  I have run a test on my side with an application from the OIN and a custom attribute, and it sent the value as it should.

        However for the Name I would recommend to use the name of the attribute that AWS wants to receive which should be just "DataClassification" and not "https://aws.amazon.com/SAML/Attributes/AccessControl:DataClassification" and for the value, make sure that you just have "user.dataClassification".

        Try it out and let me know the outcome.

         

        Thank you for reaching out to our Community and have a great day!

        --

        Help others in the community by liking or hitting Select as Best if this response helped you.

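The duplicate-attribute symptom discussed in this thread (one logical ABAC tag arriving under two names, one of them carrying the unevaluated expression text) can be checked directly in the SAML assertion Okta sends, rather than only after the fact in CloudTrail. The following is an added example, not code from the thread, Okta or AWS; the assertion fragment is constructed to mirror the CloudTrail output quoted above, and the `user.`/`appuser.`/`app.` pattern used to spot an unevaluated Okta expression is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ABAC_PREFIX = "https://aws.amazon.com/SAML/Attributes/AccessControl:"
# Assumed heuristic: an Okta expression that reached the assertion as literal text
UNEVALUATED_EXPR = re.compile(r"^(user|appuser|app)\.[A-Za-z_]\w*$")

# Constructed sample that reproduces the thread's CloudTrail result: the same
# logical tag is sent twice, once with the expression text as its value.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:DataClassification"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>user.dataClassification</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="DataClassification"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>public</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> list[tuple[str, str]]:
    """Return (Name, value) pairs from every AttributeStatement, in document order."""
    root = ET.fromstring(assertion_xml)
    pairs = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        for val in attr.iterfind("saml:AttributeValue", NS):
            pairs.append((attr.get("Name", ""), (val.text or "").strip()))
    return pairs


def tag_key(name: str) -> str:
    """Logical ABAC tag key: the Name with the AWS AccessControl prefix removed."""
    return name[len(AWS_ABAC_PREFIX):] if name.startswith(AWS_ABAC_PREFIX) else name


def audit_abac_attributes(assertion_xml: str) -> dict:
    """Flag tag keys sent more than once and values that are unevaluated expressions."""
    pairs = extract_attributes(assertion_xml)
    names_by_key: dict[str, list[str]] = {}
    for name, _ in pairs:
        names_by_key.setdefault(tag_key(name), []).append(name)
    return {
        "duplicates": {k: v for k, v in names_by_key.items() if len(v) > 1},
        "unevaluated": [(n, v) for n, v in pairs if UNEVALUATED_EXPR.match(v)],
        "tags": {tag_key(n): v for n, v in pairs if not UNEVALUATED_EXPR.match(v)},
    }
```

Run it against a decoded SAMLResponse captured from a browser SAML tracer: an empty `duplicates` map and an empty `unevaluated` list means the assertion carries exactly one well-formed value per tag before AWS ever sees it.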