The integration between Cornell CUWebAuth (and Cornell Two-Step Login) and AWS requires Active Directory groups with specific characteristics. When the Cloud Team asks a Cornell AWS account owner to request an Active Directory group from their unit IT support for gating access to roles in the AWS console, the following wording can be used in the request.


We are working with the CIT Cloud Team (cloud-support@cornell.edu) to configure an AWS account for my team to use. Active Directory groups are used to gate that access. Could you please provision a new Active Directory group for that purpose? The AD group should be “Global” scope and “Security” type. We will be using that group to identify the administrative users of our AWS account, so please include "aws" and "admin" or something similar in the AD group name.

Once the group is created, please add the following people/netids to it since I would like to give them access to my AWS account:

  • aaa123
  • bbb456

See also User Access Control for AWS Accounts.

At present, AD groups of type "Universal" cannot be used for the Shibboleth AWS-AD integration.
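As an added example (not part of this page), the following PowerShell check lets an account owner confirm that the group their unit IT support provisioned has the scope and type the Shibboleth AWS-AD integration requires before sending it to the Cloud Team. It assumes the RSAT ActiveDirectory module is installed and uses a placeholder group name.

```powershell
# Added example, not Cornell's own tooling. Assumes the RSAT ActiveDirectory
# module is available on the machine running the check.
Import-Module ActiveDirectory

function Test-AwsAdGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName
    )
    # GroupScope and GroupCategory are returned by default; -ErrorAction Stop
    # makes a missing or misspelled group name fail loudly.
    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

    $problems = @()
    if ($group.GroupScope -ne 'Global') {
        # "Universal" groups cannot be used for the integration; "Global" is required.
        $problems += "scope is '$($group.GroupScope)', expected 'Global'"
    }
    if ($group.GroupCategory -ne 'Security') {
        # Distribution groups carry no security principal and will not gate access.
        $problems += "category is '$($group.GroupCategory)', expected 'Security'"
    }
    if ($group.Name -notmatch 'aws') {
        $problems += "name does not contain 'aws' (naming convention from the request wording)"
    }

    # Report the members so the owner can confirm the requested netids were added.
    [pscustomobject]@{
        Group    = $group.Name
        Scope    = $group.GroupScope
        Category = $group.GroupCategory
        Members  = (Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
        Problems = $problems
        Ok       = ($problems.Count -eq 0)
    }
}

# Placeholder group name; replace it with the group your unit IT support created.
Test-AwsAdGroup -GroupName 'example-aws-admin' | Format-List
```

A result with `Ok : True` and the expected netids under `Members` is what the Cloud Team needs before it maps the group to an AWS role.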