AWS Single Sign-On
Centrally manage access to multiple AWS accounts or applications.
AWS Single Sign-On (AWS SSO) is where you create, or connect, your workforce identities in AWS once and manage access centrally across your AWS organization. You can choose to manage access just to your AWS accounts or cloud applications. You can create user identities directly in AWS SSO, or you can bring them from your Microsoft Active Directory or a standards-based identity provider, such as Okta Universal Directory or Azure AD. With AWS SSO, you get a unified administration experience to define, customize, and assign fine-grained access. Your workforce users get a user portal to access all of their assigned AWS accounts or cloud applications. AWS SSO can be flexibly configured to run alongside or replace AWS account access management via AWS IAM.
It’s easy to get started with AWS SSO. With just a few clicks in the management console, you can connect AWS SSO to your existing identity source and configure permissions that grant users access to their assigned AWS accounts, cloud applications, and other SAML-based applications that you add to AWS SSO.
Central place to create or connect your identities
You have the option to create your users' identities and groups in AWS SSO. Or, you can connect to your existing users and groups from Microsoft Active Directory Domain Services, Okta Universal Directory, Azure AD, or another standards-based identity provider. In either case, you manage and authenticate users where you want and AWS SSO authorizes access to the AWS accounts, cloud applications, and other SAML-based applications that you add to AWS SSO.
Manage access to multiple AWS accounts from one place
With AWS Organizations integration, AWS SSO enables you to manage access across multiple accounts with no additional setup within individual accounts. You can assign user permissions based on common job functions, customize them to meet your specific security requirements, and assign fine-grained permissions within the specific accounts where they need access. AWS SSO also allows you to utilize user attributes, such as cost center, title, or locale, for attribute-based access control (ABAC).
Manage access to your cloud applications
With AWS Single Sign-On, you can easily control who has access to your cloud applications. Your users can utilize their directory credentials to sign in to their AWS SSO web user portal and get one-click access to their assigned applications like Amazon SageMaker Studio, AWS Systems Manager Change Manager, and standards-based cloud applications including Salesforce, Box, and Microsoft 365.
How it works
Enable single sign-on access to your AWS accounts
Your users can utilize their directory credentials for single sign-on access to multiple AWS accounts. Their personalized web user portal shows their assigned roles in AWS accounts in one place. Users can also single sign-on via the AWS Command Line Interface (CLI), AWS SDKs, or Mobile Console app using their directory credentials for a consistent authentication experience.
Enable access to integrated applications
AWS SSO is integrated with applications like Amazon SageMaker Studio, AWS Systems Manager Change Manager, and AWS IoT SiteWise for zero-configuration authentication and authorization. These integrated applications share a consistent view of users and groups for resource sharing and collaboration all within the application.
Enable single sign-on access to your cloud applications
You can easily configure single sign-on access to applications that support the Security Assertion Markup Language (SAML 2.0) using the AWS SSO application configuration wizard.
AWS SSO also provides preconfigured settings for many cloud applications including Salesforce, Box, and Microsoft 365.
Invenia is a cloud-based machine learning platform that uses big, high frequency data to solve complex energy intelligence problems in real-time. As a cloud-based business ourselves, we rely extensively on AWS and a number of SaaS-based applications, but didn't like the security and compliance risks associated with managing end-user credentials to so many independent systems. Deploying AWS SSO allowed us to provide access to those same applications, but using our existing corporate credentials instead, and without any of the hassle of managing a traditional SSO solution - Brilliant!
- Sascha McDonald, Head of Architecture and Operations, Invenia
Syncron is a provider of cloud-based after-sales service solutions focused on empowering the world’s leading manufacturers to maximize product uptime and deliver exceptional customer experiences. As a cloud-based business, we're very mindful of the productivity disruptions and security challenges that can arise when users are overloaded with unique credentials. With AWS SSO, we can quickly and easily connect users into AWS using their normal enterprise credentials – allowing us to focus on continuing to deliver exceptional services to our customers instead of managing the lifecycle of users’ credentials in our AWS multi-account structure.
- Richard Barkestam, CTO, Syncron
Featured Security Competency Partners
The AWS Competency Program is designed to identify, validate, and promote AWS Partner Network (APN) Advanced and Premier Tier Partners with demonstrated AWS technical expertise and proven customer success. To learn more, see the AWS Competency Program.
Okta is the identity company that stands for trust.
OneLogin is a leading cloud identity management company, enabling enterprises to secure connections across all users and all devices.
Ping Identity provides secure, seamless access to apps and resources from anywhere and is trusted by over half of the Fortune 100.
Built-in support for AWS accounts and business applications
AWS SSO helps manage access to your AWS accounts and business applications. For a full list of business applications pre-integrated with AWS SSO, see AWS SSO Cloud Applications.