AWS Security Blog

Easier Role Selection for SAML-Based Single Sign-On

At the end of 2013, we introduced single sign-on to the AWS Management Console using the Security Assertion Markup Language (SAML) 2.0. This enables you to use your organization’s existing identity system to sign in to the console without having to provide AWS credentials.

Today we’re happy to announce that, in response to your feedback, we’ve made a number of improvements to the sign-in page. Here’s what it looks like now:

Screenshot of improved sign-in page

As you can see, there are three improvements. First, we’ve organized the roles by account, which makes it much easier to zero in on a role in a specific account. Second, we’re now displaying account aliases if you have configured them. This means that your users don’t have to know the account ID if they’re used to seeing the account alias. And finally, we’re displaying roles using only their names and not full Amazon Resource Names (ARNs), making it easier to focus on the actual role. (If you have only one role configured, users go directly to the console without seeing this page.)
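To preview what a given identity provider will present on this page, you can group the role ARNs in a SAML response the same way. This is an added example, not AWS code: it assumes the roles arrive in the `https://aws.amazon.com/SAML/Attributes/Role` attribute, and the alias map, function names, and sample account IDs are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from collections import defaultdict

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def roles_by_account(saml_response_b64, aliases=None):
    """Group role names by account from a base64 SAMLResponse.
    No signature check: only for inspecting a response from your own IdP."""
    aliases = aliases or {}  # assumption: account ID -> alias, supplied by the caller
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    grouped = defaultdict(set)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            # Each value pairs a role ARN with a SAML provider ARN, in either order.
            for arn in (value.text or "").split(","):
                parts = arn.strip().split(":", 5)
                if len(parts) == 6 and parts[2] == "iam" and parts[5].startswith("role/"):
                    account = parts[4]
                    name = parts[5].rsplit("/", 1)[-1]  # drop "role/" and any path
                    label = f"{aliases[account]} ({account})" if account in aliases else account
                    grouped[label].add(name)
    return {label: sorted(names) for label, names in sorted(grouped.items())}

def picker_shown(grouped):
    """With only one role, users go straight to the console."""
    return sum(len(names) for names in grouped.values()) > 1

def sample_response(values):
    """Constructed, unsigned SAMLResponse carrying the given Role attribute values."""
    body = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    xml = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{NS["saml"]}"><saml:Assertion><saml:AttributeStatement>'
           f'<saml:Attribute Name="{ROLE_ATTR}">{body}</saml:Attribute>'
           f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    demo = sample_response([  # constructed sample values
        "arn:aws:iam::111111111111:role/Admin,arn:aws:iam::111111111111:saml-provider/ExampleIdP",
        "arn:aws:iam::111111111111:saml-provider/ExampleIdP,arn:aws:iam::111111111111:role/ReadOnly",
        "arn:aws:iam::222222222222:role/Auditor,arn:aws:iam::222222222222:saml-provider/ExampleIdP",
    ])
    grouped = roles_by_account(demo, {"111111111111": "prod"})
    for label, names in grouped.items():
        print(label, names)
    print("role picker shown:", picker_shown(grouped))
```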

The best part is that this is all automatic—you don’t have to reconfigure your SAML provider in IAM or make any changes to roles. The new UI is now available, and the next time your users sign in to the console using SAML, they’ll see this new and improved page.

We’re grateful to those of you who’ve taken time to send us your feedback. As always, if you have questions about IAM, including SAML, please visit the IAM Forum.

– Shon