AWS Single Sign-On (AWS SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. It enables users to sign in to a user portal with credentials they configure in AWS SSO, or with their existing corporate credentials, to access all of their assigned accounts and applications from one place. With AWS SSO, you can easily manage SSO access and user permissions for all of your accounts in AWS Organizations centrally. Using the AWS SSO application configuration wizard, you can create Security Assertion Markup Language (SAML) 2.0 integrations and extend SSO access to any of your SAML-enabled applications. AWS SSO also includes built-in SAML integrations to many business applications, such as Salesforce, Box, and Office 365. With just a few clicks, you can enable a highly available SSO service without the upfront investment and ongoing maintenance costs of operating your own infrastructure.
With AWS SSO, users can find and access all of their assigned accounts and applications in one place. Users simply sign in to their personalized user portal with their existing corporate credentials and, with one click, access any of their assigned accounts and applications. The user portal also helps you roll out access to new applications more easily, because users discover newly assigned applications in their user portal.
Integrated with AWS Organizations
AWS SSO is integrated with AWS Organizations, enabling you to select one or more accounts from your organization and grant users access to these accounts. No additional configuration is required in the individual accounts. With just a few clicks, you can grant users access to all of the AWS accounts being used for an application or by a team.
Centralized user permissions management
With AWS SSO, you can also centrally manage users’ permissions to AWS resources in your AWS accounts when they access the AWS Management Console through the user portal. You can assign users different sets of permissions based on common job functions and customize these permissions to meet your specific requirements. For instance, you can assign developers full administrative permissions in their test accounts, but only grant them job-specific permissions, such as database or network administrator, in production accounts.
Manage SSO access for multiple AWS accounts
Using AWS Single Sign-On (SSO), you can manage SSO access for multiple AWS accounts centrally. When users sign in to their personalized user portals, they will see all of their assigned AWS accounts in one place.
Create and manage users in AWS SSO
AWS SSO provides you with a directory by default that you can use to create users and organize them in groups within AWS SSO. You create a user in AWS SSO by configuring their email address and name. When you create a user, by default AWS SSO sends the user an email so that they can set their own password. Within minutes, you can grant your users and groups permissions to AWS resources in all your AWS accounts as well as to many business applications. Your users sign in to a user portal with the credentials they configured in AWS SSO to access all of their assigned accounts and applications in a single place.
Microsoft Active Directory integration
With AWS SSO, you can manage SSO access to accounts and applications using your existing corporate identities from Microsoft Active Directory (AD). AWS SSO integrates with AD through AWS Directory Service and enables you to grant users SSO access to accounts and applications simply by adding the users to the appropriate AD groups. For example, you can create an AD group for a team of developers working on an application and grant the AD group access to the AWS accounts for the application. When new developers join the team and you add them to the AD group, they are granted access to all the AWS accounts for the application automatically.
SAML-enabled application configuration wizard
You can create single sign-on (SSO) integrations to Security Assertion Markup Language (SAML) 2.0-enabled applications using the AWS SSO application configuration wizard. The application configuration wizard helps you select and format the information sent to applications to enable SSO access. For example, you can create a SAML attribute for username and specify the format of the attribute based on the user’s email address from their AD profile.
AWS Command Line Interface access
Users can sign in to the AWS SSO user portal with their existing corporate credentials and get AWS Command Line Interface (CLI) credentials for all their assigned AWS accounts from one place. These AWS CLI credentials automatically expire after 60 minutes to help protect access to your AWS accounts.
Built-in SSO integrations to business applications
AWS SSO offers you built-in SSO integrations to many business applications, including Salesforce, Box, and Office 365. You can easily configure SSO access to these applications by following step-by-step instructions. AWS SSO guides you through entering the required URLs, certificates, and metadata.
Highly available managed infrastructure
AWS SSO is built on highly available, AWS-managed SSO infrastructure. There are no additional proxies, web servers, or federation servers to deploy and maintain as you scale up and add new SSO integrations. Instead, you can easily create new SSO integrations to your business applications using the AWS SSO console.
Audit SSO activity
All administrative and SSO activity is recorded in AWS CloudTrail, giving you the visibility to audit SSO activity centrally. Through CloudTrail, you can view activity such as sign-in attempts, application assignments, and directory integration changes. For instance, you can see the applications that a user accessed over a given period of time, or when a user was given SSO access to a specific application.
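The two audit questions above (which applications a user accessed in a period, and how sign-in attempts break down per user) can be answered by filtering CloudTrail records on the AWS SSO event source. The following is an added example, not code from AWS or this page: the records are constructed, and the event names "Authenticate" and "Federate", the userIdentity.userName field and the requestParameters.applicationName field are assumptions about the record layout that you should check against your own trail.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CloudTrail-style records (not real log data). Event names and
# the userName/applicationName fields are assumed for illustration.
SAMPLE_LOG = json.loads("""{"Records": [
 {"eventTime": "2019-05-01T09:00:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
  "userIdentity": {"userName": "alice"}},
 {"eventTime": "2019-05-01T09:01:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Federate",
  "userIdentity": {"userName": "alice"}, "requestParameters": {"applicationName": "Salesforce"}},
 {"eventTime": "2019-05-02T10:00:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Federate",
  "userIdentity": {"userName": "alice"}, "requestParameters": {"applicationName": "Box"}},
 {"eventTime": "2019-05-03T08:00:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
  "userIdentity": {"userName": "bob"}, "errorCode": "AccessDenied"},
 {"eventTime": "2019-05-03T08:00:30Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
  "userIdentity": {"userName": "bob"}, "errorCode": "AccessDenied"},
 {"eventTime": "2019-05-09T08:00:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Federate",
  "userIdentity": {"userName": "alice"}, "requestParameters": {"applicationName": "Office 365"}},
 {"eventTime": "2019-05-01T12:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"userName": "alice"}}
]}""")["Records"]

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sso_events(records):
    """Keep only the records emitted by the AWS SSO service; other services are noise here."""
    return [r for r in records if r.get("eventSource") == "sso.amazonaws.com"]

def apps_accessed(records, user, start, end):
    """Applications `user` federated into between start and end (inclusive), in first-seen order."""
    seen = []
    for r in sorted(sso_events(records), key=_ts):
        if r["eventName"] != "Federate" or r["userIdentity"].get("userName") != user:
            continue
        app = r.get("requestParameters", {}).get("applicationName", "?")
        if start <= _ts(r) <= end and app not in seen:
            seen.append(app)
    return seen

def signin_summary(records):
    """Per-user counts of successful and failed portal sign-ins (an errorCode marks a failure)."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0})
    for r in sso_events(records):
        if r["eventName"] == "Authenticate":
            user = r["userIdentity"].get("userName", "unknown")
            summary[user]["failure" if "errorCode" in r else "success"] += 1
    return dict(summary)

if __name__ == "__main__":
    print(apps_accessed(SAMPLE_LOG, "alice", utc(2019, 5, 1), utc(2019, 5, 7)))  # ['Salesforce', 'Box']
    print(signin_summary(SAMPLE_LOG))
```

Repeated failed "Authenticate" records for one user (bob above) are the pattern to alert on; a per-user failure count over a sliding window is the usual next step.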