Details

AWS Single Sign-On (AWS SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. It enables users to sign in to a user portal with credentials they configure in AWS SSO or using their existing corporate credentials to access all of their assigned accounts and applications from one place. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally. Using the AWS SSO application configuration wizard, you can create Security Assertion Markup Language (SAML) 2.0 integrations and extend SSO access to any of your SAML-enabled applications. AWS SSO also includes built-in SAML integrations to many business applications, such as Salesforce, Box, and Office 365. With just a few clicks, you can enable a highly available SSO service without the upfront investment and ongoing maintenance costs of operating your own infrastructure.

Key Features

User Portal

With AWS SSO, users can find and access all of their assigned accounts and applications in one place. Users can simply sign in to their personalized user portal with their existing corporate credentials and with one click access any of their assigned accounts and applications. The user portal also helps you roll out access to new applications more easily by helping users discover new applications in their user portal.

Integrated with AWS Organizations

AWS SSO is integrated with AWS Organizations, enabling you to select one or more accounts from your organization and grant users access to these accounts. No additional configuration is required in the individual accounts. With just a few clicks, you can grant users access to all of the AWS accounts being used for an application or by a team.

Centralized user permissions management

With AWS SSO, you can also centrally manage users’ permissions to AWS resources in your AWS accounts when they access the AWS Management Console through the user portal. You can assign users different sets of permissions based on common job functions and customize these permissions to meet your specific requirements. For instance, you can assign developers full administrative permissions in their test accounts, but only grant them job-specific permissions, such as database or network administrator, in production accounts.

Manage SSO access for multiple AWS accounts

Using AWS Single Sign-On (SSO), you can manage SSO access for multiple AWS accounts centrally. When users sign in to their personalized user portals, they will see all of their assigned AWS accounts in one place.

Create and manage users in AWS SSO

AWS SSO provides you with a directory by default that you can use to create users and organize them in groups within AWS SSO. You can create users in AWS SSO by configuring their email address and name. When you create a user, by default AWS SSO sends an email to the user so that they can set their own password. Within minutes, you can grant your users and groups permissions to AWS resources in all your AWS accounts as well as many business applications. Your users sign in to a user portal with credentials they configured in AWS SSO to access all of their assigned accounts and applications in a single place.

Microsoft Active Directory integration

With AWS SSO, you can manage SSO access to accounts and applications using your existing corporate identities from Microsoft Active Directory (AD). AWS SSO integrates with AD through AWS Directory Service and enables you to grant users SSO access to accounts and applications simply by adding the users to the appropriate AD groups. For example, you can create an AD group for a team of developers working on an application and grant the AD group access to the AWS accounts for the application. When new developers join the team and you add them to the AD group, they are granted access to all the AWS accounts for the application automatically.

SAML-enabled application configuration wizard

You can create single sign-on (SSO) integrations to Security Assertion Markup Language (SAML) 2.0-enabled applications using the AWS SSO application configuration wizard. The application configuration wizard helps you select and format the information to send to applications to enable SSO access. For example, you can create a SAML attribute for username and specify the format for the attribute based on a user’s email address from their AD profile.

AWS Command Line Interface access

Users can sign in to the AWS SSO user portal with their existing corporate credentials and get AWS Command Line Interface (CLI) credentials for all their assigned AWS accounts from one place. These AWS CLI credentials expire after 60 minutes automatically to help protect access to your AWS accounts.

Built-in SSO integrations to business applications

AWS SSO offers you built-in SSO integrations to many business applications, including Salesforce, Box, and Office 365. You can easily configure SSO access to these applications by following step-by-step instructions. AWS SSO guides you through entering the required URLs, certificates, and metadata.

Highly available managed infrastructure

AWS SSO is built on highly available, AWS-managed SSO infrastructure. There are no additional proxies, web servers, or federation servers to deploy and maintain as you scale up and add new SSO integrations. Instead, you can easily create new SSO integrations to your business applications using the AWS SSO console.

Audit SSO activity

All administrative and SSO activity is recorded in AWS CloudTrail, giving you the visibility to audit SSO activity centrally. Through CloudTrail, you can view activity such as sign-in attempts, application assignments, and directory integration changes. For instance, you can see the applications that a user accessed over a given period of time or when a user was given SSO access to a specific application.
