What is AWS Single Sign-On (AWS SSO)?
AWS SSO is an AWS service that enables you to use your existing credentials from your Microsoft Active Directory to access your cloud-based applications, such as AWS accounts and business applications (Office 365, Salesforce, Box), by using single sign-on (SSO).
What are the benefits of AWS SSO?
You can use AWS SSO to quickly and easily assign and manage your employees’ access to multiple AWS accounts, SAML-enabled cloud applications (such as Salesforce, Office 365, and Box), and custom-built in-house applications, all from a central place. Employees can be more productive by signing in with their existing corporate Active Directory credentials or credentials that you configure in AWS SSO to access their applications from their personalized user portal. Now, employees won’t need to remember multiple sets of credentials and access URLs to cloud applications, and new employees can be productive starting on day one. After you’ve added users to the appropriate group in your directory, they will automatically gain access to accounts and applications that are enabled for members of that group. You'll get better visibility into cloud application use because you can monitor and audit sign-in activity centrally from AWS CloudTrail.
What problems does AWS SSO solve?
AWS SSO eliminates the administrative complexity of custom SSO solutions you use to provision and manage identities across AWS accounts and business applications. As you use multiple AWS accounts and add accounts regularly, setting up SSO with Active Directory Federation Services (AD FS) to access these accounts requires learning the custom AD FS claims programming language. You also need to prepare the AWS accounts with necessary permissions to access these accounts. AWS SSO is available at no additional cost, and it reduces the complexity of repetitive setup and disparate management by tightly integrating with AWS. If you use separate passwords to access different AWS accounts or cloud applications, AWS SSO simplifies the user experience and improves security by eliminating individual passwords needed for each AWS account or cloud business application. AWS SSO also solves the problem of limited visibility of the access to your cloud applications by integrating with AWS CloudTrail and providing a central place for you to audit SSO access to AWS accounts and SAML-enabled cloud applications, such as Office 365, Salesforce, and Box.
Why should I use AWS SSO?
You should use AWS SSO to help your employees become productive quickly by granting them access to AWS accounts and business cloud applications, without writing custom scripts or investing in general-purpose SSO solutions. You should also use AWS SSO to reduce the administrative complexity and cost of setting up and managing SSO access.
AWS SSO is the place where your employees can access your AWS accounts and the applications they need in the course of their work from the AWS SSO user portal, regardless of where these applications were built or are hosted.
What can I do with AWS SSO?
You can use AWS SSO to quickly and easily assign your employees access to AWS accounts managed with AWS Organizations, business cloud applications (such as Salesforce, Office 365, and Box), and custom applications that support Security Assertion Markup Language (SAML) 2.0. Employees can sign in with their existing corporate credentials or credentials they configure in AWS SSO to access their business applications from a single user portal. AWS SSO also allows you to audit users’ access to cloud services by using AWS CloudTrail.
Who should use AWS SSO?
AWS SSO is for administrators who manage multiple AWS accounts and business applications, want to centralize user access management to these cloud services, and want to provide employees a single location to access these accounts and applications without them having to remember yet another password.
How do I start using AWS SSO?
As a new AWS SSO customer, you:
- Sign in to the AWS Management Console of the master account in your AWS account and navigate to the AWS SSO console.
- Select the directory you use for storing the identities of your users and groups from the AWS SSO console. AWS SSO provides you a directory by default that you can use to manage users and groups in AWS SSO. You can also change directory to connect to a Microsoft AD directory by clicking through a list of Managed Microsoft AD and AD Connector instances that AWS SSO discovers in your account automatically. If you want to connect to a Microsoft AD directory, see Getting Started with AWS Directory Service.
- Grant users SSO access to AWS accounts in your organization by selecting the AWS accounts from a list populated by AWS SSO, and then selecting users or groups from your directory and the permissions you want to grant them.
- Give users access to business cloud applications by:
- Selecting one of the applications from the list of pre-integrated applications supported in AWS SSO.
- Configuring the application by following the configuration instructions.
- Selecting the users or groups that should be able to access this application.
- Give your users the AWS SSO sign-in web address that was generated when you configured the directory so that they can sign in to AWS SSO and access accounts and business applications.
AWS SSO is offered at no extra charge.
In which AWS regions is AWS SSO is available?
See the AWS Region Table for AWS SSO availability by Region.
Directories and Applications Support
What directories can I use with AWS SSO?
You can use the directory that AWS SSO provides you by default to create and manage users in AWS SSO. Alternatively, you can connect AWS SSO to Microsoft Active Directory, running either on-premises or in the AWS Cloud. AWS SSO supports AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, and AD Connector. AWS SSO does not support Simple AD. See AWS Directory Service Getting Started to learn more.
Can I use my Amazon Cognito User Pools as the connected directory in AWS SSO?
Not at this time. Today, AWS SSO supports creating and managing users in AWS SSO or connecting to a Microsoft Active Directory. Other directory types may be added over time based on customer feedback and demand.
Which cloud-based applications can I connect to using AWS SSO?
You can connect the following applications to AWS SSO:
- AWS Management Console: You can set up SSO access to the AWS Management Console.
- Third-party SaaS applications: AWS SSO comes preintegrated with commonly used business applications. For a comprehensive list, see the AWS SSO console.
- Custom SAML applications: AWS SSO supports applications that allow identity federation using SAML 2.0. For applications that are not preintegrated with AWS SSO, you can set up SSO by using the AWS SSO custom application wizard.
I manage users and groups in Active Directory on premises. How do I connect my directory to AWS SSO?
You have two options for connecting Active Directory–hosted on premises to AWS SSO: (1) Use a AWS Managed Microsoft AD trust relationship, or (2) use AD Connector.
AWS Managed Microsoft AD creates a fully managed Active Directory in the AWS Cloud and can be used to set up a forest trust relationship between your on-premises directory and AWS Managed Microsoft AD. To set up a trust relationship, see When to Create a Trust Relationship.
AD Connector is a directory gateway that can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. To connect an on-premises directory using AD Connector, see AD Connector.
I manage users and groups in AWS Identity and Access Management (IAM). Can I connect my directory to AWS SSO?
AWS SSO does not support AWS IAM users and groups at this time.
Can I connect more than one directory to AWS SSO?
No. At any given time, you can have only one directory connected to AWS SSO. But, you can change the directory that is connected to a different one.
SSO Access to AWS Accounts
Which AWS accounts can I connect to AWS SSO?
How do I set up SSO to AWS accounts in an organizational unit (OU) within my organization?
You can pick accounts within the organization or filter accounts by OU.
How do I control what permissions my users get when they use SSO to access their account ?
When granting SSO access to your users, you can limit the users’ permissions by picking a permission set. Permission sets are a collection of permissions that you can create in AWS SSO, modelling them based on AWS managed policies for job functions or any AWS managed policies. AWS managed policies for job functions are designed to closely align to common job functions in the IT industry. If required, you can also fully customize the permission set to meet your security requirements. AWS SSO applies these permissions to the selected accounts automatically. As you change the permission sets, AWS SSO enables you to apply the changes to the relevant accounts easily. When your users access the accounts through the AWS SSO user portal, these permissions restrict what they can do within those accounts. You can also grant multiple permission sets to your users. When they access the account through the user portal, they can pick which permission set they want to assume for that session.
For which AWS accounts can I get AWS Command Line Interface (CLI) credentials?
You can get AWS CLI credentials for any AWS account and user permissions that your AWS SSO administrator has assigned to you. These CLI credentials can be used for programmatic access to the AWS account.
How long are the AWS Command Line Interface credentials from the AWS SSO user portal valid?
AWS CLI Credentials fetched through the AWS SSO user portal are valid for 60 minutes. You can get a fresh set of credentials as often as needed.
SSO Access to Business Applications
How do I set up SSO to business applications, such as Salesforce?
From the AWS SSO console, navigate to the applications pane, choose Configure new application, and choose an application from the list of cloud applications that are preintegrated with AWS SSO. Follow the on-screen instructions to configure the application. Your application is now configured and you may assign access to it. Choose the groups or users that you want to provide with access to the application and Choose Assign Access to complete the process.
My company uses business applications that are not in AWS SSO’s preintegrated application list. Can I still use AWS SSO?
Yes. If your application supports SAML 2.0, you can configure your application as a custom SAML 2.0 application. From the AWS SSO console, navigate to the applications pane, choose Configure new application, and choose Custom SAML 2.0 application. Follow the instructions to configure the application. Your application is now configured and you may assign access to it. Choose the groups or users that you want to provide with access to the application, and choose Assign Access to complete the process.
My application supports OpenID Connect (OIDC) only. Can I set up SSO with AWS SSO?
No. AWS SSO supports only SAML 2.0–based applications.
Does AWS SSO support single sign-on to native mobile and desktop applications?
No. AWS SSO supports single sign-on to business applications through web browsers only.
What data will AWS SSO store on my behalf?
AWS SSO will store data about which AWS accounts and cloud applications are assigned to which users and groups, as well as what permissions have been granted for accessing AWS accounts. AWS SSO will also create and manage IAM roles in individual AWS accounts for each permission set you grant access for your users.
Does AWS SSO support multifactor authentication (MFA)?
Yes. You can enable or require users to set up a multi-factor application on their phones or you can require users to provide an additional factor for signing in to AWS SSO by operating a Remote Authentication Dial-In User Service (RADIUS) server and configuring the RADIUS server to work with Active Directory or AD Connector.
How do my employees get started using AWS SSO?
Employees can get started with AWS SSO by visiting the AWS SSO user portal that is generated when you configure your directory in AWS SSO. If you manage your users in AWS SSO, your employees can use their email address and password they configured with AWS SSO to sign into the user portal. If you connect to a Microsoft Active Directory, your employees can sign in to user portal with their Active Directory user name and password and then view the accounts and applications assigned to them. To access an account or application, employees choose the associated icon from the AWS SSO user portal.
Is there an API available for AWS SSO?
No. You can use the AWS SSO console to perform all necessary operations.