AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally. SSO configures and maintains all the necessary permissions for your accounts automatically, without requiring any additional setup in the individual accounts. You can assign user permissions based on common job functions and customize these permissions to meet your specific security requirements. AWS SSO also includes built-in integrations to many business applications, such as Salesforce, Box, and Office 365.
With AWS SSO, you can create and manage user identities in AWS SSO’s identity store, or easily connect to your existing identity source including Microsoft Active Directory, Okta Universal Directory, or Azure Active Directory (Azure AD).
It is easy to get started with AWS SSO. With just a few clicks in the AWS SSO management console you can connect AWS SSO to your existing identity source and configure permissions that grant your users access to their assigned AWS Organizations accounts and hundreds of pre-configured cloud applications, all from a single user portal.
Integrated with AWS Organizations
AWS SSO is integrated with AWS Organizations, enabling you to select one or more accounts from your organization and grant users access to these accounts. No additional configuration is required in the individual accounts. With just a few clicks, you can grant users access to all of the AWS accounts being used for an application or by a team.
Manage SSO access for multiple AWS accounts
Using AWS Single Sign-On (SSO), you can manage SSO access for multiple AWS accounts centrally. When users sign in to their personalized user portals, they will see all of their assigned roles in AWS accounts in one place.
Centralized user permissions management
With AWS SSO, you can also centrally manage users' permissions to AWS resources in your AWS accounts when they access the AWS Management Console through the user portal. You can assign users different sets of permissions based on common job functions and customize these permissions to meet your specific requirements. For instance, you can assign developers full administrative permissions in their test accounts, but grant them only job-specific permissions, such as database or network administrator, in production accounts. AWS SSO provides APIs and AWS CloudFormation support to automate permissions management in multi-account environments and to retrieve the permissions programmatically for audit and governance purposes.
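As an added example of the audit-and-governance use described above (this is not AWS code or anything from the page), the following script reviews a permission set inventory for the pattern the text warns against: broad administrative permission sets assigned in production accounts. The inventory data is constructed; the account IDs, instance and permission set ARNs, principal IDs and the "production" account list are placeholders. The `collect_from_sso_admin` helper shows how the same inventory would be built from a boto3 `sso-admin` client (pagination omitted); the review logic itself runs offline on the constructed data.

```python
"""Review AWS SSO permission set assignments for over-broad production access.

Added example, not AWS code. All ARNs, account IDs and principal IDs below
are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

# Constructed: accounts treated as production for this review.
PROD_ACCOUNTS = {"222222222222"}

# Managed policies that grant broad rights. Fine in a developer's test
# account; a finding when assigned in a production account.
BROAD_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}
MAX_BROAD_SESSION_HOURS = 4  # constructed threshold for admin-level sessions


@dataclass
class PermissionSet:
    arn: str
    name: str
    managed_policies: list = field(default_factory=list)
    session_duration: str = "PT1H"  # ISO 8601 duration, as the API reports it


@dataclass
class Assignment:
    account_id: str
    permission_set_arn: str
    principal_type: str  # "USER" or "GROUP"
    principal_id: str


def session_hours(iso_duration):
    """Convert a 'PTnHnM' duration string to hours."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso_duration)
    hours, minutes = (int(x) if x else 0 for x in m.groups())
    return hours + minutes / 60


def collect_from_sso_admin(client, instance_arn):
    """Build the inventory from a boto3 'sso-admin' client (needs credentials,
    so it is not exercised here). Calls follow the SSO Admin API names."""
    permission_sets, assignments = {}, []
    for ps_arn in client.list_permission_sets(InstanceArn=instance_arn)["PermissionSets"]:
        desc = client.describe_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=ps_arn)["PermissionSet"]
        policies = client.list_managed_policies_in_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=ps_arn)["AttachedManagedPolicies"]
        permission_sets[ps_arn] = PermissionSet(
            ps_arn, desc["Name"], [p["Arn"] for p in policies],
            desc.get("SessionDuration", "PT1H"))
        for account_id in client.list_accounts_for_provisioned_permission_set(
                InstanceArn=instance_arn, PermissionSetArn=ps_arn)["AccountIds"]:
            for a in client.list_account_assignments(
                    InstanceArn=instance_arn, AccountId=account_id,
                    PermissionSetArn=ps_arn)["AccountAssignments"]:
                assignments.append(Assignment(account_id, ps_arn,
                                              a["PrincipalType"], a["PrincipalId"]))
    return permission_sets, assignments


def review(permission_sets, assignments, prod_accounts=PROD_ACCOUNTS):
    """Return (severity, message) findings for the given inventory."""
    findings = []
    for a in assignments:
        ps = permission_sets[a.permission_set_arn]
        broad = BROAD_POLICIES & set(ps.managed_policies)
        if a.account_id in prod_accounts and broad:
            findings.append(("HIGH", f"{a.principal_type} {a.principal_id} holds {ps.name} "
                             f"({', '.join(sorted(broad))}) in production account {a.account_id}"))
        if a.principal_type == "USER":
            # Direct user assignments bypass group-based joiner/leaver handling.
            findings.append(("LOW", f"direct USER assignment of {ps.name} to "
                             f"{a.principal_id} in {a.account_id}; prefer a group"))
    for ps in permission_sets.values():
        if BROAD_POLICIES & set(ps.managed_policies) and \
                session_hours(ps.session_duration) > MAX_BROAD_SESSION_HOURS:
            findings.append(("MEDIUM", f"{ps.name} allows {ps.session_duration} sessions "
                             f"with broad policies attached"))
    return findings


# Constructed inventory: one developer account and one production account.
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin-EXAMPLE"
PS_DBA = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-dba-EXAMPLE"
PERMISSION_SETS = {
    PS_ADMIN: PermissionSet(PS_ADMIN, "AdministratorAccess",
                            ["arn:aws:iam::aws:policy/AdministratorAccess"], "PT12H"),
    PS_DBA: PermissionSet(PS_DBA, "DatabaseAdministrator",
                          ["arn:aws:iam::aws:policy/job-function/DatabaseAdministrator"]),
}
ASSIGNMENTS = [
    Assignment("111111111111", PS_ADMIN, "GROUP", "group-devs-EXAMPLE"),  # test account: fine
    Assignment("222222222222", PS_DBA, "GROUP", "group-dbas-EXAMPLE"),    # prod, job-specific: fine
    Assignment("222222222222", PS_ADMIN, "USER", "user-alice-EXAMPLE"),   # prod admin to a user
]

if __name__ == "__main__":
    for severity, message in review(PERMISSION_SETS, ASSIGNMENTS):
        print(f"[{severity}] {message}")
```

Run as-is, the script reports the direct admin assignment in the production account (HIGH), the use of a user rather than a group as principal (LOW), and the 12-hour session duration on an admin-level permission set (MEDIUM); the developer account's admin assignment produces nothing, matching the "full admin in test, job-specific in production" pattern the text describes.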
Create and manage users in AWS SSO
By default, AWS SSO provides a directory that you can use to create users and organize them in groups within AWS SSO. You create a user in AWS SSO by configuring their email address and name. When you create a user, by default AWS SSO sends the user an email so that they can set their own password. Within minutes, you can grant your users and groups permissions to AWS resources in all your AWS accounts as well as many business applications. Your users sign in to a user portal with the credentials they configured in AWS SSO to access all of their assigned accounts and applications in a single place.
Connects with Microsoft Active Directory
With AWS SSO, you can manage SSO access to accounts and applications using your existing corporate identities from Microsoft Active Directory Domain Services (AD DS). AWS SSO connects to AD DS through AWS Directory Service and enables you to grant users access to accounts and applications simply by adding the users to the appropriate AD groups. For example, you can create a group for a team of developers working on an application and grant the group access to the AWS accounts for the application. When new developers join the team and you add them to the AD group, they are granted access to all the AWS accounts for the application automatically.
Connect and automatically provision users from standards-based identity providers
You can connect AWS SSO to Okta Universal Directory, Azure AD, or another supported identity provider (IdP) via Security Assertion Markup Language (SAML) 2.0 so your users can sign in with their existing credentials. AWS SSO also supports System for Cross-domain Identity Management (SCIM) to automate user provisioning. You can manage your users in your IdP, get them into AWS quickly, and centrally manage their access to all AWS accounts and business applications.
Audit SSO activity across applications and AWS accounts
All administrative and SSO activity is recorded in AWS CloudTrail, giving you the visibility to audit SSO activity centrally. Through CloudTrail, you can view activity such as sign-in attempts, application assignments, and directory integration changes. For instance, you can see the applications that a user accessed over a given period of time, or when a user was given SSO access to a specific application.
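To show what auditing that CloudTrail record looks like in practice, here is an added example (not AWS code or part of the page) that triages a CloudTrail log file for the two kinds of activity the text mentions: repeated failed sign-in attempts and account assignment changes. The log records are constructed to look like CloudTrail entries with `eventSource` `sso.amazonaws.com`; the event names `Authenticate` (user-portal sign-in) and `CreateAccountAssignment` are assumed, and every IP address, ARN, ID and timestamp is a placeholder.

```python
"""Triage AWS SSO activity from a CloudTrail log file.

Added example, not AWS code. SAMPLE_LOG is constructed: the record shape
follows CloudTrail's {"Records": [...]} files, the event names are assumed,
and all addresses, identities and ARNs are placeholders.
"""
import json
from collections import Counter, defaultdict

SSO_SOURCE = "sso.amazonaws.com"
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-EXAMPLE"
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin-EXAMPLE"


def signin(time, user, ip, ok):
    """Build a constructed user-portal sign-in record."""
    rec = {"eventTime": time, "eventSource": SSO_SOURCE, "eventName": "Authenticate",
           "sourceIPAddress": ip, "userIdentity": {"type": "Unknown", "userName": user}}
    if not ok:
        rec["errorCode"] = "AccessDenied"
        rec["errorMessage"] = "Invalid credentials"  # constructed message
    return rec


SAMPLE_LOG = json.dumps({"Records": [
    signin("2021-03-01T08:00:01Z", "alice", "198.51.100.7", False),
    signin("2021-03-01T08:00:09Z", "alice", "198.51.100.7", False),
    signin("2021-03-01T08:00:15Z", "alice", "198.51.100.7", False),
    signin("2021-03-01T08:00:22Z", "bob", "198.51.100.7", False),
    signin("2021-03-01T08:03:40Z", "alice", "203.0.113.5", True),
    {"eventTime": "2021-03-01T09:12:00Z", "eventSource": SSO_SOURCE,
     "eventName": "CreateAccountAssignment", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/SSOAdmin/carol"},
     "requestParameters": {"instanceArn": INSTANCE_ARN, "targetId": "222222222222",
                           "targetType": "AWS_ACCOUNT", "permissionSetArn": PS_ADMIN,
                           "principalType": "USER", "principalId": "user-alice-EXAMPLE"}},
    # Unrelated service activity in the same log file; filtered out below.
    {"eventTime": "2021-03-01T09:13:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/X/y"}},
]})


def load_sso_events(log_text):
    """Parse a CloudTrail log file and keep only AWS SSO events."""
    return [r for r in json.loads(log_text)["Records"] if r.get("eventSource") == SSO_SOURCE]


def failed_signin_sources(events, threshold=3):
    """Map source IP -> (failure count, user names tried) for IPs at or above threshold.
    A single address cycling through several user names is the signal worth alerting on."""
    counts, users = Counter(), defaultdict(set)
    for e in events:
        if e["eventName"] == "Authenticate" and "errorCode" in e:
            ip = e["sourceIPAddress"]
            counts[ip] += 1
            users[ip].add(e["userIdentity"].get("userName", "?"))
    return {ip: (n, sorted(users[ip])) for ip, n in counts.items() if n >= threshold}


def assignment_changes(events):
    """Summarise who granted or revoked account access, for periodic review."""
    out = []
    for e in events:
        if e["eventName"] in ("CreateAccountAssignment", "DeleteAccountAssignment"):
            p = e.get("requestParameters", {})
            out.append({"time": e["eventTime"],
                        "actor": e["userIdentity"].get("arn", "?"),
                        "action": e["eventName"],
                        "principal": f"{p.get('principalType')}:{p.get('principalId')}",
                        "account": p.get("targetId"),
                        "permission_set": p.get("permissionSetArn")})
    return out


if __name__ == "__main__":
    events = load_sso_events(SAMPLE_LOG)
    for ip, (n, names) in failed_signin_sources(events).items():
        print(f"{n} failed sign-ins from {ip} against {', '.join(names)}")
    for change in assignment_changes(events):
        print(f"{change['time']} {change['actor']} {change['action']} "
              f"{change['principal']} -> {change['account']}")
```

The same two functions work unchanged on real CloudTrail log files (gzip-decompressed), which is the point of the exercise: the admin-side assignment record answers "when was this user given access to this account", and the sign-in failures grouped by source address are the input for a lockout or alerting rule.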
Highly available managed infrastructure
AWS SSO is built on highly available, AWS-managed infrastructure. There are no additional proxies, web servers, or federation servers to deploy and maintain as you scale up and add new business application integrations. Instead, you can easily create new integrations to your business applications using the AWS SSO console.
End user experience features
With AWS SSO, users can find and access all of their assigned accounts and applications in one place. Users can simply sign in to their personalized user portal with their existing corporate credentials and with one click access any of their assigned accounts and applications. The user portal also helps you roll out access to new applications more easily by helping users discover new applications in their user portal.
Support for browser, command line, and mobile interfaces
When users sign in through the AWS Command Line Interface (CLI), they can use their existing corporate credentials and get a consistent authentication experience, while benefiting from automated short-term credential management. Once signed in, developers can see their AWS SSO assigned accounts and roles, and they can also create profiles that let them switch between roles and accounts in a single command. The AWS Mobile Console app also supports AWS SSO, so you get a consistent sign-in experience across browser, mobile, and command line interfaces.
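The profiles mentioned above live in the CLI's `~/.aws/config` file. The fragment below is an added example, not taken from the page or from AWS documentation verbatim; the start URL, region, account IDs and role names are placeholders for what `aws configure sso` would write for your own AWS SSO instance, and the keys shown are the ones the AWS CLI uses for SSO profiles.

```ini
# ~/.aws/config (added example; values are placeholders)

# Developer account: the role name is the permission set the user was assigned.
[profile dev-admin]
sso_start_url = https://d-EXAMPLE.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = us-east-1
output = json

# Production account: a job-specific permission set rather than admin.
[profile prod-dba]
sso_start_url = https://d-EXAMPLE.awsapps.com/start
sso_region = us-east-1
sso_account_id = 222222222222
sso_role_name = DatabaseAdministrator
region = us-east-1
output = json
```

With this in place, `aws sso login --profile dev-admin` performs the browser-based sign-in once for the SSO instance, and switching accounts and roles is then a matter of `--profile prod-dba` (or `AWS_PROFILE=prod-dba`) on any command: the CLI exchanges the cached SSO session for short-term credentials for that account and role, so no long-lived access keys are stored for either profile.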
Built-in SSO integrations to business applications
AWS SSO offers built-in SSO integrations to many business applications, including Salesforce, Box, and Office 365. You can easily configure SSO access to these applications by following step-by-step instructions. AWS SSO guides you through entering the required URLs, certificates, and metadata. For a full list of business applications pre-integrated with AWS SSO, see AWS SSO Cloud Applications.
SAML-enabled application configuration wizard
You can create single sign-on integrations to Security Assertion Markup Language (SAML) 2.0-enabled applications using the AWS SSO application configuration wizard. The application configuration wizard helps you select and format the information sent to applications to enable SSO access. For example, you can create a SAML attribute for the username and specify the format for the attribute based on a user's email address from their AD profile.