AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place. With AWS SSO, you can easily manage access and user permissions to all of your accounts in AWS Organizations centrally. SSO configures and maintains all the necessary permissions for your accounts automatically, without requiring any additional setup in the individual accounts. You can assign user permissions based on common job functions and customize these permissions to meet your specific security requirements. AWS SSO also includes built-in integrations to many business applications, such as Salesforce, Box, and Microsoft 365.
With AWS SSO, you can create and manage user identities in AWS SSO’s identity store, or easily connect to your existing identity source, including Microsoft Active Directory, Okta Universal Directory, and Azure Active Directory (Azure AD). AWS SSO allows you to select user attributes, such as cost center, title, or locale, from your identity source, and then use them for attribute-based access control in AWS.
It is easy to get started with AWS SSO. With just a few clicks in the AWS SSO management console you can connect AWS SSO to your existing identity source and configure permissions that grant your users access to their assigned AWS Organizations accounts and hundreds of pre-configured cloud applications, all from a single user portal.
Integrated with AWS Organizations
AWS SSO is integrated with AWS Organizations, enabling you to select one or more accounts from your organization and grant users access to these accounts. AWS SSO builds on AWS Identity and Access Management (IAM) roles and policies to help you manage access centrally across all AWS accounts in your AWS organization. No additional configuration is required in the individual accounts. With just a few clicks, you can grant users access to all of the AWS accounts being used for an application or by a team.
Manage SSO access for multiple AWS accounts
Using AWS Single Sign-On (SSO), you can manage SSO access for multiple AWS accounts centrally. When users sign in to their personalized user portals, they will see all of their assigned roles in AWS accounts in one place.
Enable SSO access to your Amazon EC2 Windows instances
By using AWS SSO, you can provide one-click login access to your Amazon EC2 Windows instances from within the AWS Systems Manager Fleet Manager console. This makes it easy for you to access your instance desktops from anywhere without having to enter your credentials multiple times or having to configure remote access client software.
Attribute-based access control
AWS SSO makes it easy for you to create and use fine-grained permissions for your workforce based on user attributes defined in your AWS SSO identity source. AWS SSO allows you to select multiple attributes, such as cost center, title, or locale, and then use them for attribute-based access control (ABAC) to simplify and centralize your access administration. You can define permissions once for your entire AWS organization, and then grant, revoke, or modify AWS access by simply changing the attributes in the identity source.
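The ABAC model described above works by letting an IAM policy compare a session tag that AWS SSO passes from the identity source (for example cost center) against the tags on the resource being accessed. The following is an added example, not an AWS-supplied policy or the IAM engine: the permission-set-style policy uses the `aws:PrincipalTag/CostCenter` variable against `ec2:ResourceTag/CostCenter`, and the evaluator is a simplified model of `StringEquals` condition handling so the effect of the pattern can be seen offline. The tag key `CostCenter`, the sample principals and the resource tags are all constructed.

```python
"""Simplified model of an ABAC permission set: allow EC2 start/stop only on
instances whose CostCenter tag equals the caller's CostCenter session tag.
Added example; the policy, tag key and sample data are constructed, and the
evaluator models only the StringEquals operator with a
${aws:PrincipalTag/...} variable, not the full IAM evaluation logic."""

import re

ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"
                }
            },
        }
    ],
}

VAR_RE = re.compile(r"^\$\{aws:PrincipalTag/([^}]+)\}$")


def _resolve(value, principal_tags):
    """Expand a ${aws:PrincipalTag/Key} policy variable; literals pass through.
    A variable whose tag is absent on the principal resolves to None, which
    never matches: a user with no CostCenter attribute gets nothing."""
    m = VAR_RE.match(value)
    if not m:
        return value
    return principal_tags.get(m.group(1))


def _condition_holds(condition, principal_tags, resource_tags):
    """Evaluate a Condition block; every key under every operator must match."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator not modelled here: {operator}")
        for key, expected in pairs.items():
            prefix = "ec2:ResourceTag/"
            if not key.startswith(prefix):
                raise ValueError(f"condition key not modelled here: {key}")
            actual = resource_tags.get(key[len(prefix):])
            wanted = _resolve(expected, principal_tags)
            if wanted is None or actual != wanted:
                return False
    return True


def is_allowed(policy, action, principal_tags, resource_tags):
    """Default deny: True only if an Allow statement names the action and its
    condition holds. Explicit Deny statements are not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if action not in actions:
            continue
        if _condition_holds(stmt.get("Condition", {}), principal_tags, resource_tags):
            return True
    return False


if __name__ == "__main__":
    # Constructed principals: alice carries CostCenter=1234, mallory has no tag.
    alice = {"CostCenter": "1234"}
    mallory = {}
    for who, tags in (("alice", alice), ("mallory", mallory)):
        for instance_tags in ({"CostCenter": "1234"}, {"CostCenter": "5678"}):
            print(who, instance_tags, is_allowed(ABAC_POLICY, "ec2:StopInstances", tags, instance_tags))
```

The point to notice is that the policy never has to be edited when a user moves cost centers: changing the attribute in the identity source changes the session tag, and the same statement now matches a different set of instances. An action the statement does not list (for example `ec2:TerminateInstances`) is denied regardless of tags.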
Create and manage users in AWS SSO
AWS SSO provides a default directory that you can use to create users and organize them into groups within AWS SSO. You create users in AWS SSO by configuring their email address and name. When you create a user, AWS SSO by default sends the user an email so that they can set their own password. Within minutes, you can grant your users and groups permissions to AWS resources in all your AWS accounts as well as many business applications. Your users sign in to a user portal with the credentials they configured in AWS SSO to access all of their assigned accounts and applications in a single place.
Connects with Microsoft Active Directory
With AWS SSO, you can manage SSO access to accounts and applications using your existing corporate identities from Microsoft Active Directory Domain Services (AD DS). AWS SSO connects to AD DS through AWS Directory Service and enables you to grant users access to accounts and applications simply by adding the users to the appropriate AD groups. For example, you can create a group for a team of developers working on an application and grant the group access to the AWS accounts for the application. When new developers join the team and you add them to the AD group, they are granted access to all the AWS accounts for the application automatically. AWS SSO also allows you to select multiple user attributes, such as cost center, title, or locale, from your AD, and then use them for ABAC to simplify and centralize your access administration.
Connect and automatically provision users from standards-based identity providers
You can connect AWS SSO to Okta Universal Directory, Azure AD, or another supported identity provider (IdP) via Security Assertion Markup Language (SAML) 2.0 so your users can sign in with their existing credentials. AWS SSO also supports System for Cross-domain Identity Management (SCIM) to automate user provisioning. You can manage your users in your IdP, get them into AWS quickly, and centrally manage their access to all AWS accounts and business applications. AWS SSO also allows you to select multiple user attributes, such as cost center, title, or locale, from your Okta Universal Directory, and then use them for ABAC to simplify and centralize your access administration.
Audit SSO activity across applications and AWS accounts
All administrative and SSO activity is recorded in AWS CloudTrail, giving you the visibility to audit SSO activity centrally. Through CloudTrail, you can view activity such as sign-in attempts, application assignments, and directory integration changes. For instance, you can see the applications that a user accessed over a given period of time or when a user was given SSO access to a specific application.
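The audit questions above (which accounts a user reached, and whether sign-in attempts are failing) can be answered directly from the trail. The script below is an added example, not AWS code: it filters an exported CloudTrail `Records` array to the `sso.amazonaws.com` event source, builds a per-user map of federated account/role pairs, and flags bursts of failed portal sign-ins. The records are constructed for illustration; the event names `Authenticate` and `Federate`, the `userIdentity.userName` field and the `requestParameters` keys are assumed shapes, so check them against events from your own trail before relying on the field names.

```python
"""Audit AWS SSO activity from CloudTrail records (added example).
SAMPLE_TRAIL is constructed: event names, userIdentity and requestParameters
layouts are assumed and should be confirmed against a real trail."""

import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SSO_SOURCE = "sso.amazonaws.com"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

SAMPLE_RECORDS = [
    {"eventTime": "2021-03-01T08:00:10Z", "eventSource": SSO_SOURCE, "eventName": "Authenticate",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2021-03-01T08:01:00Z", "eventSource": SSO_SOURCE, "eventName": "Federate",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.10",
     "requestParameters": {"accountId": "111111111111", "roleName": "ReadOnlyAccess"}},
    {"eventTime": "2021-03-01T08:02:00Z", "eventSource": SSO_SOURCE, "eventName": "Federate",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.10",
     "requestParameters": {"accountId": "222222222222", "roleName": "AdministratorAccess"}},
    {"eventTime": "2021-03-01T09:00:00Z", "eventSource": SSO_SOURCE, "eventName": "Authenticate",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied"},
    {"eventTime": "2021-03-01T09:00:05Z", "eventSource": SSO_SOURCE, "eventName": "Authenticate",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied"},
    {"eventTime": "2021-03-01T09:00:12Z", "eventSource": SSO_SOURCE, "eventName": "Authenticate",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied"},
    # Non-SSO event, present to show the source filter at work.
    {"eventTime": "2021-03-01T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "carol"}},
]
SAMPLE_TRAIL = json.dumps({"Records": SAMPLE_RECORDS})


def load_sso_events(trail_json):
    """Return only the records emitted by the AWS SSO service."""
    records = json.loads(trail_json)["Records"]
    return [r for r in records if r.get("eventSource") == SSO_SOURCE]


def signin_outcomes(events):
    """Per user: how many portal sign-ins succeeded and how many failed."""
    out = defaultdict(Counter)
    for e in events:
        if e.get("eventName") != "Authenticate":
            continue
        key = "failed" if "errorCode" in e else "ok"
        out[e["userIdentity"]["userName"]][key] += 1
    return {u: dict(c) for u, c in out.items()}


def account_access_by_user(events):
    """Per user: sorted (accountId, roleName) pairs they federated into."""
    out = defaultdict(set)
    for e in events:
        if e.get("eventName") == "Federate":
            p = e.get("requestParameters", {})
            out[e["userIdentity"]["userName"]].add((p.get("accountId"), p.get("roleName")))
    return {u: sorted(v) for u, v in out.items()}


def failed_signin_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed sign-ins inside any `window`;
    value is the size of the largest burst found."""
    failures = defaultdict(list)
    for e in events:
        if e.get("eventName") == "Authenticate" and "errorCode" in e:
            failures[e["userIdentity"]["userName"]].append(datetime.strptime(e["eventTime"], TIME_FMT))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        best = 0
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    events = load_sso_events(SAMPLE_TRAIL)
    print("sign-ins:", signin_outcomes(events))
    print("account access:", account_access_by_user(events))
    print("failed-sign-in bursts:", failed_signin_bursts(events))
```

To run this against real data, replace `SAMPLE_TRAIL` with the contents of a CloudTrail export file (each file is a JSON object with a `Records` array). The same `Federate` mapping answers the "which accounts did this user touch in a given period" question from the text; adding an `eventTime` range filter to `load_sso_events` is the natural extension.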
With AWS SSO, you can use standards-based strong authentication capabilities for all your users across all your identity sources. If you use a supported SAML 2.0 IdP as your identity source, you can enable the multi-factor authentication (MFA) capabilities of your provider. When using Active Directory or AWS SSO as your identity source, AWS SSO supports the Web Authentication (WebAuthn) specification to help you secure user access to AWS accounts and business applications using FIDO-enabled security keys, such as YubiKey, and built-in biometric authenticators, such as Touch ID on Apple MacBooks and facial recognition on PCs. You can also enable time-based one-time passwords (TOTPs) using authenticator apps such as Google Authenticator or Twilio Authy. AWS SSO allows you to enforce MFA for all your users, including requiring users to set up MFA devices during sign-in.
Highly available managed infrastructure
AWS SSO is built on highly available, AWS-managed infrastructure. There are no additional proxies, web servers, or federation servers to deploy and maintain as you scale up and add new business application integrations. Instead, you can easily create new integrations to your business applications using the AWS SSO console.
End user experience features
With AWS SSO, users can find and access all of their assigned accounts and applications in one place. Users can simply sign in to their personalized user portal with their existing corporate credentials and with one click access any of their assigned accounts and applications. The user portal also helps you roll out access to new applications more easily by helping users discover new applications in their user portal.
Support for browser, command line, and mobile interfaces
When users sign in through the AWS Command Line Interface (CLI), they can use their existing corporate credentials and get a consistent authentication experience, while getting the benefits of automated short-term credential management. Once signed in, developers can see their AWS SSO assigned accounts and roles, and they can also create profiles that let them switch between roles and accounts in a single command. The AWS Mobile Console app also supports AWS SSO, so you get a consistent sign-in experience across browser, mobile, and command line interfaces.
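The "profiles that let them switch between roles and accounts" are ordinary `~/.aws/config` profile blocks carrying the AWS CLI v2 SSO keys (`sso_start_url`, `sso_region`, `sso_account_id`, `sso_role_name`). The script below is an added example, not AWS code: it renders one profile per account/permission-set assignment and validates a config back, catching the two mistakes that most often break a pasted profile (a missing SSO key, or profiles that point at different start URLs). The start URL, account ids and permission-set names are constructed placeholders.

```python
"""Render and validate AWS CLI v2 profiles that authenticate through AWS SSO.
Added example. The profile keys are the ones the AWS CLI v2 reads from
~/.aws/config; the start URL, account ids and role names are constructed."""

import configparser
import io

REQUIRED_SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")

# Constructed assignments: profile name -> (account id, permission set name).
ASSIGNMENTS = {
    "dev": ("111111111111", "DeveloperAccess"),
    "prod-readonly": ("222222222222", "ReadOnlyAccess"),
}


def render_sso_profiles(start_url, sso_region, assignments, default_region="us-east-1"):
    """Return ~/.aws/config text with one [profile NAME] block per assignment.
    sso_region is where AWS SSO is deployed; region is the default for API calls."""
    cfg = configparser.ConfigParser()
    for name, (account_id, role_name) in assignments.items():
        cfg[f"profile {name}"] = {
            "sso_start_url": start_url,
            "sso_region": sso_region,
            "sso_account_id": account_id,
            "sso_role_name": role_name,
            "region": default_region,
            "output": "json",
        }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def validate_sso_config(config_text):
    """Parse config text and return {profile: (account_id, role_name)} for the
    SSO profiles. Raises ValueError when an SSO profile lacks a required key,
    has a malformed account id, or when profiles disagree on the start URL."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    profiles = {}
    start_urls = set()
    for section in cfg.sections():
        if not section.startswith("profile "):
            continue
        name = section[len("profile "):]
        if not any(k in cfg[section] for k in REQUIRED_SSO_KEYS):
            continue  # not an SSO profile (e.g. static keys or a role_arn chain)
        missing = [k for k in REQUIRED_SSO_KEYS if k not in cfg[section]]
        if missing:
            raise ValueError(f"profile {name} is missing {missing}")
        account_id = cfg[section]["sso_account_id"]
        if not (account_id.isdigit() and len(account_id) == 12):
            raise ValueError(f"profile {name}: sso_account_id must be 12 digits")
        start_urls.add(cfg[section]["sso_start_url"])
        profiles[name] = (account_id, cfg[section]["sso_role_name"])
    if len(start_urls) > 1:
        raise ValueError(f"profiles use different start URLs: {sorted(start_urls)}")
    return profiles


def is_valid_sso_config(config_text):
    """Boolean wrapper around validate_sso_config."""
    try:
        validate_sso_config(config_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    text = render_sso_profiles("https://example.awsapps.com/start", "us-east-1", ASSIGNMENTS)
    print(text)
    print(validate_sso_config(text))
```

With a config like this in place, `aws sso login --profile dev` opens the browser-based sign-in once and caches short-term credentials, after which `aws sts get-caller-identity --profile prod-readonly` switches account and role with nothing more than the `--profile` flag.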
Built-in SSO integrations to business applications
AWS SSO offers you built-in SSO integrations to many business applications, including Salesforce, Box, and Microsoft 365. You can easily configure SSO access to these applications by following step-by-step instructions. AWS SSO guides you through entering the required URLs, certificates, and metadata. For a full list of business applications pre-integrated with AWS SSO, see AWS SSO Cloud Applications.
SAML-enabled application configuration wizard
You can create single sign-on integrations to Security Assertion Markup Language (SAML) 2.0-enabled applications using the AWS SSO application configuration wizard. The application configuration wizard helps you select and format the information sent to applications to enable SSO access. For example, you can create a SAML attribute for username and specify the format for the attribute based on a user’s email address from their AD profile.