Setting up SSO - Amazon Honeycode

Setting up SSO

AWS account admins can set up single sign-on for Amazon Honeycode in the AWS Management Console. Here is a brief overview of SSO setup:

  • Claim your domain

  • Add a TXT record to your DNS and wait for verification

  • Create a new SSO team

  • Add admin and member groups


            Process overview

Warning

AWS IAM Identity Center (successor to AWS SSO) is required for successful setup and operation of Honeycode SSO Teams. Deletion of AWS IAM Identity Center (successor to AWS SSO) will render the linked SSO Teams unusable. Affected teams cannot be recovered by re-creating AWS IAM Identity Center application assignments, as AWS IAM Identity Center application assignments manage group and user identities for authentication and authorization.

Note

From the time you add the TXT record to your DNS, verification can take up to three business days. Once your domain is verified, you can complete the SSO setup process.

1a. Claim your domain

In the AWS Management Console, go to Honeycode > Domains. In the Claim domain section, enter a domain name.

  • Example: company.com


            Claim domain modal

Click Claim a domain. The domain entered will appear in the Manage domains section with the status Pending.

Note

All domains that are to be associated with a Honeycode SSO team must be claimed from the same AWS account.

1b. Add the TXT record to your DNS

After claiming your domain, you will find a unique key provided in the TXT record column of the Manage domains section.


            Manage domains section

A TXT record provides information about your domain and verifies ownership. Copy the TXT record value and add it to your Domain Name System (DNS) settings.

The following shows the available domain verification statuses:

  • PENDING: Domain is not yet verified. Add the TXT record to your DNS.

  • VERIFIED: Domain ownership is verified. Honeycode continues re-verifying ownership of the domain.

  • FAILED: The verification request expired. Restart the verification process.

  • INVALID: Domain re-verification failed. Re-add the TXT record to your DNS before the grace period ends.

  • REVOKED: Ownership was not re-verified within the 7-day grace period. Restart the verification process.

Note

It might take some time for propagation of the DNS record after re-adding the TXT record. Ensure you add the TXT record well before the grace period expires.

We've included instructions for adding a TXT record to Amazon Route 53, as well as some general instructions for adding a TXT record to other DNS providers.

How to add a TXT record to an Amazon Route 53 domain

  1. Copy the TXT record value provided in Honeycode > Domains in the AWS console.

  2. Open the Route 53 console at https://console.aws.amazon.com/route53/.

  3. In the navigation pane, choose Hosted zones.

  4. Select the domain that you want to add a TXT record to, and then choose Go to Record sets.

  5. Choose Create record set.

  6. In the Create Record Set pane, make the following selections:

    1. For Name, type _amazonhoneycode.

    2. For Type, choose TXT - Text.

    3. For TTL (Seconds), type 1800.

    4. For Value, paste the TXT record value you copied in step 1.

    5. Choose Create.

Note

After the TXT record has been added to your DNS, domain verification can take up to 3 business days.

How to add a TXT record to other DNS providers

  1. Go to your DNS provider website and sign in to your account. If you aren't sure which DNS provider serves your domain, you can look it up by using a free Whois service.

  2. Find the page for updating your domain's DNS records. This page might have a name similar to one of the following examples: DNS Records, DNS Zone File, or Advanced DNS. If you're unsure, consult the provider's documentation.

  3. Add a TXT record with the name and value provided in Honeycode > Domains in the AWS console.

  4. Save your changes.

Note

After the TXT record has been added to your DNS, domain verification can take up to 3 business days.

How to check that the TXT record is added correctly

Use the nslookup tool to confirm that the TXT record is added correctly to your DNS service. The nslookup tool is available for Windows and Linux.

  1. Open a command prompt to find the name servers for your domain. These servers contain the most up-to-date information for your domain; changes can take longer to propagate to other DNS servers.

  2. To list all of the name servers that serve your domain, run the following command:

    nslookup -type=NS example.com

  3. Next, verify that the TXT record is correctly added. Using your domain and one of the name servers that you found in step 2, run the following command:

    nslookup -type=TXT _amazonhoneycode.example.com ns1.name-server.net

  4. In the output of the command, verify that the string that follows text = matches the TXT record value in the AWS console under Honeycode > Domains.

Example:

Suppose you are looking for a TXT record under _amazonhoneycode.example.com with a value of fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk=.

If the record is correctly added, the command should have the following output:

    _amazonhoneycode.example.com text = "fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk="

Warning

Please do not remove the TXT record from your DNS while the domain is assigned to Amazon Honeycode.
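
The nslookup check above, scripted as an added example (not AWS-provided code): it reads nslookup output in both the Linux layout (value on the text = line) and the Windows layout (value on a following line) and classifies each authoritative name server's answer as MATCH, MISMATCH or MISSING. The SAMPLE_* outputs are constructed and the function names are illustrative.

```sh
# Added example, not AWS code. All SAMPLE_* outputs are constructed.
EXPECTED='fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk='   # example value from this page
# Constructed Linux-style answer: the value sits on the "text =" line.
SAMPLE_LINUX='Server:  ns1.name-server.net
_amazonhoneycode.example.com  text = "fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk="'
# Constructed Windows-style answer: the value sits on a later line.
SAMPLE_WINDOWS='_amazonhoneycode.example.com  text =

    "fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk="'
# Constructed answers for a stale record and for a record that is gone.
SAMPLE_STALE='_amazonhoneycode.example.com  text = "constructed-old-value="'
SAMPLE_NONE="** server can't find _amazonhoneycode.example.com: NXDOMAIN"

# Print every quoted TXT string found in nslookup output on stdin.
txt_values() { tr -d '\r' | sed -n 's/.*"\([^"]*\)".*/\1/p'; }

# Print name servers from `nslookup -type=NS` output, without the trailing dot.
ns_hosts() { tr -d '\r' | sed -n 's/.*nameserver = \([^ ]*\).*/\1/p' | sed 's/\.$//'; }

# Classify one server's answer (stdin) against the console value ($1).
classify_txt() {
    values=$(txt_values)
    if [ -z "$values" ]; then echo MISSING
    elif printf '%s\n' "$values" | grep -Fxq -- "$1"; then echo MATCH
    else echo MISMATCH
    fi
}

# Live check: ask every authoritative name server; non-zero unless all match.
check_domain() {
    servers=$(nslookup -type=NS "$1" | ns_hosts)
    [ -n "$servers" ] || { echo "no name servers found for $1" >&2; return 2; }
    rc=0
    for ns in $servers; do
        result=$(nslookup -type=TXT "_amazonhoneycode.$1" "$ns" 2>&1 | classify_txt "$2")
        echo "$ns $result"
        [ "$result" = MATCH ] || rc=1
    done
    return $rc
}

# With two arguments: live check. Without: classify the constructed samples.
if [ $# -eq 2 ]; then
    check_domain "$1" "$2"
else
    for s in "$SAMPLE_LINUX" "$SAMPLE_WINDOWS" "$SAMPLE_STALE" "$SAMPLE_NONE"; do
        printf '%s\n' "$s" | classify_txt "$EXPECTED"
    done
fi
```

Run with a domain and the console value as the two arguments, for example from a scheduled job, to notice a removed or changed record before re-verification marks the domain INVALID.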

2. Create an SSO team

The next step is to create your first Honeycode SSO team. Please note that teams created with a standard account cannot be converted to SSO teams.

Note

After selected domains are associated with an SSO team, users will lose access to any workbooks or apps created with a standard account using the same domain. If you would like more information, reach out to .

Go to Honeycode > Teams in the AWS console and click Create SSO team. You’ll be prompted to add the following:

  • Team name: This is how users in your company will be identified in Amazon Honeycode

  • Team description (optional): This will only be seen by team admins with access to the AWS console

  • Email contact: The email for the primary AWS account admin

  • Honeycode plan: Select your team’s plan. SSO is available for Amazon Honeycode Plus and Pro plans.

  • Domains: The verified domains you’d like to associate with your SSO team

Amazon Honeycode will automatically create a new service-linked role. This role allows Honeycode to interact with your IAM Identity Center. You can learn more about service-linked roles here.

After you’ve filled out the required fields, click Next.

3. Add admin and member groups

After you’ve filled out the required fields, you’ll be prompted next to add admin and member groups as they appear in your identity provider (IdP). Single sign-on works with any IdP that supports Security Assertion Markup Language (SAML) 2.0.

Teams have two roles, admins and members. Your team can have multiple admins, or just one. Team admins can manage access to workbooks and apps in Honeycode, and make changes to the team’s plan.

Team members can create workbooks, build apps, and share with SSO team members.

Note

Each admin or member on a team counts as one user in the current team, regardless of whether the same user is an admin or member of other teams, or is present in multiple groups. If the same group is marked as both admin and member, it is considered only as admin.

Add admin groups

Team admins can manage access to workbooks and apps in Honeycode, and make changes to the team’s plan.

Select one or more group names as stored in your identity provider (IdP). Once you’ve added at least one group name, click Next.


                Add admin groups

Add member groups

Team members can create workbooks, build apps, and share with SSO team members. To add member groups, select the group names as stored in your identity provider. Click Next.


                Add member groups

Users in your admin and member groups will now be able to sign in to Amazon Honeycode using their corporate credentials. It may take up to 4 hours from initial setup before the full Honeycode service is available for use.

Note

Any subsequent changes made to team groups, domains or changes in group membership (in AWS IAM Identity Center (successor to AWS SSO)) may take up to 4 hours to be reflected in Honeycode.

4. Review SSO team details

Verify that your SSO team details are correct and click Finish.


                Review team details

Deleting an SSO team

To request deletion of an SSO team, please create an AWS support case.

  1. From the top menu of the AWS console, select Support > Support center, and then click Create case.

  2. File the case under: Account and billing support

  3. Under Case details, please make the following selections:

    1. Type: General Info and Getting Started

    2. Category: Using AWS & Services

    3. Subject: Delete Honeycode SSO team

  4. Please include the following details in the support ticket:

    1. Team ID

  5. Click Submit.


            Review team details

Note

You will continue to be billed for up to 10 business days after you’ve requested deletion. We will offer you a refund for this time assuming you’ve had no new usage.