Connect AWS SSO to a self-managed Active Directory - AWS Single Sign-On

Connect AWS SSO to a self-managed Active Directory

Users in your self-managed Active Directory (AD) can also have SSO access to AWS accounts and cloud applications in the AWS SSO user portal. To do that, AWS Directory Service has the following two options available:

  • Create a two-way trust relationship – You must use a two-way forest trust or a two-way domain trust when connecting your self-managed AD to AWS SSO using AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD). The trust from AWS Managed Microsoft AD to your self-managed AD enables your users to sign in to AWS SSO with their AD credentials. The trust from your self-managed AD to AWS Managed Microsoft AD enables AWS SSO to read user and group information from your domain and synchronize user and group metadata. AWS SSO uses this metadata when assigning access to permission sets or applications. Applications use this user and group metadata for collaboration, for example when you share a dashboard with another user or group. A one-way trust does not work: depending on its direction, it either prevents sign-in or prevents AWS SSO from synchronizing and assigning access for AD users and groups.

    For more information about setting up a two-way trust, see When to Create a Trust Relationship in the AWS Directory Service Administration Guide.

  • Create an AD Connector – AD Connector is a directory gateway that can redirect directory requests to your self-managed AD without caching any information in the cloud. For more information, see Connect to a Directory in the AWS Directory Service Administration Guide.

    Note

    If you are connecting AWS SSO to an AD Connector directory, any future user password resets must be done from within AD. This means that users will not be able to reset their passwords from the user portal.

    If you use AD Connector to connect your Active Directory Domain Service to AWS SSO, AWS SSO only has access to the users and groups of the single domain to which AD Connector attaches. If you need to support multiple domains or forests, use AWS Directory Service for Microsoft Active Directory.

    Note

    AWS SSO does not work with SAMBA4-based Simple AD directories.
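The two-way trust requirement described under the first option can be checked against the output of `aws ds describe-trusts` before wiring the directory to AWS SSO. This is an added example, not code from the AWS documentation; it assumes the `Trusts[].TrustDirection` / `TrustState` / `RemoteDomainName` fields of the DescribeTrusts response, and the sample payload is constructed for illustration.

```python
"""Flag AWS Managed Microsoft AD trusts that do not meet the AWS SSO requirement
(two-way and verified), given DescribeTrusts output as JSON."""
import json

# Constructed sample shaped like `aws ds describe-trusts --directory-id d-EXAMPLE`.
SAMPLE_DESCRIBE_TRUSTS = json.dumps({
    "Trusts": [
        {"DirectoryId": "d-EXAMPLE", "TrustId": "t-EXAMPLE1",
         "RemoteDomainName": "corp.example.com", "TrustType": "Forest",
         "TrustDirection": "Two-Way", "TrustState": "Verified"},
        {"DirectoryId": "d-EXAMPLE", "TrustId": "t-EXAMPLE2",
         "RemoteDomainName": "legacy.example.net", "TrustType": "Forest",
         "TrustDirection": "One-Way: Outgoing", "TrustState": "Verified"},
        {"DirectoryId": "d-EXAMPLE", "TrustId": "t-EXAMPLE3",
         "RemoteDomainName": "lab.example.org", "TrustType": "External",
         "TrustDirection": "Two-Way", "TrustState": "VerifyFailed",
         "TrustStateReason": "constructed: conditional forwarder missing"},
    ]
})


def evaluate_trusts(describe_trusts_json):
    """Return {remote_domain: [findings]}; an empty list means the trust is
    two-way and verified, which is what AWS SSO needs for sign-in and sync."""
    findings = {}
    for trust in json.loads(describe_trusts_json).get("Trusts", []):
        problems = []
        if trust.get("TrustDirection") != "Two-Way":
            # A one-way trust breaks either sign-in or user/group sync.
            problems.append(
                f"direction is {trust.get('TrustDirection')!r}; two-way required")
        if trust.get("TrustState") != "Verified":
            reason = trust.get("TrustStateReason")
            problems.append(f"state is {trust.get('TrustState')!r}"
                            + (f" ({reason})" if reason else ""))
        findings[trust["RemoteDomainName"]] = problems
    return findings


def sso_ready_domains(describe_trusts_json):
    """Remote domains whose trust is usable for AWS SSO."""
    return sorted(d for d, p in evaluate_trusts(describe_trusts_json).items() if not p)


if __name__ == "__main__":
    for domain, problems in evaluate_trusts(SAMPLE_DESCRIBE_TRUSTS).items():
        print(domain, "OK" if not problems else "; ".join(problems))
```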