Connect AWS SSO to a self-managed Active Directory - AWS Single Sign-On

Connect AWS SSO to a self-managed Active Directory

Users in your self-managed Active Directory (AD) can also have SSO access to AWS accounts and cloud applications in the AWS SSO user portal. To do that, AWS Directory Service offers two options:

  • Create a two-way trust relationship – When two-way trust relationships are created between AWS Managed Microsoft AD and a self-managed AD, users in your self-managed AD can sign in with their corporate credentials to various AWS services and business applications. One-way trusts do not work with AWS SSO.

    AWS Single Sign-On requires a two-way trust so that it has permissions to read user and group information from your domain to synchronize user and group metadata. AWS SSO uses this metadata when assigning access to permission sets or applications. User and group metadata is also used by applications for collaboration, like when you share a dashboard with another user or group. The trust from AWS Directory Service for Microsoft Active Directory to your domain permits AWS SSO to trust your domain for authentication. The trust in the opposite direction grants AWS permissions to read user and group metadata.

    For more information about setting up a two-way trust, see When to Create a Trust Relationship in the AWS Directory Service Administration Guide.

  • Create an AD Connector – AD Connector is a directory gateway that can redirect directory requests to your self-managed AD without caching any information in the cloud. For more information, see Connect to a Directory in the AWS Directory Service Administration Guide.

    Note

    If you are connecting AWS SSO to an AD Connector directory, any future user password resets must be done from within AD. This means that users will not be able to reset their passwords from the user portal.

    Note

    AWS SSO does not work with Simple AD directories, which are based on Samba 4.
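The following pre-flight check is an added example, not code from the AWS documentation or the AWS SSO service. It applies the rules on this page to the output of `aws ds describe-directories` and `aws ds describe-trusts` (or the equivalent boto3 calls `ds.describe_directories()` and `ds.describe_trusts(DirectoryId=...)`): a Simple AD directory is unsupported, an AD Connector directory works but moves password resets into AD, and an AWS Managed Microsoft AD reaches a self-managed domain only through a trust whose direction is `Two-Way` and whose state is `Verified`. The sample responses are constructed and trimmed to the fields the check reads; the directory IDs, trust IDs and domain names are placeholders, and the `ok`/`warn`/`blocked` verdict labels are this example's own.

```python
"""Pre-flight check: can this AWS Directory Service directory back AWS SSO
for users of a self-managed AD?  Added example, not AWS documentation code.

Feed it the parsed JSON of `aws ds describe-directories` and
`aws ds describe-trusts` (boto3: ds.describe_directories(),
ds.describe_trusts(DirectoryId=...)).  The sample responses below are
constructed; IDs and domain names are placeholders.
"""
import json

OK, WARN, BLOCKED = "ok", "warn", "blocked"   # this example's own labels

# Constructed sample responses, trimmed to the fields the check reads.
SAMPLE_DIRECTORIES = json.loads("""
{"DirectoryDescriptions": [
  {"DirectoryId": "d-0000000001", "Name": "aws.example.com",    "Type": "MicrosoftAD", "Stage": "Active"},
  {"DirectoryId": "d-0000000002", "Name": "corp.example.com",   "Type": "ADConnector", "Stage": "Active"},
  {"DirectoryId": "d-0000000003", "Name": "simple.example.com", "Type": "SimpleAD",    "Stage": "Active"},
  {"DirectoryId": "d-0000000004", "Name": "aws2.example.com",   "Type": "MicrosoftAD", "Stage": "Active"}
]}""")

SAMPLE_TRUSTS = json.loads("""
{"Trusts": [
  {"DirectoryId": "d-0000000001", "TrustId": "t-0000000001", "RemoteDomainName": "corp.example.com",
   "TrustType": "Forest", "TrustDirection": "Two-Way", "TrustState": "Verified", "TrustStateReason": ""},
  {"DirectoryId": "d-0000000004", "TrustId": "t-0000000002", "RemoteDomainName": "corp.example.com",
   "TrustType": "Forest", "TrustDirection": "One-Way: Outgoing", "TrustState": "Verified", "TrustStateReason": ""},
  {"DirectoryId": "d-0000000004", "TrustId": "t-0000000003", "RemoteDomainName": "other.example.com",
   "TrustType": "External", "TrustDirection": "Two-Way", "TrustState": "VerifyFailed",
   "TrustStateReason": "Trust password mismatch"}
]}""")


def assess_directory(directory: dict, trusts: list) -> dict:
    """Judge one directory; returns {"directory_id", "verdict", "findings"}."""
    did = directory["DirectoryId"]
    findings = []
    verdict = OK

    if directory.get("Stage") != "Active":
        findings.append(f"directory stage is {directory.get('Stage')}, not Active")
        verdict = BLOCKED

    dtype = directory.get("Type")
    if dtype == "SimpleAD":
        findings.append("Simple AD (Samba 4) is not supported by AWS SSO")
        return {"directory_id": did, "verdict": BLOCKED, "findings": findings}
    if dtype == "ADConnector":
        # The connector proxies requests to the self-managed domain; no trust is involved,
        # but the user portal cannot reset passwords for these users.
        findings.append("AD Connector: password resets must be done in AD, "
                        "not from the AWS SSO user portal")
        return {"directory_id": did, "verdict": WARN if verdict == OK else verdict,
                "findings": findings}
    if dtype not in ("MicrosoftAD", "SharedMicrosoftAD"):
        findings.append(f"unrecognised directory type {dtype!r}")
        return {"directory_id": did, "verdict": BLOCKED, "findings": findings}

    # Managed Microsoft AD: self-managed users arrive only through a trust,
    # and AWS SSO needs that trust to be two-way and verified.
    own_trusts = [t for t in trusts if t.get("DirectoryId") == did]
    if not own_trusts:
        findings.append("no trust configured; only this directory's own users get SSO")
    for t in own_trusts:
        label = f"trust {t['TrustId']} to {t['RemoteDomainName']}"
        if t.get("TrustDirection") != "Two-Way":
            findings.append(f"{label} is {t.get('TrustDirection')}; AWS SSO needs Two-Way")
            verdict = BLOCKED
        if t.get("TrustState") != "Verified":
            reason = t.get("TrustStateReason") or "no reason reported"
            findings.append(f"{label} state is {t.get('TrustState')} ({reason})")
            verdict = BLOCKED
    return {"directory_id": did, "verdict": verdict, "findings": findings}


def assess_all(directories_resp: dict, trusts_resp: dict) -> dict:
    """Map DirectoryId -> assessment for every directory in the response."""
    trusts = trusts_resp.get("Trusts", [])
    return {d["DirectoryId"]: assess_directory(d, trusts)
            for d in directories_resp.get("DirectoryDescriptions", [])}


if __name__ == "__main__":
    for did, result in assess_all(SAMPLE_DIRECTORIES, SAMPLE_TRUSTS).items():
        print(f"{did}: {result['verdict']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Run it against live output by replacing the two sample objects with `json.load()` of the saved CLI responses. On the constructed sample, the first directory is clean, the AD Connector passes with the password-reset caveat, Simple AD is refused outright, and the fourth directory is blocked twice: once because its trust to `corp.example.com` is only `One-Way: Outgoing`, and once because its second trust never reached `Verified`. Fixing the direction alone is not enough; a trust still in `VerifyFailed` will not let AWS SSO read user and group metadata either.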