Application quotas AWS account quotas Active Directory quotas AWS SSO identity store quotas AWS SSO throttle limits Additional quotas

AWS Single Sign-On quotas

The following tables describe quotas within AWS SSO.

Application quotas

Resource	Default quota	Can be increased
File size of service provider SAML certificates (in PEM format)	2 KB	No
File size limit of the IdP certificate uploaded to SSO	2500 (UTF-8) characters	No

AWS account quotas

Resource	Default quota	Can be increased
Number of permission sets allowed in AWS SSO	500	Yes
Number of permission sets allowed per AWS account	50	Yes
Number of inline policies per permission set	1	No
Maximum size of inline policy per permission set	10,240 bytes	No
Number of IAM roles in the AWS account that can be repaired at a time	1	No

Note

Permission sets are provisioned in AWS accounts as IAM roles and therefore follow IAM quotas. For more information about quotas that are associated with IAM roles, see IAM and STS quotas.

Active Directory quotas

Resource	Default quota	Can be increased
Number of unique directory groups that can be assigned *	2500	Yes
Number of connected directories that you can have at a time	1	No

* Users can belong to many directory groups, and a directory may contain many groups (see AWS SSO identity store quotas). Within AWS SSO, a maximum of 2500 of these groups can be assigned for using accounts and applications.

AWS SSO identity store quotas

Resource	Default quota	Can be increased
Number of unique groups that can be assigned *	2500	Yes
Number of users supported in AWS SSO	50000	Yes
Number of groups supported in AWS SSO	10000	Yes

* Users within an AWS SSO store can have up to 100 of their groups assigned for using applications.

AWS SSO throttle limits

Resource	Default quota
AWS SSO APIs	AWS SSO APIs have a collective throttle limit maximum of 20 transactions per second (TPS). The CreateAccountAssignment has a maximum rate of 10 outstanding async calls. These quotas cannot be changed.

Additional quotas

Resource	Default quota	Can be increased
Total number of AWS accounts or applications that can be configured *	500	Yes
Number of unique groups that can be used to evaluate the permissions for a user **	1000	No

* Only 500 AWS accounts or applications (total combined) are supported. For example, you might configure 275 accounts and 225 applications, resulting in a total of 500 accounts and applications.

** Before displaying the user’s available AWS accounts and application icons in the user portal, AWS SSO evaluates the user’s effective permissions by evaluating their group memberships. Only 1000 unique groups can be used to determine a user’s effective permissions.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Region availability

Troubleshooting