AWS Single Sign-On
User Guide

Manage SSO to Your AWS Accounts

AWS Single Sign-On is integrated with AWS Organizations so that administrators can pick multiple AWS accounts whose users need single sign-on (SSO) access to the AWS Management Console. Once you assign access from the AWS SSO console, you can use permission sets to further refine what users can do in the AWS Management Console. For more information about permission sets, see Permission Sets.

Users follow a simple sign-in process:

  1. Users use their directory credentials to sign in to the user portal.

  2. Users then choose the AWS account name that will give them federated access to the AWS Management Console for that account.

  3. Users who are assigned multiple permission sets choose which IAM role to use.

Permission sets are a way to define permissions centrally in AWS SSO so that they can be applied to all of your AWS accounts; each permission set is provisioned to the AWS accounts it is assigned to as an IAM role. The user portal then lets users retrieve temporary credentials for that IAM role in a given AWS account, so they can use them for short-term access from the AWS CLI. For more information, see How to Get Credentials of an IAM Role for Use with CLI Access to an AWS Account.

To use AWS SSO with AWS Organizations, you must first Enable AWS SSO, which grants AWS SSO the capability to create Service-Linked Roles in each account in your AWS organization. These roles are not created until after you Assign User Access for a given account.

You can also connect an AWS account that is not part of your organization by setting up the account as a custom SAML application in AWS SSO. In this scenario, you provision and manage the IAM roles and trust relationships that are required to enable SSO access. For more information on how to do this, see Add and Configure a Custom SAML 2.0 Application.
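For the custom SAML scenario above, the trust relationship you manage yourself is the IAM role's trust policy. The following is an added example, not AWS's own code: it builds the standard `sts:AssumeRoleWithSAML` trust policy for a role federated to a SAML provider, and includes a review check that flags trust policies allowing SAML assumption without a specific provider principal or the `SAML:aud` audience condition. The account ID and provider name are constructed placeholders.

```python
import json

# Constructed placeholder values; substitute your own account ID and the name
# you gave the SAML provider created in IAM for the AWS SSO application.
ACCOUNT_ID = "123456789012"
PROVIDER_NAME = "AWSSSO"
# Audience value IAM expects in assertions used to sign in to the console.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_trust_policy(account_id, provider_name, audience=AWS_SAML_AUDIENCE):
    """Trust policy for an IAM role that SSO users assume via SAML federation.
    The SAML:aud condition binds the role to assertions issued for AWS sign-in."""
    provider_arn = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": audience}},
        }],
    }


def saml_trust_findings(policy):
    """Review a role trust policy (parsed JSON). Returns one finding per Allow
    statement that permits sts:AssumeRoleWithSAML without pinning the federated
    SAML provider or the SAML:aud audience; an empty list means no issues."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a.lower() in ("sts:assumerolewithsaml", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or principal.get("Federated") in (None, "*"):
            findings.append(f"statement {i}: federated principal is not a specific SAML provider")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append(f"statement {i}: missing SAML:aud condition for {AWS_SAML_AUDIENCE}")
    return findings


if __name__ == "__main__":
    policy = saml_trust_policy(ACCOUNT_ID, PROVIDER_NAME)
    print(json.dumps(policy, indent=2))
    print("findings:", saml_trust_findings(policy))
```

The permissions the role grants once assumed are a separate, attached permissions policy; the trust policy only controls who may assume it.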