Manage Identities in AWS SSO

AWS Single Sign-On provides a default identity store for your users and groups. If you choose to keep them in AWS SSO, all you need to do is the following:

  • Create your users and groups.

  • Add your users as members to the groups.

  • Assign the groups the desired level of access to your AWS accounts and applications.
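
An added example, not part of the AWS documentation: a Python check that a store follows the model above (users belong to groups, and groups rather than individual users receive access), run over constructed records shaped like the `identitystore` and `sso-admin` list API responses. The `audit` function, all IDs and ARNs, and the use of permission sets to represent a "level of access" are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records shaped like identitystore / sso-admin list_*
# responses. Every ID and ARN below is made up for this example.
USERS = [{"UserId": "u-1", "UserName": "alice"},
         {"UserId": "u-2", "UserName": "bob"},
         {"UserId": "u-3", "UserName": "carol"}]
GROUPS = [{"GroupId": "g-1", "DisplayName": "Developers"},
          {"GroupId": "g-2", "DisplayName": "Auditors"}]
MEMBERSHIPS = [{"GroupId": "g-1", "MemberId": {"UserId": "u-1"}},
               {"GroupId": "g-1", "MemberId": {"UserId": "u-2"}}]
PS_RO = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-readonly"
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin"
ASSIGNMENTS = [
    {"AccountId": "111111111111", "PermissionSetArn": PS_RO,
     "PrincipalType": "GROUP", "PrincipalId": "g-1"},
    {"AccountId": "111111111111", "PermissionSetArn": PS_ADMIN,
     "PrincipalType": "USER", "PrincipalId": "u-2"},
]

def audit(users, groups, memberships, assignments):
    """Check the store against the users -> groups -> assignments model."""
    names = {u["UserId"]: u["UserName"] for u in users}
    gnames = {g["GroupId"]: g["DisplayName"] for g in groups}
    members = defaultdict(set)            # GroupId -> {UserId}
    for m in memberships:
        members[m["GroupId"]].add(m["MemberId"]["UserId"])
    effective = defaultdict(set)          # UserName -> {(account, permission set)}
    direct, assigned_groups = [], set()
    for a in assignments:
        grant = (a["AccountId"], a["PermissionSetArn"])
        if a["PrincipalType"] == "USER":  # access granted outside any group
            direct.append((names[a["PrincipalId"]], *grant))
            effective[names[a["PrincipalId"]]].add(grant)
        else:                             # group grant reaches every member
            assigned_groups.add(a["PrincipalId"])
            for uid in members[a["PrincipalId"]]:
                effective[names[uid]].add(grant)
    grouped = set().union(*members.values())
    return {
        "direct_user_assignments": direct,
        "users_without_group": sorted(n for i, n in names.items() if i not in grouped),
        "groups_without_assignment": sorted(n for i, n in gnames.items() if i not in assigned_groups),
        "effective_access": {u: sorted(g) for u, g in effective.items()},
    }

if __name__ == "__main__":
    for key, value in audit(USERS, GROUPS, MEMBERSHIPS, ASSIGNMENTS).items():
        print(key, value)
```

Direct user assignments and users outside every group are the items to review first, since they are access that group membership alone does not explain.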

If you prefer to manage users in AWS Managed Microsoft AD, you can discontinue use of your AWS SSO store at any time and instead connect AWS SSO to your Microsoft AD using AWS Directory Service. For more information, see Connect to Your Microsoft AD Directory.

If you prefer to manage users in an external identity provider (IdP), you can connect AWS SSO to your IdP and enable automatic provisioning. For more information, see Connect to Your External Identity Provider.

Provisioning When Users are in AWS SSO

When you create users and groups directly in AWS SSO, provisioning is automatic. These identities are immediately available for use in making assignments and for use by AWS SSO-integrated applications. For more information, see User and group provisioning.