Other identity providers - AWS Single Sign-On

Other identity providers

AWS SSO implements the following standards-based protocols for identity federation:

  • SAML 2.0 for user authentication

  • SCIM for provisioning

Any identity provider (IdP) that implements these standard protocols is expected to interoperate successfully with AWS SSO, with the following special considerations:

  • SAML

    • AWS SSO requires a SAML nameID format of email address (that is, urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)

    • The value of the nameID field in assertions must be an RFC 2822 (https://tools.ietf.org/html/rfc2822) addr-spec compliant string (for example, “name@domain.com”; see https://tools.ietf.org/html/rfc2822#section-3.4.1)

IdPs that do not conform to the standards and considerations mentioned above are not supported. Please contact your IdP for questions or clarifications regarding the conformance of their products to these standards and considerations.
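The two SAML checks above can be tested against an assertion before an IdP is connected. The following is an added example, not AWS or IdP code; the sample assertions are constructed, and `check_name_id` and `is_addr_spec` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from email.utils import parseaddr

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def is_addr_spec(value):
    """True if value is a bare RFC 2822 addr-spec (local-part@domain).

    A display name ("Jane Doe <jane@example.com>"), whitespace, or a missing
    local-part or domain all fail, since AWS SSO expects only the address.
    """
    name, addr = parseaddr(value)
    if name or addr != value or value.count("@") != 1 or " " in value:
        return False
    local, domain = value.split("@")
    return bool(local) and bool(domain)


def check_name_id(assertion_xml):
    """Return (ok, reason) for the NameID of the assertion's Subject."""
    root = ET.fromstring(assertion_xml)
    node = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if node is None:
        return False, "no Subject/NameID element in assertion"
    fmt = node.get("Format")
    if fmt != EMAIL_FORMAT:
        return False, f"NameID Format is {fmt!r}, AWS SSO requires {EMAIL_FORMAT}"
    value = (node.text or "").strip()
    if not is_addr_spec(value):
        return False, f"NameID value {value!r} is not an RFC 2822 addr-spec"
    return True, "ok"


def _assertion(fmt, value):
    # Constructed minimal assertion; real ones carry Issuer, Conditions, Signature.
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
        f'<saml:Subject><saml:NameID Format="{fmt}">{value}</saml:NameID>'
        "</saml:Subject></saml:Assertion>"
    )


GOOD = _assertion(EMAIL_FORMAT, "jane@example.com")
WRONG_FORMAT = _assertion("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "jane@example.com")
WRONG_VALUE = _assertion(EMAIL_FORMAT, "Jane Doe &lt;jane@example.com&gt;")

if __name__ == "__main__":
    for sample in (GOOD, WRONG_FORMAT, WRONG_VALUE):
        print(check_name_id(sample))
```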

If you have any issues connecting your IdP to AWS SSO, we recommend that you check:

Note

Some IdPs, including those in the list of Supported identity providers, offer a simplified configuration experience for AWS SSO in the form of an “application” or “connector” built specifically for AWS Single Sign-On. If your IdP provides this option, we recommend that you use it, being careful to choose the item that’s built specifically for AWS Single Sign-On. Other items called “AWS”, “AWS federation”, or similar generic “AWS” names may use other federation approaches and/or endpoints, and may not work as expected with AWS SSO.