AWS Single Sign-On
User Guide

AWS SSO Prerequisites

Before you can set up AWS SSO, you must meet the following requirements:

  • You must have first set up the AWS Organizations service and have All features set to enabled.

  • You must sign-in with the AWS Organizations master account credentials before you begin setting up AWS SSO. These credentials are required to enable AWS SSO. For more information, see Creating and Managing an AWS Organization in the AWS Organizations User Guide. You cannot set up AWS SSO while signed in with credentials from an Organization’s member account.

  • You must have an existing Microsoft Active Directory (AD) set up in AWS Directory Service and it must reside within your organization's master account. This AWS Microsoft AD directory determines which pool of users has SSO access to the user portal. You can connect only one AWS Microsoft AD directory at a time. However, you can change it to a different AWS Microsoft AD directory at any time. For more information, see Create a Microsoft AD Directory in the AWS Directory Service Administration Guide.

  • Your connected directory must be in the US East (N. Virginia) (us-east-1) Region where AWS SSO is also available. AWS SSO stores the assignment data in the same region as the directory. To administer AWS SSO, you must be in the us-east-1 region. Also, note that AWS SSO’s user portal uses the same access URL as your connected directory.