AWS Single Sign-On
User Guide

AWS SSO Prerequisites

Before you can set up AWS SSO, you must:

  • Have first set up the AWS Organizations service and have All features set to enabled. For more information about this setting, see Enabling All Features in Your Organization in the AWS Organizations User Guide.

  • Sign in with the AWS Organizations master account credentials before you begin setting up AWS SSO. These credentials are required to enable AWS SSO. For more information, see Creating and Managing an AWS Organization in the AWS Organizations User Guide. You cannot set up AWS SSO while signed in with credentials from an Organization’s member account.

  • Have chosen a directory store to determine which pool of users has SSO access to the user portal. If you choose to use the default AWS SSO directory for your user store, no prerequisite tasks are required. The AWS SSO directory is created by default once you enable AWS SSO and is immediately ready for use. There is no cost for using this directory type. If you choose to connect to an existing Active Directory for your user store, you must have:

    • An existing AD Connector or AWS Managed Microsoft AD directory set up in AWS Directory Service, and it must reside within your organization's master account. You can connect only one AWS Managed Microsoft AD directory at a time. However, you can change it to a different AWS Managed Microsoft AD directory or change it back to an AWS SSO directory at any time. For more information, see Create an AWS Managed Microsoft AD Directory in the AWS Directory Service Administration Guide.

    • AWS SSO set up in the same region as your AWS Managed Microsoft AD directory. AWS SSO stores its assignment data in the same region as the directory, so to administer AWS SSO you must switch to the region where you set it up. Also note that the AWS SSO user portal uses the same access URL as your connected directory.
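The three prerequisites above can be verified before you open the AWS SSO console. The following pre-flight check is an added example, not code from the AWS documentation or from AWS: it calls three real APIs through boto3 (Organizations DescribeOrganization, STS GetCallerIdentity and Directory Service DescribeDirectories) and reduces their responses to a list of failures. The decision logic is kept in pure functions that take the API responses as plain dicts, so it can also be run offline against the constructed SAMPLE_* responses at the bottom (those values, including the account IDs and directory IDs, are made up for illustration).

```python
"""Pre-flight check for the AWS SSO prerequisites (added example).

Requires boto3 and AWS credentials only for the live run(); the
check_* / evaluate() functions work on plain dicts shaped like the
API responses and need no network access.
"""

MICROSOFT_AD = "MicrosoftAD"   # Type value returned for AWS Managed Microsoft AD
AD_CONNECTOR = "ADConnector"   # Type value returned for AD Connector


def check_org_all_features(org_response):
    """Prerequisite 1: the organization must have 'All features' enabled."""
    feature_set = org_response["Organization"]["FeatureSet"]
    if feature_set != "ALL":
        return f"Organizations FeatureSet is {feature_set!r}; must be 'ALL'"
    return None


def check_signed_in_as_master(org_response, identity_response):
    """Prerequisite 2: the caller's credentials must belong to the master account,
    not to a member account."""
    master = org_response["Organization"]["MasterAccountId"]
    current = identity_response["Account"]
    if current != master:
        return f"signed in as member account {current}; master account is {master}"
    return None


def find_eligible_directories(directories_response):
    """Prerequisite 3 (Active Directory case): an AD Connector or AWS Managed
    Microsoft AD directory in this account and region that is already Active.
    Simple AD directories are skipped because AWS SSO does not connect to them."""
    eligible = []
    for d in directories_response["DirectoryDescriptions"]:
        if d["Type"] in (MICROSOFT_AD, AD_CONNECTOR) and d.get("Stage") == "Active":
            eligible.append((d["DirectoryId"], d["Type"], d.get("AccessUrl")))
    return eligible


def evaluate(org_response, identity_response, directories_response=None):
    """Return a list of human-readable failures; an empty list means ready."""
    failures = []
    for problem in (check_org_all_features(org_response),
                    check_signed_in_as_master(org_response, identity_response)):
        if problem:
            failures.append(problem)
    # The default AWS SSO directory needs no prerequisites, so Directory Service
    # is only inspected when the caller intends to connect an existing AD.
    if directories_response is not None and not find_eligible_directories(directories_response):
        failures.append("no Active AD Connector or AWS Managed Microsoft AD directory "
                        "found in this account and region")
    return failures


def run(region, use_active_directory):
    """Live check against AWS. The region must be the one your directory lives in,
    because that is also the region in which AWS SSO has to be set up."""
    import boto3  # imported here so the pure functions above work without boto3
    org = boto3.client("organizations").describe_organization()
    identity = boto3.client("sts").get_caller_identity()
    dirs = None
    if use_active_directory:
        dirs = boto3.client("ds", region_name=region).describe_directories()
    return evaluate(org, identity, dirs)


# Constructed sample responses (not captured from a real account).
SAMPLE_ORG = {"Organization": {"Id": "o-exampleorgid", "FeatureSet": "ALL",
                               "MasterAccountId": "111111111111"}}
SAMPLE_ORG_BILLING_ONLY = {"Organization": {"Id": "o-exampleorgid",
                                            "FeatureSet": "CONSOLIDATED_BILLING",
                                            "MasterAccountId": "111111111111"}}
SAMPLE_IDENTITY_MASTER = {"Account": "111111111111",
                          "Arn": "arn:aws:iam::111111111111:user/admin"}
SAMPLE_IDENTITY_MEMBER = {"Account": "222222222222",
                          "Arn": "arn:aws:iam::222222222222:user/admin"}
SAMPLE_DIRECTORIES = {"DirectoryDescriptions": [
    {"DirectoryId": "d-1234567890", "Name": "corp.example.com", "Type": "MicrosoftAD",
     "Stage": "Active", "AccessUrl": "corp-example.awsapps.com"},
    {"DirectoryId": "d-0987654321", "Name": "simple.example.com", "Type": "SimpleAD",
     "Stage": "Active", "AccessUrl": "simple-example.awsapps.com"},
]}

if __name__ == "__main__":
    import sys
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    problems = run(region, use_active_directory=True)
    print("ready to enable AWS SSO" if not problems else "\n".join(problems))
```

Run it as `python sso_preflight.py <region>` with the master account's credentials in the environment; any line it prints corresponds to one of the bullets above that is not yet satisfied. The access URL it reports for the eligible directory is the one the AWS SSO user portal will use.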