Amazon WorkLink
Administration Guide

Configure your Identity Provider (IdP)

You must link your existing identity provider (IdP) to your fleet. Use your existing SAML 2.0 provider to add users who you want to access your internal websites.

To configure your Identity Provider (IdP)

  1. Open the Amazon WorkLink console at https://console.aws.amazon.com/worklink/.

  2. On the Fleets page, select the fleet, and choose View details.

  3. Choose Identity provider (IdP), Link IdP.

  4. Under Provider type, select SAML.

  5. Under IdP metadata document, choose Choose file to select an XML document generated by your IdP that supports SAML 2.0.

    Use the following instructions to set up a SAML 2.0 app using common identity providers:

  6. Choose Service provider metadata document to download and upload it to your IdP. Some identity providers don't support uploading the service provider SAML metadata file downloaded from the Amazon WorkLink console, SDK, or CLI directly into their system. Instead, you must copy the entityID (or Audience URI) and AssertionConsumerService (or ACS) URL from the service provider SAML metadata file into the identity provider portal manually.

    Note the following:

    • Okta doesn't support uploading the service provider metadata document directly, so you must manually copy the entity ID and the ACS URL.

    • You can upload the service provider metadata document directly in AWS Single Sign-On.

    • You can upload the service provider metadata document directly in Ping Identity.

    • G Suite doesn't support uploading the service provider metadata document directly, so you must manually copy the entity ID and the ACS URL.

  7. Choose Link IdP.
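Step 6 notes that some identity providers (Okta and G Suite among those listed) will not accept the service provider metadata file, so the entity ID and ACS URL have to be copied out of it by hand. The script below is an added example, not code from the Amazon WorkLink guide or AWS: it parses a service provider SAML 2.0 metadata document, extracts the `entityID` (Audience URI) and the HTTP-POST `AssertionConsumerService` URL, and refuses documents that are not SP metadata or that advertise a non-HTTPS ACS endpoint. The embedded metadata document is constructed for the example; its `entityID` and ACS `Location` values are placeholders and are not real Amazon WorkLink endpoints.

```python
import xml.etree.ElementTree as ET

# Namespace used by SAML 2.0 metadata documents
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata document (placeholder values, not a real
# WorkLink fleet). A real document comes from the WorkLink console download.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-fleet.worklink.example/saml/sp-placeholder">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-fleet.worklink.example/saml/acs-placeholder"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_settings(metadata_xml: str) -> dict:
    """Return the entityID (Audience URI), the HTTP-POST ACS URL and the
    WantAssertionsSigned flag from an SP metadata document.

    Raises ValueError when the document is not SP metadata or lacks a
    usable ACS endpoint, so a wrong file is caught before it is typed
    into the IdP portal.
    """
    # ElementTree's expat parser does not resolve external entities, so a
    # crafted metadata file cannot pull in local files via XXE here.
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")

    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute is missing")

    # IdP metadata carries IDPSSODescriptor instead; reject it so the
    # IdP-side values are never pasted where the SP-side values belong.
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")

    acs_urls = [
        acs.get("Location")
        for acs in sp.findall("md:AssertionConsumerService", NS)
        if acs.get("Binding") == HTTP_POST and acs.get("Location")
    ]
    if not acs_urls:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint found")

    # Assertions carry the user's identity; only accept TLS-protected endpoints.
    for url in acs_urls:
        if not url.startswith("https://"):
            raise ValueError(f"ACS URL is not https: {url}")

    return {
        "entity_id": entity_id,
        "acs_url": acs_urls[0],
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    settings = extract_sp_settings(SAMPLE_SP_METADATA)
    print("Entity ID / Audience URI:", settings["entity_id"])
    print("ACS URL:", settings["acs_url"])
    print("Assertions must be signed:", settings["want_assertions_signed"])
```

Run it against the metadata file downloaded from the console by replacing `SAMPLE_SP_METADATA` with the file's contents; the two printed values are the ones Okta and G Suite ask for as the Audience URI and the single sign-on (ACS) URL. If the file came from an IdP rather than the WorkLink console, the `SPSSODescriptor` check fails and nothing is printed, which is the intended outcome.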