Amazon WorkLink
Administration Guide


Configure your Identity Provider (IdP)

You must link your existing identity provider (IdP) to your fleet. Use your existing SAML 2.0 provider to add the users who should be able to access your internal websites.

To configure your Identity Provider (IdP)

  1. Open the Amazon WorkLink console at https://console.aws.amazon.com/worklink/.

  2. On the Fleets page, select the fleet, and choose View details.

  3. Choose Identity provider (IdP), Link IdP.

  4. Under Provider type, select SAML.

  5. Under IdP metadata document, choose Choose file to select an XML document generated by your IdP that supports SAML 2.0.

    Use the following instructions to set up a SAML 2.0 app using common identity providers:

  6. Choose Service provider metadata document to download it, then upload it to your IdP. Some identity providers don't support uploading the service provider SAML metadata file downloaded from the Amazon WorkLink console, SDK, or CLI directly into their system. Instead, you must manually copy the entityID (or Audience URI) and the AssertionConsumerService (or ACS) URL from the service provider SAML metadata file into the identity provider portal.

    Note the following:

    • Okta doesn't support uploading the service provider metadata document directly, so you must manually copy the entity ID and the ACS URL.

    • You can upload the service provider metadata document directly in AWS Single Sign-On.

    • You can upload the service provider metadata document directly in Ping Identity.

    • G Suite doesn't support uploading the service provider metadata document directly, so you must manually copy the entity ID and the ACS URL.

  7. Choose Link IdP.
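For IdPs that don't accept the metadata upload in step 6 (Okta, G Suite), the entity ID and ACS URL have to be read out of the service provider metadata file. The following added example (not code from the Amazon WorkLink documentation or service) parses a SAML 2.0 SP metadata document with Python's standard library and returns those two values; the embedded metadata is a constructed sample with placeholder entity ID and ACS URL, not values from a real fleet.

```python
"""Extract entityID (Audience URI) and ACS URL from SAML 2.0 SP metadata."""
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata namespace (from the OASIS spec, not page-specific)
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ENTITY_DESCRIPTOR = "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor"

# Constructed sample: entity ID and ACS URL are placeholders, not real values.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/fleet/PLACEHOLDER-FLEET-ID">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/fleet/PLACEHOLDER-FLEET-ID/saml/acs"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_settings(metadata_xml: str) -> dict:
    """Return entity ID, ACS endpoints and whether the SP wants signed assertions."""
    root = ET.fromstring(metadata_xml)
    if root.tag != ENTITY_DESCRIPTOR:
        raise ValueError("not a SAML 2.0 EntityDescriptor document")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing from EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    acs = [{"binding": el.get("Binding"), "location": el.get("Location"),
            "index": int(el.get("index", "0")), "default": el.get("isDefault") == "true"}
           for el in sp.findall("md:AssertionConsumerService", NS)]
    if not acs:
        raise ValueError("no AssertionConsumerService endpoint in metadata")
    return {"entity_id": entity_id, "acs": acs,
            "want_assertions_signed": sp.get("WantAssertionsSigned") == "true"}


def default_acs_url(settings: dict) -> str:
    """ACS URL to enter in the IdP: the isDefault endpoint, else the lowest index."""
    ordered = sorted(settings["acs"], key=lambda a: (not a["default"], a["index"]))
    return ordered[0]["location"]


if __name__ == "__main__":
    s = extract_sp_settings(SAMPLE_SP_METADATA)
    print("Entity ID / Audience URI:", s["entity_id"])
    print("ACS URL:", default_acs_url(s))
```

Run it against the file downloaded from the console instead of the sample to get the two values to paste into the Okta or G Suite application settings.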