AWS IAM Identity Center (successor to AWS SSO) Integration Guide for External AWS Account
Introduction
This document helps you configure IAM Identity Center to provide single sign-on (SSO) to an External AWS Account (an AWS account outside your organization) using SAML 2.0 federation into an IAM role in that account.
Prerequisites
You'll need the following to set up SSO access to External AWS Account:
- Access to the IAM Identity Center console with permissions to manage applications.
- An External AWS Account outside your organization, with administrator permissions for AWS IAM in that account (you will create a SAML identity provider, a policy, and a role there).
- Note that External AWS Account does not support SP-initiated SSO; users must start the sign-in from the AWS access portal.
Limitations
The External AWS Account application supports only one IAM role attribute mapping per application instance. To federate into more than one role, create one External AWS Account application instance per role, each with its own attribute mapping and its own user assignments.
Setup instructions
- On the Configure page, in the Details section, fill in the Display name and the Description (optional) of the application.
Note
We suggest that you choose a unique display name if you plan to have more than one of the same application.
- Download the IAM Identity Center SAML metadata and save it. Choose Save Changes.
- In the External AWS account, create a SAML identity provider in the IAM console and upload the metadata file that you downloaded earlier. Note the ARN of the new provider; you will need it for the attribute mapping.
- In the External AWS account, create an IAM policy granting the access required by your use case. This policy defines the permissions that the federated IAM role will have in the External AWS Account, so grant only what the use case needs.
- In the External AWS account, create an IAM role for SAML 2.0 federation that trusts the new SAML identity provider, and attach the new policy. You can attach multiple policies. Note the ARN of the role.
- Go back to the IAM Identity Center console page where you configured the application.
- Choose the Attribute Mappings tab, then choose Add a new attribute mapping and add the following attributes for the role. Both ARNs must match the ones in the External AWS Account exactly; ARNs are case-sensitive.
Field | Value | Format |
---|---|---|
https://aws.amazon.com/SAML/Attributes/Role | arn:aws:iam::ACCOUNTID:saml-provider/SAMLPROVIDERNAME,arn:aws:iam::ACCOUNTID:role/ROLENAME | unspecified |
https://aws.amazon.com/SAML/Attributes/RoleSessionName | <ROLE_SESSION_NAME> must match [a-zA-Z_0-9+=,.@-]{2,64} | unspecified |
- Assign a user to the application in IAM Identity Center.
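As an added example, not part of the original guide, the following Python script produces the two artifacts the steps above ask you to create by hand: the trust policy of the SAML federation role in the External AWS Account, and the two attribute-mapping values for the IAM Identity Center application. The account ID 123456789012, the SAML provider name IAMIdentityCenter, the role name ExternalAccountAdmin and the session name alice@example.com are assumed placeholders.

```python
"""Build the IAM role trust policy and the attribute-mapping values for SAML
federation from IAM Identity Center into an external AWS account.

Assumed placeholders (example only): account 123456789012, SAML provider
"IAMIdentityCenter", role "ExternalAccountAdmin".
"""
import json
import re

# Audience that AWS STS expects in a SAML assertion used for AWS sign-in.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# Constraint on RoleSessionName from the attribute mapping table above; it
# applies to the resolved value, not to an IAM Identity Center template.
SESSION_NAME_RE = re.compile(r"^[a-zA-Z_0-9+=,.@-]{2,64}$")
ACCOUNT_ID_RE = re.compile(r"^[0-9]{12}$")


def is_valid_account_id(account_id: str) -> bool:
    """AWS account IDs are exactly 12 digits; a typo here breaks both ARNs."""
    return bool(ACCOUNT_ID_RE.match(account_id))


def saml_provider_arn(account_id: str, provider_name: str) -> str:
    if not is_valid_account_id(account_id):
        raise ValueError(f"not a 12-digit account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def role_arn(account_id: str, role_name: str) -> str:
    if not is_valid_account_id(account_id):
        raise ValueError(f"not a 12-digit account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy for the federated role: only assertions issued through the
    named SAML provider and addressed to the AWS sign-in audience may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": saml_provider_arn(account_id, provider_name)},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
        ],
    }


def is_valid_role_session_name(name: str) -> bool:
    """Check a resolved session name against the constraint STS enforces."""
    return bool(SESSION_NAME_RE.match(name))


def attribute_mappings(account_id: str, provider_name: str, role_name: str) -> dict:
    """Values to enter on the Attribute Mappings tab (format: unspecified).
    One application instance carries exactly one provider/role pair."""
    return {
        ROLE_ATTR: f"{saml_provider_arn(account_id, provider_name)},{role_arn(account_id, role_name)}",
    }


if __name__ == "__main__":
    acct, provider, role = "123456789012", "IAMIdentityCenter", "ExternalAccountAdmin"
    # Save this output as trust.json and create the role with:
    #   aws iam create-role --role-name ExternalAccountAdmin \
    #       --assume-role-policy-document file://trust.json
    print(json.dumps(trust_policy(acct, provider), indent=2))
    for name, value in attribute_mappings(acct, provider, role).items():
        print(f"{name} = {value}")
    session_name = "alice@example.com"  # assumed resolved RoleSessionName
    print(f"{SESSION_ATTR} = {session_name} (valid: {is_valid_role_session_name(session_name)})")
```

Save the printed policy as trust.json, create the role with `aws iam create-role --assume-role-policy-document file://trust.json`, then attach the permissions policy with `aws iam attach-role-policy`. The `SAML:aud` condition is what ties the role to AWS sign-in; leaving it out lets any assertion from the provider assume the role, regardless of the intended recipient.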
Verification
Use the following sections to verify the SSO integration.
Note
Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.
Verifying SSO from IAM Identity Center
- Access the AWS access portal using the credentials of a user assigned to the External AWS Account application.
- In the list of applications, choose External AWS Account to initiate a login to External AWS Account.
- If login was successful, you are signed in to the AWS Management Console of the External AWS Account with the IAM role named in the attribute mapping.
Note
External AWS Account does not support SP initiated SSO.
Troubleshooting
If sign in was not successful, please see the troubleshooting steps.
Troubleshooting
Error | Issue | Solution |
---|---|---|
Access Denied | The Role attribute value (SAML provider ARN and role ARN) or the role's trust policy does not match | Copy the SAML provider ARN and role ARN from the IAM console of the External AWS Account and check for an exact, case-sensitive match in the attribute mapping. Also confirm that the role's trust policy names that SAML provider as the federated principal and allows sts:AssumeRoleWithSAML. |
Invalid SAML response | The metadata uploaded to the SAML provider is incorrect, or belongs to a different application instance | Download the metadata from the correct application instance and upload it to the SAML provider in the account. |
For general troubleshooting problems, please refer to Troubleshooting Guide.
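As an added example, not part of the original guide, the following Python script checks a captured SAMLResponse for the two causes of Access Denied listed above: a Role attribute whose ARNs do not match (including a difference in case only) and a RoleSessionName outside the allowed pattern. It also checks the audience. It inspects attribute values only and does not verify the assertion's signature; the embedded assertion is constructed sample input, and the ARNs and session name are assumed placeholders.

```python
"""Diagnose an "Access Denied" at AWS sign-in by checking the attribute values
inside a captured SAMLResponse against the expected ARNs.

Only attribute values are inspected; the signature is not verified. The
sample assertion produced by build_sample_response is constructed, not a
real capture.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
SESSION_NAME_RE = re.compile(r"^[a-zA-Z_0-9+=,.@-]{2,64}$")


def build_sample_response(role_value: str, session_name: str) -> str:
    """Constructed, unsigned SAML response, base64-encoded as it would appear
    in the SAMLResponse form field. Used only as sample input."""
    xml = (
        '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml2:Assertion><saml2:Conditions><saml2:AudienceRestriction>"
        f"<saml2:Audience>{SAML_AUDIENCE}</saml2:Audience>"
        "</saml2:AudienceRestriction></saml2:Conditions><saml2:AttributeStatement>"
        f'<saml2:Attribute Name="{ROLE_ATTR}"><saml2:AttributeValue>{role_value}'
        "</saml2:AttributeValue></saml2:Attribute>"
        f'<saml2:Attribute Name="{SESSION_ATTR}"><saml2:AttributeValue>{session_name}'
        "</saml2:AttributeValue></saml2:Attribute>"
        "</saml2:AttributeStatement></saml2:Assertion></saml2p:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def extract_attributes(root: ET.Element) -> dict:
    """Map each SAML attribute Name to its list of values."""
    return {
        attr.get("Name"): [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        for attr in root.iterfind(".//saml2:Attribute", NS)
    }


def diagnose(saml_response_b64: str, expected_provider_arn: str, expected_role_arn: str) -> list:
    """Return a list of findings; an empty list means the attributes look right."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []

    audiences = [a.text for a in root.iterfind(".//saml2:Audience", NS)]
    if SAML_AUDIENCE not in audiences:
        findings.append(f"audience {audiences} does not include {SAML_AUDIENCE}")

    attrs = extract_attributes(root)
    expected = {expected_provider_arn, expected_role_arn}
    role_values = attrs.get(ROLE_ATTR, [])
    if not role_values:
        findings.append("Role attribute missing: no attribute mapping for " + ROLE_ATTR)
    for value in role_values:
        # STS accepts the provider ARN and role ARN in either order.
        parts = {p.strip() for p in value.split(",")}
        if len(parts) != 2:
            findings.append(f"Role value must be 'provider-arn,role-arn': {value!r}")
        elif parts == expected:
            continue
        elif {p.lower() for p in parts} == {e.lower() for e in expected}:
            findings.append(f"Role value differs from expected ARNs only in case (ARNs are case-sensitive): {value!r}")
        else:
            findings.append(f"Role value does not match expected provider/role ARNs: {value!r}")

    session = attrs.get(SESSION_ATTR, [])
    if len(session) != 1 or not SESSION_NAME_RE.match(session[0]):
        findings.append(f"RoleSessionName must match [a-zA-Z_0-9+=,.@-]{{2,64}}: {session!r}")
    return findings


if __name__ == "__main__":
    provider = "arn:aws:iam::123456789012:saml-provider/IAMIdentityCenter"  # assumed
    role = "arn:aws:iam::123456789012:role/ExternalAccountAdmin"  # assumed
    # Typical mistake: role name entered in the wrong case in the attribute mapping.
    captured = build_sample_response(f"{provider},{role.lower()}", "alice@example.com")
    for finding in diagnose(captured, provider, role) or ["no attribute problems found"]:
        print(finding)
```

To use it on a real sign-in, capture the SAMLResponse form field from the browser's developer tools during the failed login and pass it to `diagnose` along with the ARNs copied from the IAM console of the External AWS Account.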
User Provisioning Types
There are two user provisioning types you need to be aware of:
- Preprovisioned users
Preprovisioned users must already exist in the downstream SaaS application. For instance, you may need to create SaaS users with the same subject as the AD users.
- JIT users
JIT (just-in-time) users do not necessarily exist in the downstream SaaS application; they are provisioned (created or registered) the first time the user federates. You may need to enable the JIT option in your SaaS application for the AD domain.
For External AWS Account, federation lands in an IAM role rather than a per-user principal, so no users need to exist in that account; the RoleSessionName attribute identifies the individual session.