AWS Single Sign-On (AWS SSO) Integration Guide for External AWS Account

Introduction

This document helps you configure AWS SSO to facilitate single sign-on (SSO) for External AWS Account (AWS account outside your Organization) using SAML.

Topics

Prerequisites

You'll need the following to set up SSO access to External AWS Account:

Limitations

External AWS Account service only supports one IAM Role attribute mapping per application instance. So, you would have to create multiple External AWS Account application instances to use multiple roles.

Setup instructions

  1. On the Configure page, in the Details section, fill in the Display name and the Description(optional) of the application.

Note

We suggest that you choose a unique display name if you plan to have more than one of the same application.

  1. Download the AWS SSO SAML metadata and save it. Choose Save Changes.

  2. Create a SAML Identity provider in IAM console and upload the metadata file that was download earlier.

  3. Create an IAM policy for allowing access as required by your use case. This policy will define the permissions that this IAM role will have in the External AWS Account.

  4. Create an IAM role for SAML Federation trusting the new SAML Identity provider, and attach this new policy. You can attach multiple policies as well.

  5. Go back to the AWS SSO console page where you configured the Application.

  6. Choose Attribute Mappings tab. Click on Add a new attribute mapping. Add an attribute for the Role.

Field Value Format
https://aws.amazon.com/SAML/Attributes/Role arn:aws:iam::ACCOUNTID:saml-provider/SAMLPROVIDERNAME,arn:aws:iam::ACCOUNTID:role/ROLENAME unspecified
  1. Assign a user to the application in AWS SSO.

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both AWS SSO and the application before performing the steps in each section.

Verifying SSO from AWS SSO

  1. Access the AWS SSO end user portal using the credentials of a user assigned to the External AWS Account application.

  2. In the list of applications, choose External AWS Account to initiate a login to External AWS Account.

  3. If login was successful you will be signed-in to the External AWS Account network.

Note

External AWS Account does not support SP initiated SSO.

Troubleshooting

If sign in was not successful, please see the troubleshooting steps.

Troubleshooting

Error Issue Solution
Access Denied The Attribute Value containing Role name, SAML provider name might be incorrect Copy the ARNs for SAML provider and Role name and check exact case sensitive match
Invalid SAML response The metadata uploaded to the SAML provider is incorrect Download the metadata from the correct application instance and upload it to the SAML provider in the account.

For general troubleshooting problems, please refer to Troubleshooting Guide.

User Provisioning Types

There are two user provisioning you need to aware of: