AWS IAM Identity Center (successor to AWS SSO) Integration Guide for External AWS Account

Introduction

This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for External AWS Account (AWS account outside your Organization) using SAML.

Topics

• Prerequisites

• Setup instructions

• Verification

• Troubleshooting

Prerequisites

You'll need the following to set up SSO access to External AWS Account:

• Access to the IAM Identity Center console with permissions to manage applications.

• An External AWS Account outside your Organization with admin permissions for AWS IAM.

• External AWS Account does not support SP initiated SSO.

Limitations

External AWS Account service only supports one IAM Role attribute mapping per application instance. So, you would have to create multiple External AWS Account application instances to use multiple roles.

Setup instructions

1. On the Configure page, in the Details section, fill in the Display name and the Description(optional) of the application.

Note

We suggest that you choose a unique display name if you plan to have more than one of the same application.

2. Download the IAM Identity Center SAML metadata and save it. Choose Save Changes.

3. In the External AWS account, Create a SAML Identity provider in IAM console and upload the metadata file that was download earlier.

4. In the External AWS account, Create an IAM policy for allowing access as required by your use case. This policy will define the permissions that this IAM role will have in the External AWS Account.

5. In the External AWS account, Create an IAM role for SAML Federation trusting the new SAML Identity provider, and attach this new policy. You can attach multiple policies as well.

6. Go back to the IAM Identity Center console page where you configured the Application.

7. Choose Attribute Mappings tab. Click on Add a new attribute mapping. Add following attributes for the Role:

Field	Value	Format
https://aws.amazon.com/SAML/Attributes/Role	arn:aws:iam::ACCOUNTID:saml-provider/SAMLPROVIDERNAME,arn:aws:iam::ACCOUNTID:role/ROLENAME	unspecified
https://aws.amazon.com/SAML/Attributes/RoleSessionName	<ROLE_SESSION_NAME> must match [a-zA-Z_0-9+=,.@-]{2,64}	unspecified

8. Assign a user to the application in IAM Identity Center.

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.

Verifying SSO from IAM Identity Center

1. Access the AWS access portal using the credentials of a user assigned to the External AWS Account application.

2. In the list of applications, choose External AWS Account to initiate a login to External AWS Account.

3. If login was successful you will be signed-in to the External AWS Account network.

Note

External AWS Account does not support SP initiated SSO.

Troubleshooting

If sign in was not successful, please see the troubleshooting steps.

Troubleshooting

Error	Issue	Solution
Access Denied	The Attribute Value containing Role name, SAML provider name might be incorrect	Copy the ARNs for SAML provider and Role name and check exact case sensitive match
Invalid SAML response	The metadata uploaded to the SAML provider is incorrect	Download the metadata from the correct application instance and upload it to the SAML provider in the account.

For general troubleshooting problems, please refer to Troubleshooting Guide.

User Provisioning Types

There are two user provisioning you need to aware of:

• Preprovisioned users

  Preprovisioned users, means users must already exist in the downstream SaaS application. For instance, you may need to create SaaS users with the same subject as the AD users.

• JIT users

  JIT (or Just-In-Time) users, means users do not necessarily exist in the downstream SaaS application, and will be provisioned/created/registered the first time the user federates. You may need to enable JIT option in your SaaS application for the AD domain.