• Home
• App Integrations
• Single Sign-On Integrations
• AWS Single Sign-On

AWS Single Sign-On | AWS SSO SAML Service for your account

---

Amazon Web Service (AWS) Single Sign-on (SSO) service is a cloud based Single Sign-On (SSO) solution which provides a simplified and secure access for users/groups to Amazon web services and full access to multiple cloud Applications along with AWS management console with one set of login credentials. Specifically, it helps you manage SSO access and user permissions across all your AWS accounts as well as custom applications that support Security Assertion Markup Language (SAML) 2.0.
miniOrange provides secure access to AWS SSO via the miniOrange Identity Provider (IDP) wherein users and groups can be authenticated, thus providing seamless access to your AWS resources.

With miniOrange AWS SSO, you can:

• Single Sign-on into all cloud and onpremise applications along with AWS accounts
• Have centralized and easy access control of the users
• Connect easily with any external identity source like Microsoft Entra ID, ADFS, Cognito, etc

miniOrange AWS Single Sign-On (SSO) supports the following flows:

• SP (Service Provider) Initiated Single Sign-On (SSO)

In this flow, a person tries to login to the Serivce Provider (AWS account) directly. The request is redirected to the Identity Provider for authentication. On sucessfull authentication from the Identity provider, the person is given access to the application (AWS account).

• IdP (Identity Provider) Initiated Single Sign-On (SSO)

In this flow, a person logs in to the Identity Provider using his credentials. Now the person can access any of the configured Service Providers (AWS account, etc.) through the Identity Provider Dashboard without having to enter the credentials agian.

Prerequistes for setting SSO for AWS accounts:

You will need the following pre requisites to setup SSO for AWS organization:

1. AWS organization admin account.

2. Set up AWS organization service.

3. Download the signed certificate from the AWS console or organization.

Follow the step-by-step guide given below for AWS Single Sign-On (SSO)

1. Configure AWS SSO Service

• Log into the AWS console.
• On the AWS dashboard, click on Services.
• Under the Security, Identity and Compliance section, select IAM Identity Center.



• Select Choose your Identity Source.



• Under the Action menu, click on Change Identity source from the dropdown.



• Select the External Identity Provider under the Choose Identity Source heading.



• Click on Download Metadata to download an XML metadata file. You can also directly copy the ACS and SSO issuer URL from below.

2. Configure AWS in miniOrange

• Login into miniOrange Admin Console.
• Go to Apps and click on Add Application button.



• In Choose Application, select SAML/WS-FED from the application type dropdown.



• Search for AWS in the list, if you don't find AWS in the list then, search for custom and you can set up your application in Custom SAML App.

• Upload the XML metadata section from AWS in miniOrange Dashboard using the Import SP Metadata feature.. To import metadata, select the SP Metadata type as File and upload the XML file in the field as shown below..



• Click on Next to proceed further.



• In the Attribute Mapping tab, make sure that the NameID format is configured as email address as shown in the image below.



• Click on Save.

Get IdP Metadata Details to upload to AWS Console:

• Go to Apps >> Manage Apps.
• Search for your app and click on the select in action menu against your app.
• Click on Metadata to get metadata details, which will be required later. Click on Show SSO Link to see the IDP initiated SSO link for AWS.



• Here you will see 2 options, if you are setting up miniOrange as IDP copy the meta details related to miniOrange, if you required to be authenticated via external IDP's (OKTA, Microsoft Entra ID, ADFS, ONELOGIN, GOOGLE APPS) you can get metadata from the 2nd Section as shown below.



• Click on the Download metadata button to download the metadata file which you will require further to setup SSO in AWS Console.



• Go back to the AWS Console. Now, from the AWS console from where you downloaded the XML file, click on the Choose File button under Identity Provider Metadata, and upload the metadata file you downloaded in the previous step from the miniOrange Dashboard.



• Accept the terms and click on Change Identity Source.



• Now under the Identity Source field, you can find the link under AWS Access Portal URL. Use this link for AWS SSO.

3. Test SSO Configuration

Test SSO login to your AWS account with miniOrange IdP:

Using SP Initiated Login

• Go to your AWS URL, here you will be either asked to enter the username or click on the SSO link which will redirect you to miniOrange IdP Sign On Page.



• Enter your miniOrange login credential and click on Login. You will be automatically logged in to your AWS account. Click on Management console to SSO into AWS console.




Using IDP Initiated Login

• Login to miniOrange IdP using your credentials.



• On the Dashboard, click on the AWS application which you have added, to verify SSO configuration.





Not able to configure or test SSO?


Contact us or email us at idpsupport@xecurify.com and we'll help you setting it up in no time.

4. Test SSO Configuration using CLI

Test SSO login to your AWS account using with miniOrange IdP:

• Initiate SSO authentication from CLI



• Then, you will be either asked to enter the username or click on the SSO link which will redirect you to miniOrange IdP Sign On Page.



• You’re authorized to AWS accounts and roles.





Not able to configure or test SSO?


Contact us or email us at idpsupport@xecurify.com and we'll help you setting it up in no time.

Troubleshooting

External References

• Single Sign-On (SSO)
• Know more about SAML SSO
• AWS Integration with miniOrange
• AWS IAM SAML Single Sign-On (SSO)
• Creating SAML Identity Providers