Configure Single Sign-On for AWS Part 1: Basic Setup
Brien explains single sign-on (SSO) features that you can use to simplify the process of user access to applications.
Managing user identities is often difficult for organizations that make third-party applications available to users through the AWS Cloud. A user could, for example, sign in using an Active Directory account, but must use a separate AWS IAM account to access a cloud application.
Fortunately, AWS offers single sign-on (SSO) features that you can use to simplify the process of user access to applications. In this series of articles, I will show you the basic steps involved in setting up SSO. However, the steps required in real life vary depending on the identity provider used and the applications used by an organization.
To get started, open the AWS Single Sign-On service (it’s in the list of services in the Security, Identity, and Compliance section). Figure 1 shows what the AWS Single Sign On dashboard looks like.
The figure above would lead you to believe that at a high level there are three steps required to configure single sign-on. However, there is actually a fourth stage which is not shown in the figure. When you first open the console, you’ll be prompted to click a button to enable single sign-on (assuming you’ve never used it before). The rest of this article assumes you’ve completed this initial step.
Choose your identity source
The first “real” step in the setup process is choosing your identity source. For the purposes of this blog series, I will be using Amazon Directory Service, which I have configured as a Microsoft Active Directory environment. However, this is not the only option.
Click the Choose your Identity Source link and you will be taken to the Settings page, with the Identity Source tab selected. Now select the Change Identity Source command from the Actions drop-down menu as shown in Figure 2.
At this point, you will be taken to a screen asking you to choose your identity source. You can choose between AWS SSO, Active Directory, and an external identity provider, as shown in Figure 3. The remaining configuration options vary depending on the option you choose.
Assuming you choose to use an Active Directory as your identity source like I do, you would make your selection and then click Next. From there, you will be taken to a screen that prompts you to choose your directory. This raises an important point. If you want to use an Active Directory environment as your identity source, your AWS account will need to know that your Active Directory exists. If you don’t see your Active Directory environment listed, you’ll need to make sure to configure AWS Directory Service accordingly. Keep in mind that the directory service and the AWS SSO service are region-specific, so you’ll need to ensure that your Active Directory environment exists in the same region as the AWS SSO service.
After selecting your Active Directory, click Next and you will be taken to the Confirm Change screen. There are countless situations in the Amazon cloud where you’ll perform an action and then be taken to a summary screen that gives you the chance to review your settings before continuing. If you have a lot of experience working with AWS, you might be used to ignoring these summary screens, as I often do. However, this particular summary screen is important. Changing the identity source has serious consequences, so be absolutely sure to take the time to read the Verify and confirm section, which you can see in Figure 4. Simply put, your existing SSO environment (if you have one) will cease to exist. If you want to move forward, then type the word ACCEPT in the space provided and click the Change Identity Source button.
As soon as you click the Change Identity Source button, AWS gets to work removing your old identity source and provisioning SSO to use your new identity source. This process may take several minutes and you may need to refresh the console to confirm that the process is complete. Now is the time to move on to Step 2, which is to grant your users and groups access to specific AWS accounts and roles within your organization. I’ll show you how to do steps 2 and 3 in Part 2 of this series.
About the Author
Brien Posey is a 20-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of computing topics. Prior to going freelance, Posey was CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox. In addition to his ongoing work in computing, Posey has spent the past several years actively training as a commercial scientist-astronaut candidate in preparation for flying on a polar mesospheric cloud survey mission from space. You can follow his spaceflight training on his Website.