Configure Single Sign On for AWS, Part 1: Basic Setup

Brien explains Single Sign On (SSO) capabilities that you can use to simplify the process of users accessing applications.

Managing user identities is often challenging for organizations that make third-party applications available to users through the AWS cloud. A user might. for example, log on using an Active Directory account but have to use a separate AWS IAM account to access a cloud application.

Fortunately, AWS offers Single Sign On (SSO) capabilities that you can use to simplify the process of users accessing applications. In this article series, I will show you the basic steps involved in setting up SSO. However, the steps required in real life will vary based on the identity provider used and on the applications that an organization is using.

To get started, open the AWS Single Sign-On Service (it's found on the list of services in the Security, Identity and compliance section). Figure 1 shows what the AWS Single Sign On Dashboard looks like.

Figure 1: This is the AWS Single Sign On Dashboard.
[Click on image for larger view.] Figure 1: This is the AWS Single Sign On Dashboard.

The figure above would lead you to believe that at a high level, there are three steps required to configure Single Sign On. Actually however, there is a fourth step that is not shown in the figure. When you open the console for the first time, you will be prompted to click a button to enable Single Sign On (assuming that you have never used it before). The remainder of this article assumes that you have completed this initial step.

Choose Your Identity Source
The first "real" step in the configuration process is to choose your identity source. For the purposes of this blog series, I will be using the Amazon Directory Service, which I have configured as a Microsoft Active Directory environment. However, this is not the only option.

Click on the Choose Your Identity Source link and you will be taken to the Settings page, with the Identity Source tab selected. Now, select the Change Identity Source command from the Actions drop down, as shown in Figure 2.

Figure 2: Choose the Change Identity Source option from the Actions menu.
[Click on image for larger view.] Figure 2: Choose the Change Identity Source option from the Actions menu.

At this point, you will be taken to a screen that asks you to choose your identity source. You can choose between AWS SSO, Active Directory, and an external identity provider, as shown in Figure 3. The remaining configuration options vary depending on which options you choose.

Figure 3: Choose your identity source.
[Click on image for larger view.] Figure 3: Choose your identity source.

Assuming that you choose to use an Active Directory as an identity source as I am doing, you would make your selection and then click Next. From there, you will be taken to a screen that prompts you to choose your directory. This brings up an important point. If you want to use an Active Directory environment as an identity source then your AWS account will need to know that your Active Directory exists. If you don't see your Active Directory environment listed then you will need to make sure to configure the AWS Directory Service service accordingly. Keep in mind that both the Directory Service service and the AWS SSO service are region specific, so you will need to make sure that your Active Directory environment exists in the same region as the AWS SSO service.

After you have selected your Active Directory, click Next and you will be taken to the Confirm Change screen. There are countless situations in the Amazon cloud where you will perform an action and then be taken to a summary screen that gives you the chance to review your settings before continuing. If you have a lot of experience working with AWS, then you may be in the habit of ignoring these summary screens, just as I often do. However, this particular summary screen is important. There are serious consequences to changing the identity source, so make absolutely sure that you take the time to read the Review and Confirm section, which you can see in Figure 4. Simply put, your existing SSO environment (if you have one) will cease to exist. If you want to move forward. then type the word ACCEPT in the space provided and click the Change Identity Source button.

Figure 4:There can be serious consequences to changing your identity source, so make sure that you read and understand the warnings before continuing.
[Click on image for larger view.] Figure 4: There can be serious consequences to changing your identity source, so make sure that you read and understand the warnings before continuing.

As soon as you click the Change Identity Source button, AWS will go to work removing your old identity source and provisioning SSO to use your new identity source. This process can take several minutes to complete and you may have to refresh the console to confirm that the process has finished. Now it's time to move on to Step 2, which is where you give your users and groups access to specific AWS accounts and roles within your organization. I will show you how to perform steps 2 and 3 in Part 2 of this series.

About the Author

Brien Posey is a 20-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.

Featured