Single Sign-On (SSO) is a concept where a user authenticates once and can then access multiple applications without having to log in to each of them separately. This is pretty common within enterprises so users don’t have to log in to all of the applications they use every day.
According to Techopedia.com, the advantages of using SSO are:
- Eliminating credential reauthentication and help desk requests; thus, improving productivity.
- Streamlining local and remote applications and desktop workflow.
- Minimizing phishing.
- Improving compliance through a centralized database.
- Providing detailed user access reporting.
By maintaining a centralized user database, it is also easier to remove access when a user leaves the company by invalidating their SSO credentials. SSO authentication can be extended by adding an authorization database, where authorizations for specific application access and privileges are stored. This authorization database can be used for ongoing access management and control what privileges the user is permitted within an application.
Many enterprises use applications like Computer Associates’ SiteMinder (now known as Layer7 SiteMinder) or similar products to provide SSO support for their on-premise applications.
What is AWS SSO
AWS SSO is a cloud-based SSO service to easily manage access to all of the accounts configured in your AWS Organization. For a discussion about AWS Organizations, see my Medium article.
Using AWS SSO eliminates the need for operating your own SSO infrastructure. It easily manages your AWS Organizations account access, can integrate with many third-party applications, and it provides a Security Assertion Markup Language (SAML) configuration tool to extend AWS SSO to any SAML enabled application.
Setting up AWS SSO
By default, AWS SSO provides a directory to store your user information and credentials. If your organization already has a Microsoft Active Directory service in use, you can connect AWS SSO, eliminating the need to maintain two directories.
To set up AWS SSO, you will need to:
- configure AWS Organizations and associate the accounts you want to grant access to through AWS SSO;
- enable AWS SSO in AWS Organizations;
- verify you have the required permissions to set up AWS SSO.
This article is not going to cover every aspect of these requirements. There is an excellent AWS Blog post which goes into much more detail than is covered in this Five Minute Overview.
Enabling AWS SSO
To enable AWS SSO, open the AWS Console and navigate to AWS Organizations.
Once on the AWS Organizations page, click on Settings on the right side of the page. This shows the AWS services you can enable.
Scroll down to AWS Single Sign-On, and if not enabled, click on the “Enable” button. Once enabled, click on AWS Single Sign-On, to go to the setup page for AWS SSO.
We have to work through each of the steps on the setup page.
Configuring the Directory
As mentioned, AWS SSO provides a directory for your configuration, although you can change the directory if you already have an organizational Active Directory you would like to connect.
From this page, you can define the users who can log in through the AWS SSO service.
As you add users, enter their details such as email address, name, etc. You can choose to either give them instructions to create their password or set a one time password which they will change when they log in. In this example, the user will get instructions to set their password.
When you are finished entering the user’s details, click on the “Groups” button. At this point, you can create new groups and assign the user to the group.
When the user is created and you choose to send them information on how to join the AWS SSO environment, they will receive an email like this one with instructions on how to proceed. Clicking on the “Accept Invitation” button takes the user to this page, where they are prompted to enter a new password.
After entering their new password, the user receives an acknowledgment and the URL they will use to sign in using AWS SSO.
All we have done at this point is add the user to the directory. If they try to log in at this point, they will see a view like the following:
This view indicates they can’t do anything yet.
Allowing Access to Accounts
We have to configure AWS SSO so it knows what accounts can be accessed. We do this by going to the Accounts page and selecting the accounts. We can then assign a group or user for that access.
After choosing to add a user or group, you have to assign a permission set. A permission set defines the access a user or group has within an AWS account. If a user is a member of more than one permission set, they will have to select which one they want when they log in. This helps with enforcing the principle of least privilege. In our example, we are going to add a permission set called “AdministratorAccess”, as our user is a member of the Administrators group.
After defining the permission set, AWS SSO configures all of the selected accounts with the permission set.
Here we see that three of the four accounts have had the permission set provisioned. The last account hasn’t been completely provisioned, and therefore the permission set was not applied.
We now have two permission sets applied to our accounts.
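The account and permission-set assignment step above can also be driven from the sso-admin API. The following is an added example (not code from this article or from AWS) that reconciles a desired assignment map against what is live and reports which accounts hold the admin permission set; the permission set ARNs, group id and account ids are constructed placeholders, and a boto3 `sso-admin` client with already-created permission sets is assumed.

```python
"""Reconcile AWS SSO account assignments with a desired-state map (added example, not AWS's code)."""

# Constructed sample data mirroring the article: four accounts, the Administrators
# group holds AdministratorAccess in three and ReadOnlyAccess in the fourth.
ADMIN_PS = "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-admin"     # placeholder ARN
READONLY_PS = "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-ro"     # placeholder ARN
ADMINS_GROUP = "11111111-2222-3333-4444-555555555555"  # identity store group id, placeholder
# An assignment is (account_id, principal_type, principal_id, permission_set_arn).
DESIRED = {
    ("111111111111", "GROUP", ADMINS_GROUP, ADMIN_PS),
    ("222222222222", "GROUP", ADMINS_GROUP, ADMIN_PS),
    ("333333333333", "GROUP", ADMINS_GROUP, ADMIN_PS),
    ("444444444444", "GROUP", ADMINS_GROUP, READONLY_PS),
}
# Live state (constructed): the fourth account still carries an admin grant instead of read-only.
EXISTING = {
    ("111111111111", "GROUP", ADMINS_GROUP, ADMIN_PS),
    ("222222222222", "GROUP", ADMINS_GROUP, ADMIN_PS),
    ("333333333333", "GROUP", ADMINS_GROUP, ADMIN_PS),
    ("444444444444", "GROUP", ADMINS_GROUP, ADMIN_PS),
}

def plan_assignments(desired, existing):
    """Return (to_create, to_delete): assignments only in desired / only in existing."""
    return sorted(set(desired) - set(existing)), sorted(set(existing) - set(desired))

def admin_accounts(assignments, admin_ps=ADMIN_PS):
    """Least-privilege check: accounts where any principal holds the admin permission set."""
    return sorted({a[0] for a in assignments if a[3] == admin_ps})

def fetch_existing(sso_admin, instance_arn, account_ids, permission_set_arns):
    """Read live assignments via the sso-admin ListAccountAssignments API (boto3 client)."""
    paginator = sso_admin.get_paginator("list_account_assignments")
    found = set()
    for account_id in account_ids:
        for ps_arn in permission_set_arns:
            for page in paginator.paginate(InstanceArn=instance_arn, AccountId=account_id, PermissionSetArn=ps_arn):
                for a in page["AccountAssignments"]:
                    found.add((a["AccountId"], a["PrincipalType"], a["PrincipalId"], a["PermissionSetArn"]))
    return found

def apply_plan(sso_admin, instance_arn, to_create, to_delete):
    """Issue Create/DeleteAccountAssignment calls; AWS provisions the IAM roles asynchronously."""
    for op, batch in (("create_account_assignment", to_create), ("delete_account_assignment", to_delete)):
        for account_id, ptype, pid, ps_arn in batch:
            getattr(sso_admin, op)(InstanceArn=instance_arn, TargetId=account_id,
                                   TargetType="AWS_ACCOUNT", PermissionSetArn=ps_arn,
                                   PrincipalType=ptype, PrincipalId=pid)
```

Running `plan_assignments(DESIRED, EXISTING)` on the sample data yields one assignment to create (read-only on the fourth account) and one stale admin grant to delete, which is the kind of drift a periodic check should catch.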
Now that we have our users added and associated with a group, permission sets associated with accounts and users, we can move on. At this point, we can add SAML enabled applications, either from the list of available applications or by defining a custom application.
Our user, however, now has a different view when they attempt to log in using AWS SSO.
Our user can now select the account and permissions they have been granted for that account.
Our user has access to four accounts — three with administrator rights and one read-only. The user can now log in to access the console or get programmatic and command-line access.
From the settings page, we can define when users must complete two-step verification while authenticating to AWS SSO. There are three possible options:
- Disabled — Two-Step Verification is disabled.
- Context-Aware — AWS SSO attempts to determine if the user’s context has changed. This happens when the user is attempting to log in from a device for the first time, or from a new location. AWS SSO decides whether two-step verification is required, and prompts the user for the second step.
- Always-On — When this setting is on, two-step verification must be completed by every user, every time they authenticate to AWS SSO.
The Context-Aware and Always-On settings enable two-step verification. When this is enabled, the user receives a verification code via their verified email address, which they use to complete the login process.
Be careful setting up two-step verification. If your users must first log in to AWS SSO before they can access their email, adding two-step verification will prevent them from logging in.
AWS SSO is a convenient way of integrating Single Sign-On into your existing SAML applications and access to AWS accounts and services. It has pre-defined integrations for more than 275 applications as of October 9, 2019.
With its ability to connect to an existing Microsoft Active Directory, AWS SSO is an alternative to other Single Sign-On solutions.
If you liked this article, check out my other AWS Security related articles on Medium.
About the Author
Chris is a highly-skilled Information Technology AWS Cloud, Training and Security Professional bringing cloud, security, training and process engineering leadership to simplify and deliver high-quality products. He is the co-author of more than seven books and author of more than 70 articles and book chapters in technical, management and information security publications. His extensive technology, information security, and training experience makes him a key resource who can help companies through technical challenges.
This article is Copyright © 2019, Chris Hare.