A Five Minute Overview of AWS Single Sign-On

Single Sign-On (SSO) is a concept where a user authenticates and can access multiple applications without having to log in to those other applications. This is pretty common within enterprises so users don’t have to log in to all of the applications they use every day.

According to Techopedia.com, the advantages of using SSO are:

  • Eliminating credential reauthentication and help desk requests; thus, improving productivity.

By maintaining a centralized user database, it is also easier to remove access when a user leaves the company by invalidating their SSO credentials. SSO authentication can be extended by adding an authorization database, where authorizations for specific application access and privileges are stored. This authorization database can be used for ongoing access management and control what privileges the user is permitted within an application.

Many enterprises use applications like Computer Associates’ SiteMinder (now known as Layer7 SiteMinder) or similar products to provide SSO support for their on-premise applications.

What is AWS SSO

AWS SSO is a cloud-based SSO service to easily manage access to all of the accounts configured in your AWS Organization. For a discussion about AWS Organizations, see my Medium article.

Using AWS SSO eliminates the need for operating your own SSO infrastructure. It easily manages your AWS Organizations account access, can integrate with many third-party applications, and it provides a Security Assertion Markup Language (SAML) configuration tool to extend AWS SSO to any SAML enabled application.

Setting up AWS SSO

By default, AWS SSO provides a directory to store your user information and credentials. If your organization already has a Microsoft Active Directory service in use, you can connect AWS SSO, eliminating the need to maintain two directories.

To set up AWS SSO, you will need to:

  • configure AWS Organizations and associate the accounts you want to grant access to through AWS SSO;
  • enable AWS SSO in AWS Organizations;
  • verify you have the required permissions to set up AWS SSO.

This article is not going to cover every aspect of these requirements. There is an excellent AWS Blog post which goes into much more detail than is covered in this Five Minute Overview.

Enabling AWS SSO

To enable AWS SSO, open the AWS Console and navigate to AWS Organizations.

Once on the AWS Organizations page, click on Settings on the right side of the page. This shows the AWS services you can enable.

Scroll down to AWS Single Sign-On, and if not enabled, click on the “Enable” button. Once enabled, click on AWS Single Sign-On, to go to the setup page for AWS SSO.

We have to work through each of the steps on the setup page.

Configuring the Directory

As mentioned, AWS SSO provides a directory for your configuration, although you can change the directory if you already have an organizational Active Directory you would like to connect.

From this page, you can define the users who can log in through the AWS SSO service.

As you add users, enter their details such as email address, name, etc. You can choose to either give them instructions to create their password or set a one time password which they will change when they log in. In this example, the user will get instructions to set their password.

When you are finished entering the user’s details, click on the “Groups” button. At this point, you can create new groups and assign the user to the group.

When the user is created and you choose to send them information on how to join the AWS SSO environment, they will receive an email like this one with instructions on how to proceed. Clicking on the “Accept Invitation” button takes the user to this page, where they are prompted to enter a new password.

After entering their new password, the user receives an acknowledgment and the URL they will use to sign in using AWS SSO.

All we have done at this point is add the user to the directory. If they try to log in now, they will see a view indicating they can't do anything yet.

Allowing Access to Accounts

We have to configure AWS SSO so it knows what accounts can be accessed. We do this by going to the Accounts page and selecting the accounts. We can then assign a group or user for that access.

After choosing to add a user or group, you have to assign a permission set. A permission set defines the access a user or group has within an AWS account. If a user is a member of more than one permission set, they will have to select which one they want when they log in. This helps with enforcing the principle of least privilege. In our example, we are going to add a permission set called “AdministratorAccess”, as our user is a member of the Administrators group.

After defining the permission set, AWS SSO provisions it in each of the selected accounts.

Here we see that three of the four accounts have had the permission set provisioned. The last account hasn’t been completely provisioned, and therefore the permission set was not applied.

We now have two permission sets applied to our accounts.

Now that we have our users added and associated with a group, permission sets associated with accounts and users, we can move on. At this point, we can add SAML enabled applications, either from the list of available applications or by defining a custom application.

Our user, however, now has a different view when they attempt to log in using AWS SSO.

Our user can now select the account and permissions they have been granted for that account.

Our user has access to four accounts — three with administrator rights and one read-only. The user can now log in to access the console or get programmatic and command-line access.
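To review what the account assignments above actually grant, here is an added example (not code from the original article) that expands group-based assignments to individual users and reports each user's administrative footprint. It works on constructed sample data shaped like the output of `aws sso-admin list-account-assignments`, `aws sso-admin describe-permission-set` and `aws identitystore list-group-memberships`; all ARNs, account ids and principal ids are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample (placeholder ARNs): the Name of each permission set,
# as returned by `aws sso-admin describe-permission-set`.
PERMISSION_SET_NAMES = {
    "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLEADMIN": "AdministratorAccess",
    "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLEVIEW": "ViewOnlyAccess",
}

# Constructed sample: `aws sso-admin list-account-assignments` output for four
# accounts merged into one document. Admin access is granted through the
# Administrators group; read-only access is assigned directly to the user.
ASSIGNMENTS_JSON = """{"AccountAssignments": [
 {"AccountId": "111111111111", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLEADMIN", "PrincipalType": "GROUP", "PrincipalId": "g-administrators"},
 {"AccountId": "222222222222", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLEADMIN", "PrincipalType": "GROUP", "PrincipalId": "g-administrators"},
 {"AccountId": "333333333333", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLEADMIN", "PrincipalType": "GROUP", "PrincipalId": "g-administrators"},
 {"AccountId": "444444444444", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLEVIEW", "PrincipalType": "USER", "PrincipalId": "u-chris"}
]}"""

# Constructed sample: group id -> member user ids, as you would build it from
# `aws identitystore list-group-memberships`.
GROUP_MEMBERS = {"g-administrators": {"u-chris"}}


def effective_access(assignments_json, ps_names, group_members):
    """Expand group assignments to users: {user_id: {account_id: {permission set names}}}."""
    access = defaultdict(lambda: defaultdict(set))
    for a in json.loads(assignments_json)["AccountAssignments"]:
        name = ps_names.get(a["PermissionSetArn"], a["PermissionSetArn"])
        if a["PrincipalType"] == "USER":
            users = {a["PrincipalId"]}
        else:  # GROUP: every member inherits the assignment
            users = group_members.get(a["PrincipalId"], set())
        for user in users:
            access[user][a["AccountId"]].add(name)
    return {u: dict(accts) for u, accts in access.items()}


def admin_footprint(access, admin_ps="AdministratorAccess"):
    """Per user, the sorted list of accounts where an administrative permission set applies."""
    return {u: sorted(acct for acct, names in accts.items() if admin_ps in names)
            for u, accts in access.items()}


if __name__ == "__main__":
    access = effective_access(ASSIGNMENTS_JSON, PERMISSION_SET_NAMES, GROUP_MEMBERS)
    for user, accts in admin_footprint(access).items():
        print(f"{user}: AdministratorAccess in {len(accts)} account(s): {', '.join(accts)}")
```

Run against real output, the same two functions make it easy to spot users who hold AdministratorAccess in more accounts than their role requires.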

Two-Step Verification

From the settings page, we can define whether Two-Step Verification is required when users authenticate to AWS SSO. There are three possible options:

  1. Disabled — Two-Step Verification is disabled.

The Context-Aware and Always-On settings enable two-step verification. When this is enabled, the user receives a verification code via their verified email address, which they use to complete the login process.

WARNING:

Be careful setting up two-step verification. If your users must first log in to AWS SSO before they can access their email, adding two-step verification will prevent them from logging in.

Conclusion

AWS SSO is a convenient way of integrating Single Sign-On into your existing SAML applications and access to AWS accounts and services. It has pre-defined integrations for more than 275 applications as of October 9, 2019.

With its ability to connect to an existing Microsoft Active Directory, AWS SSO is an alternative to other Single Sign-On solutions.

If you liked this article, check out my other AWS Security related articles on Medium.

A Five Minute Overview of AWS Shield

A Five Minutes Overview of AWS Macie

A Five Minute Overview of AWS Inspector

A Five Minute Overview of AWS Guard Duty

A Five Minute Overview of AWS Security Hub

References

AWS Single Sign On

Computer Associates Layer7 SiteMinder

How to Create and Manage Users in AWS Single Sign On

Single Sign On — Techopedia

About the Author

Chris is a highly-skilled Information Technology AWS Cloud, Training and Security Professional bringing cloud, security, training and process engineering leadership to simplify and deliver high-quality products. He is the co-author of more than seven books and author of more than 70 articles and book chapters in technical, management and information security publications. His extensive technology, information security, and training experience makes him a key resource who can help companies through technical challenges.

Copyright

This article is Copyright © 2019, Chris Hare.
