AWS IAM Identity Center Single Sign-On Example (SAML)
AWS IAM Identity Center (formerly AWS SSO) is a centralized identity management service provided by AWS. It supports Single Sign-On (SSO) to uniformly manage user access to multiple AWS accounts, cloud applications (such as Salesforce, GitHub), and hybrid cloud resources.
Note: The SAML 2.0 Single Sign-On feature of AWS IAM Identity Center is only available on AWS International sites.
1. Enable IAM Identity Center
This example assumes that the AWS account you log in with has never used the IAM Identity Center service before.
- Log in to the AWS console.
- In the search bar, enter IAM Identity Center.
- Click "Enable".
Note:
- When enabling IAM Identity Center, pay attention to the region selection in the top navigation bar of the console. Once the service is enabled, you cannot directly switch regions; you must re-enable it in a new region and reconfigure all settings.
- If your organization already has a primary AWS management region (such as us-east-1 or ap-northeast-1), it is recommended to use the same region so that everything is managed in one place.
2. Create a Custom SAML 2.0 Application
On the application management page, select "Custom", and click "Add application".
Why choose "Custom":
| Option | Applicable Scenario |
|---|---|
| AWS Managed | Third-party SaaS applications pre-integrated by AWS (e.g., Salesforce, Slack, Zoom, etc.). AWS automatically provides metadata and configuration templates. |
| Custom | Third-party platforms that require manual SAML configuration (applications not pre-integrated by AWS, such as the TrueWatch platform used in this article), for which you must supply the SAML metadata or ACS URL yourself. |
- Select the application type as "I want to set up an application".
- Continue to select SAML 2.0 and proceed to the next step.
Configure the Application
- Define the display name for this application, such as `gc`.
- Enter a description as needed.
- Under "IAM Identity Center metadata", click to download the IAM Identity Center SAML metadata file and certificate.
- For the application metadata, select "Upload application SAML metadata file", and choose the metadata file downloaded from TrueWatch here.
- Submit the current configuration.
- The page will prompt that the application was successfully added.
3. Edit Attribute Mappings
Attribute mapping is the core configuration of SAML integration, used to pass AWS user attributes to TrueWatch.
After returning to the application details page, click Actions > Edit attribute mappings in the upper right corner of the page. Here, you configure the mapping relationship between the AWS user login identity and the TrueWatch role identity.
- The system provides the `Subject` field (the user's unique identifier) by default; map it to `${user:email}`.
- After configuration is complete, click "Save changes".
Additional Role Attributes
- Define the user or group attributes that need to be mapped to the role; here, the `email` and `familyName` fields are used.
- Map these attributes to the string values `${user:email}` and `${user:familyName}` respectively.
- Save the current changes.
- Subsequently, go to TrueWatch to configure role mapping.
4. Assign User and Group Access Permissions
The users and groups you create in the Identity Center directory are only available within IAM Identity Center. Permissions can be assigned to them later. This example assumes that no users or groups have been added to the current directory yet.
Step 1: Add a User
- Go to the console > Users page.
- Click "Add user".
- Define a username, choose how the user receives the password, and enter the email, first name, last name, and display name.
- Proceed to the next step.
Note: The username, password, and email entered here are necessary configurations for the subsequent single sign-on by this user.
Step 2: Add the User to a Group
- If there are no groups in the current directory, use the creation entry on the right.
- Define a group name.
- Click the "Create" button in the lower right corner.
- Return to the Add User page, select this group, and proceed to the next step.
- Confirm adding this user. A status message will notify you that you have successfully added the user.
Step 3: Assign Users and Groups to the Application
- Go to the application, select the application configured above (`gc` in this example), and assign users and groups to it.
- Search for and check all users and groups that need permission assignments.
- After review, the assignment can be created successfully.
5. Create a User SSO Identity Provider in TrueWatch
- Log in to the TrueWatch Workspace > Manage > Member Management > User SSO.
- Select SAML.
- Click "Add identity provider" to start configuration.
- Define the identity provider name as `aws_sso`.
- Upload the metadata document downloaded during application configuration.
- Define the access restriction email.
- Select the role and session duration.
- Click "Confirm".
For more configuration details here, refer to SSO Management.
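As an added illustration (not code from the TrueWatch docs or from AWS), the Python below shows what an assertion produced by the step 3 mapping looks like when it reaches the service-provider side, and checks it against that mapping and the step 5 access restriction. The sample assertion, its issuer URL and ID, and the reading of "access restriction email" as an allowed domain are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion shaped by the step 3 mapping: Subject -> ${user:email},
# plus the additional attributes email and familyName. Issuer and ID are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="familyName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_identity(assertion_xml: str) -> dict:
    """Return the Subject NameID and attribute statement of one assertion.
    Signature validation against the IdP certificate downloaded in step 2 must
    happen before this is called; an unverified assertion proves nothing."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    return {"name_id": name_id.text.strip(), "attributes": attrs}

def check_mapping(identity: dict, required=("email", "familyName"), allowed_domain=None) -> list:
    """List the ways an assertion fails the configured mapping (empty list = OK):
    the step 3 attributes must be present, Subject must equal the email attribute
    (both map to ${user:email}), and, if allowed_domain is set (a constructed
    reading of the step 5 access restriction email), Subject must be under it."""
    problems = []
    attrs = identity["attributes"]
    for name in required:
        if name not in attrs:
            problems.append(f"missing attribute: {name}")
    if attrs.get("email") != identity["name_id"]:
        problems.append("Subject does not equal the email attribute")
    if allowed_domain:
        local, _, domain = identity["name_id"].rpartition("@")
        if not local or domain.lower() != allowed_domain.lower():
            problems.append(f"{identity['name_id']} is outside {allowed_domain}")
    return problems
```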
6. Login Verification
- Log in to the TrueWatch Single Sign-On page: https://auth.truewatch.com/login/sso.
- Select the application created on the AWS side from the list.
- Login address.
- Enter the username and password.
- You can then log in successfully.