Example of Single Sign-On via AWS IAM Identity Center (SAML)
AWS IAM Identity Center (formerly AWS SSO) is a centralized identity management service provided by AWS, supporting Single Sign-On (SSO) to manage user access to multiple AWS accounts, cloud applications (such as Salesforce, GitHub), and hybrid cloud resources.
Note
The SAML 2.0 Single Sign-On feature of AWS IAM Identity Center is only available on AWS International sites.
1. Enable IAM Identity Center
In this example, assume the user account logging into the AWS platform has never used the IAM Identity Center service before, and this is their first time using it.
- Log in to the AWS console;
- In the search bar, enter IAM Identity Center;
- Click "Enable".
Note
- When enabling IAM Identity Center, pay attention to the region selection in the top navigation bar of the console. Once enabled, you cannot directly switch regions; you need to re-enable and reconfigure all settings in the new region;
- If your organization already has an AWS primary management region (such as us-east-1 or ap-northeast-1), it is recommended to keep it consistent for unified management.
2. Create a Custom SAML 2.0 Application
On the application management page, select "Custom" and click "Add application".
Why choose 'Custom'
| Option | Use Cases |
|---|---|
| AWS Managed | Third-party SaaS applications pre-integrated by AWS (such as Salesforce, Slack, Zoom, etc.). AWS automatically provides the metadata and configuration templates. |
| Custom | Third-party platforms that require manual SAML configuration (applications not pre-integrated by AWS, such as the TrueWatch platform used as the example in this article), where you must provide the SAML metadata or ACS URL yourself. |
- Select the application type as "I want to set up an application";
- Continue to select SAML 2.0 and proceed to the next step.
Configure Application
- Define the display name of the application, such as `gc`;
- Enter a description as needed;
- Under "IAM Identity Center Metadata", click to download the IAM Identity Center SAML metadata file and certificate;
- In the application metadata, select "Upload application SAML metadata file", and choose the metadata file downloaded from TrueWatch;
- Submit the current configuration;
- The page will prompt that the application has been successfully added.
3. Edit Attribute Mapping
Attribute mapping is the core configuration of SAML integration, used to pass AWS user attributes to TrueWatch.
Return to the application details page, click Options > Edit Attribute Mapping in the upper right corner of the page, and configure the mapping relationship between the AWS user login identity and the role identity of TrueWatch.
- The system provides the `Subject` field (the user's unique identifier) by default; map it to `${user:email}`;
- After configuration, click Save Changes.
Additional Role Attributes
- Define the user or group attributes to be mapped to the role; here select the `email` and `familyName` fields;
- Define the attributes mapped to these string values, which are `${user:email}` and `${user:familyName}`;
- Save the current changes.
- Proceed to TrueWatch to configure role mapping.
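As an added example (not part of the original page or of TrueWatch), the check below parses a SAML assertion and verifies that it carries exactly what the mapping above promises: a `Subject` NameID that is an email address, `email` and `familyName` attributes, and an audience/expiry that still hold. The assertion and the audience entity ID are constructed placeholders; signature verification is assumed to happen in the service provider and is not repeated here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = ("email", "familyName")  # the role attributes mapped in step 3

# Constructed sample assertion (unsigned, placeholder values only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example/placeholder-entity-id</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="familyName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_audience, now=None):
    """Return (ok, findings): findings is empty when the assertion matches the mapping."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    findings = []
    # Subject was mapped to ${user:email}, so the NameID must look like an email address.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or "@" not in (name_id.text or ""):
        findings.append("Subject NameID is missing or not an email address")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            findings.append(f"attribute {name!r} missing or empty")
    # The email attribute and the Subject both derive from ${user:email}; they must agree.
    if name_id is not None and attrs.get("email") and attrs["email"][0] != name_id.text:
        findings.append("email attribute does not match Subject NameID")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element")
    else:
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            findings.append(f"audience {audiences} does not include {expected_audience!r}")
        not_after = cond.get("NotOnOrAfter")
        if not_after and datetime.fromisoformat(not_after.replace("Z", "+00:00")) <= now:
            findings.append("assertion has expired (NotOnOrAfter in the past)")
    return (not findings, findings)
```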
4. Assign User and Group Access Permissions
Users and groups created in the Identity Center directory are only available in IAM Identity Center. Permissions can be assigned to them later. In this example, assume that no users or groups have been added to the current directory.
Step 1: Add User
- Go to the console > Users page;
- Click "Add User";
- Define the username, select the method for the user to receive the password, and enter the email, first name, last name, and display name;
- Proceed to the next step.
Note: The username, password, and email here are the necessary configurations for the user's single sign-on later.
Step 2: Add User to Group
- If there are no groups in the current directory, enter the creation entry on the right;
- Define the group name;
- Click the "Create" button in the lower right corner;
- Return to the add user page, select the group, and proceed to the next step;
- Confirm adding the user. A status message will notify you that the user has been successfully added.
Step 3: Assign Users and Groups to the Application
- Go to the application, select the configured application (here the example is `gc`, configured above), and assign users and groups to it;
- Search for and select all users and groups to assign permissions;
- After review, the assignment will be successfully created.
5. Create User SSO Identity Provider in TrueWatch
- Log in to the TrueWatch workspace > Management > Member Management > User SSO;
- Select SAML;
- Click Add Identity Provider to start configuration;
- Define the identity provider name as `aws_sso`;
- Upload the IAM Identity Center SAML metadata document downloaded in the Configure Application step;
- Define access restriction email;
- Select roles and session duration;
- Click Confirm.
For more configuration details, refer to SSO Management.
6. Login Verification
- Log in to the TrueWatch single sign-on page: https://auth.truewatch.com/login/sso;
- Select the application created on the AWS side in the list;
- Login address;
- Enter the username, password;
- Log in successfully.