
Example of Single Sign-On via AWS IAM Identity Center (SAML)


AWS IAM Identity Center (formerly AWS SSO) is a centralized identity management service provided by AWS, supporting single sign-on (SSO) to uniformly manage users' access permissions to multiple AWS accounts, cloud applications (such as Salesforce, GitHub), and hybrid cloud resources.

Note

The SAML 2.0 single sign-on feature of AWS IAM Identity Center is only available on the AWS International site.

1. Enable IAM Identity Center

In this example, we assume that the user account logging into the AWS platform has never used the IAM Identity Center service before, making this its first use.

  1. Log in to the AWS Console;
  2. In the search bar, enter IAM Identity Center;
  3. Click "Enable".

Note
  • When enabling IAM Identity Center, pay attention to the region selection in the top navigation bar of the console. Once the service is enabled, you cannot directly switch regions; you will need to re-enable it in the new region and reconfigure all settings;
  • If your organization already has an AWS primary management region (such as us-east-1 or ap-northeast-1), it is recommended to keep it consistent for unified management.

2. Create a Custom SAML 2.0 Application

On the application management page, select "Customer Managed," and click "Add application."

Why Choose 'Customer Managed' (Custom)

  • AWS Managed: for pre-integrated third-party SaaS applications (e.g., Salesforce, Slack, Zoom). AWS automatically provides the metadata and configuration templates.
  • Customer Managed: for third-party platforms that require manual SAML configuration (applications not pre-integrated by AWS, such as the example object "TrueWatch platform" in this article), where you need to provide the SAML metadata or ACS URL yourself.

  1. Select the application type as "I want to add an application";
  2. Continue by selecting SAML 2.0 and proceed to the next step.

Configure Application

  1. Define a display name for the application, such as guance;
  2. Enter a description as needed;
  3. Under "IAM Identity Center Metadata," click to download the IAM Identity Center SAML metadata file and certificate;
  4. For application metadata, select "Upload application SAML metadata file" and choose the metadata file downloaded from TrueWatch;
  5. Submit the current configuration;
  6. The page will prompt that the application was successfully added.

3. Edit Attribute Mapping

Attribute mapping is the core configuration of SAML integration, used to pass AWS user attributes to TrueWatch.

After returning to the application details page, click Actions > Edit attribute mappings in the upper right corner of the page to establish the mapping relationship between AWS user login identities and TrueWatch role identities.

  1. The system defaults to providing the field Subject (user unique identifier); map it to ${user:email};
  2. After completing the configuration, click Save changes.

Attach Role Attributes

  1. Define the user or group attributes to be mapped to roles; here we choose the two fields email and familyName;
  2. Map these attributes to the string values ${user:email} and ${user:familyName}, respectively;
  3. Save the current modifications;
  4. Proceed to configure role mapping in TrueWatch.
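With the mappings above, the identity provider places ${user:email} in the Subject NameID and emits email and familyName as attributes in the assertion; the role mapping configured in TrueWatch then matches on those attribute string values. As an added example, not code from this page, TrueWatch or AWS, the following Python script shows what the service provider side receives: it parses a constructed SAML response (placeholder IDs and a fictitious user), extracts the Subject and attributes, checks that the Subject agrees with the email attribute, and applies a hypothetical rule table that stands in for the role mapping configured in the TrueWatch UI. It only parses; a real service provider verifies the XML signature against the IdP certificate before trusting any of these values.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 protocol and assertion namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (no signature, placeholder IDs, fictitious user)
# shaped the way the Subject -> ${user:email} and email/familyName attribute
# mappings would produce it.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_response-placeholder" Version="2.0">
  <saml:Issuer>https://portal.sso.example-region.amazonaws.com/saml/assertion/PLACEHOLDER</saml:Issuer>
  <saml:Assertion ID="_assertion-placeholder" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="familyName">
        <saml:AttributeValue>Ops</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Hypothetical role-mapping rules: (attribute name, expected value, role).
# This stands in for the mapping configured in the TrueWatch UI; it is not
# TrueWatch's actual configuration format.
RULES = [
    ("familyName", "Ops", "readonly"),
    ("email", "alice@example.com", "admin"),
]


def extract_identity(response_xml):
    """Return the Subject NameID and the attribute values of the single assertion.

    Parsing only: signature verification must happen before these values are
    trusted in a real service provider.
    """
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("Subject NameID missing")
    subject = name_id.text.strip()

    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attributes.setdefault(attr.get("Name", ""), []).extend(values)

    # Both Subject and the email attribute are mapped from ${user:email};
    # a mismatch means the IdP mapping is not what this guide configured.
    if subject not in attributes.get("email", []):
        raise ValueError("Subject %r does not match the email attribute" % subject)
    return {"subject": subject, "attributes": attributes}


def map_roles(identity, rules):
    """Grant every role whose rule matches one of the user's attribute values."""
    roles = set()
    for attr_name, expected, role in rules:
        if expected in identity["attributes"].get(attr_name, []):
            roles.add(role)
    return sorted(roles)


if __name__ == "__main__":
    identity = extract_identity(SAMPLE_RESPONSE)
    print("subject:", identity["subject"])
    print("attributes:", identity["attributes"])
    print("roles:", map_roles(identity, RULES))
```

When no rule matches, map_roles returns an empty list; a service provider then falls back to whatever default role it assigns at login rather than granting anything implicitly.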

4. Assign User and Group Access Permissions

Users and groups created in the Identity Center directory are only available within IAM Identity Center. Subsequently, you can assign them permissions. In this example, it is assumed that no users or groups have been added to the current directory yet.

Step 1: Add User

  1. Go to the console > Users page;
  2. Click "Add user";
  3. Define a username, choose how the user receives the password, and enter email, first name, last name, and display name;
  4. Proceed to the next step.

Note: The username, password, and email entered here are required configurations that the user will use for subsequent single sign-on logins.

Step 2: Add User to Group

  1. If there are no groups in the current directory, enter the creation entry on the right;
  2. Define the group name;
  3. Click the "Create" button at the bottom right;
  4. Return to the Add User page, select the group, and proceed to the next step;
  5. Confirm adding the user. A status message will inform you that the user was successfully added.

Step 3: Assign Users and Groups to the Application

  1. Go to Applications and select the configured application (in this case, the previously configured guance) to assign users and groups;
  2. Search and check all users and groups to which you want to assign permissions;
  3. Confirm the assignment; a message will indicate that it was created successfully.

5. Create User SSO Identity Provider in TrueWatch

  1. Log in to the TrueWatch workspace > Management > Member Management > User SSO;
  2. Select SAML;
  3. Click Add Identity Provider to start configuring;
  4. Define the identity provider name as aws_sso;
  5. Upload the metadata document downloaded during application configuration;
  6. Define the email address restriction (which email addresses are permitted to log in);
  7. Select roles and session duration;
  8. Click Confirm.

For more configuration details, refer to SSO Management.

6. Login Verification

  1. Log in to the TrueWatch single sign-on page: https://auth.truewatch.com/login/sso;
  2. Select the application created on the AWS side from the list;
  3. Visit the login address;
  4. Enter your username and password;
  5. You will then be logged in successfully.