AWS Single Sign-On (AWS SSO) is a service from Amazon Web Services that enables IT to manage user access to multiple applications and AWS accounts from a single, centralized console.
The single sign-on service also benefits an end user, as it enables him or her to sign into the AWS SSO portal with pre-existing credentials -- including those from Microsoft Active Directory (AD) -- to centrally access cloud resources and applications.
How to use AWS SSO
Access to the AWS SSO service is available via the AWS Management Console.
After an IT administrator accesses the service, he or she can integrate end users' identities and credentials from Microsoft AD. Then, the administrator can assign permissions to AD groups to grant users access to multiple applications and to the AWS accounts managed through AWS Organizations. IT can also assign customized permission sets to various resources and AWS accounts based on a user's job function, so that each user receives only the access that role requires.
A user can access the AWS SSO console with his or her AD credentials and receive permission to use resources. Like other single sign-on services, AWS SSO eliminates the need for a user to memorize multiple user names and passwords to access different services and applications.
AWS SSO integration with custom apps, CloudTrail
In addition to built-in support for business applications, such as Office 365 and ServiceNow, AWS SSO can support single sign-on capabilities for an organization's custom applications, if those applications use Security Assertion Markup Language (SAML) 2.0. In the AWS SSO portal, an IT administrator can create and edit SAML 2.0 integrations to enable single sign-on capabilities.
IT can also track all AWS SSO activity, including sign-on attempts and directory changes, through integration with AWS CloudTrail.
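An added example, not part of the original article and not AWS's own tooling: a small Python script that reads a CloudTrail log file, keeps only the records AWS SSO emits, flags repeated failed sign-on attempts per user and source address, and lists permission-set changes, which is the kind of review the CloudTrail integration makes possible. The sample trail, user names and IP addresses are constructed for the example; the event names (Authenticate, Federate, CreatePermissionSet, AttachManagedPolicyToPermissionSet) and the use of CloudTrail's top-level errorCode field to mark failures are assumptions that should be confirmed against the records in your own trail.

```python
import json
from collections import Counter

# Assumed values: the event source AWS SSO writes to CloudTrail, the event name for a
# portal sign-on, and the event names that change permission sets or account
# assignments. Confirm all of them against your own trail before relying on them.
SSO_EVENT_SOURCE = "sso.amazonaws.com"
SIGN_ON_EVENT = "Authenticate"
PERMISSION_SET_EVENTS = {
    "CreatePermissionSet", "DeletePermissionSet",
    "AttachManagedPolicyToPermissionSet", "PutInlinePolicyToPermissionSet",
    "CreateAccountAssignment", "DeleteAccountAssignment",
}
FAILED_SIGN_ON_THRESHOLD = 3  # failures from one user/IP pair before we flag it


def _record(time, name, user, ip, source=SSO_EVENT_SOURCE, error=None):
    """Build one constructed CloudTrail record in the documented record shape."""
    rec = {
        "eventVersion": "1.08", "eventTime": time, "eventSource": source,
        "eventName": name, "sourceIPAddress": ip,
        "userIdentity": {"type": "Unknown", "userName": user},
    }
    if error:
        rec["errorCode"] = error  # CloudTrail sets errorCode/errorMessage on failed requests
        rec["errorMessage"] = "Authentication failed"
    return rec


# Constructed sample trail in the CloudTrail file format ({"Records": [...]}).
# Users, addresses and timestamps are made up; the last record is a non-SSO event
# included to show that it is filtered out.
SAMPLE_TRAIL = json.dumps({"Records": [
    _record("2023-01-01T08:00:00Z", "Authenticate", "alice", "203.0.113.10"),
    _record("2023-01-01T08:00:05Z", "Federate", "alice", "203.0.113.10"),
    _record("2023-01-01T08:10:00Z", "Authenticate", "bob", "198.51.100.7", error="AuthenticationFailed"),
    _record("2023-01-01T08:10:30Z", "Authenticate", "bob", "198.51.100.7", error="AuthenticationFailed"),
    _record("2023-01-01T08:11:00Z", "Authenticate", "bob", "198.51.100.7", error="AuthenticationFailed"),
    _record("2023-01-01T09:00:00Z", "CreatePermissionSet", "admin", "203.0.113.20"),
    _record("2023-01-01T09:01:00Z", "AttachManagedPolicyToPermissionSet", "admin", "203.0.113.20"),
    _record("2023-01-01T09:05:00Z", "RunInstances", "alice", "203.0.113.10", source="ec2.amazonaws.com"),
]})


def load_records(trail_text):
    """Parse the body of a CloudTrail log file and return its list of records."""
    return json.loads(trail_text).get("Records", [])


def sso_events(records):
    """Keep only the records emitted by AWS SSO."""
    return [r for r in records if r.get("eventSource") == SSO_EVENT_SOURCE]


def summarize_sso_activity(records, threshold=FAILED_SIGN_ON_THRESHOLD):
    """Count SSO events by name, tally failed sign-ons per (user, IP), flag pairs at or
    above the threshold, and list permission-set changes in time order."""
    events = sso_events(records)
    by_name = Counter(r["eventName"] for r in events)
    failed = Counter()
    permission_set_changes = []
    for r in events:
        user = r.get("userIdentity", {}).get("userName", "<unknown>")
        if r["eventName"] == SIGN_ON_EVENT and "errorCode" in r:
            failed[(user, r.get("sourceIPAddress"))] += 1
        if r["eventName"] in PERMISSION_SET_EVENTS:
            permission_set_changes.append((r["eventTime"], r["eventName"], user))
    flagged = sorted(pair for pair, n in failed.items() if n >= threshold)
    return {
        "event_counts": dict(by_name),
        "failed_sign_ons": dict(failed),
        "flagged": flagged,
        "permission_set_changes": sorted(permission_set_changes),
    }


if __name__ == "__main__":
    summary = summarize_sso_activity(load_records(SAMPLE_TRAIL))
    print("SSO events by name:", summary["event_counts"])
    print("Flagged (user, IP) pairs:", summary["flagged"])
    for when, name, who in summary["permission_set_changes"]:
        print(f"{when}  {name:<40} by {who}")
```

The script reads a single trail file; in practice the same functions would be run over each gzipped file CloudTrail delivers to its S3 bucket, and the flagged pairs and permission-set changes would feed an alerting pipeline rather than print statements.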