Authentication & Authorization

The users in an organization can access their AWS accounts via the Management Console, CLI, or API. When dealing with multiple accounts, managing access to them can become challenging very quickly. Customers often configure Single Sign-On (SSO) to simplify this, allowing access to multiple accounts and roles from one place.

AWS Control Tower configures AWS Single Sign-On (AWS SSO), making it easy to manage SSO access to multiple AWS accounts and cloud applications centrally.

You can use AWS Single Sign-On (AWS SSO) to authenticate identities from external identity providers (IdPs) through the Security Assertion Markup Language (SAML) 2.0 standard. This enables your users to sign in to the AWS SSO user portal with their corporate credentials. They can then navigate to their assigned accounts, roles, and applications hosted in external identity providers. The IdP remains the source of truth for authentication; AWS only trusts the signed SAML assertion it receives, so the assertion's issuer, audience, and validity window are what bind the IdP's decision to the AWS side.

AWS SSO started supporting external IdPs towards the end of 2019. Customers who deployed their multi-account environment before external IdP support could be using an alternative IAM federation approach to integrate with their corporate credentials.

In this section, we will cover both scenarios:

1. AWS Single Sign-On

   - Azure AD - with SAML based authentication and SCIM based user/group automated provisioning
   - Okta - with SAML based authentication and SCIM based user/group automated provisioning
   - OneLogin - with SAML based authentication
   - AD Connector

2. Identity and Access Management (IAM) federation

   - Azure AD - with SAML based authentication
   - Okta - with SAML based authentication
   - OneLogin - with SAML based authentication