How can I design and implement SSO?

87 | Asked by ConnorPeake in AWS, Asked on Apr 12, 2024

I am currently working as a cloud architect for a large organization that relies heavily on various AWS services. The company wants to roll out AWS single sign-on (SSO) to simplify user access management across its multiple AWS accounts. How can I design and implement it?

Answered by debbie Jha

In the context of AWS, here is how you can design and implement a single sign-on solution for your company:

Design considerations

Identify the AWS accounts and applications that users need to access.

Plan the integration with the existing identity providers, if applicable.

Decide on the AWS SSO region to be used for centralized user management.

Set up AWS SSO in the AWS Management Console

First, you need to set up AWS SSO in the Management Console. To do this, navigate to the AWS SSO console and choose "Enable AWS SSO".

Configure identity sources

If you are using AWS Directory Service, you can set up AWS Managed Microsoft AD or connect to an existing Microsoft AD.

If you are using an external IdP, configure the trust relationship and the user attribute mapping.

Assign users to groups

Create user groups in AWS SSO and assign users to these groups based on their roles and permission requirements.

Implement SAML integration for applications

Obtain the SAML metadata from AWS SSO and provide it to the application's SAML configuration settings.

Configure AWS CLI and SDK access

You can use AWS SSO to grant AWS CLI and SDK access to users and groups.

Here is an example demonstrating AWS CLI authentication with AWS SSO:

import subprocess
import json


def configure_aws_sso(sso_start_url, region, sso_profile):
    # The start URL belongs in the named profile (aws sso login has no --sso-start-url flag);
    # the profile also needs sso_region, sso_account_id and sso_role_name (see `aws configure sso`)
    if sso_start_url:
        subprocess.run(['aws', 'configure', 'set', 'sso_start_url', sso_start_url,
                        '--profile', sso_profile], check=True)
    # Run aws sso login to initiate the browser-based login for the profile
    subprocess.run(['aws', 'sso', 'login', '--profile', sso_profile], check=True)
    # Get the profile's short-lived role credentials as JSON (AWS CLI v2 `export-credentials`;
    # `aws sso get-role-credentials` would also need the account id, role name and access token)
    result = subprocess.run(['aws', 'configure', 'export-credentials', '--profile', sso_profile,
                             '--format', 'process'], capture_output=True, text=True, check=True)
    sso_credentials = json.loads(result.stdout)
    # Extract the SSO credentials
    sso_access_key_id = sso_credentials['AccessKeyId']
    sso_secret_access_key = sso_credentials['SecretAccessKey']
    sso_session_token = sso_credentials['SessionToken']
    # Configure the AWS CLI default profile with the obtained SSO credentials
    # (they expire with the SSO session; the session token must always be set alongside them)
    subprocess.run(['aws', 'configure', 'set', 'aws_access_key_id', sso_access_key_id], check=True)
    subprocess.run(['aws', 'configure', 'set', 'aws_secret_access_key', sso_secret_access_key], check=True)
    subprocess.run(['aws', 'configure', 'set', 'aws_session_token', sso_session_token], check=True)
    subprocess.run(['aws', 'configure', 'set', 'region', region], check=True)


# Example usage
sso_start_url = ''
region = 'us-east-1'
sso_profile = 'my-sso-profile'
configure_aws_sso(sso_start_url, region, sso_profile)
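An added example, not part of the answer above, that complements the CLI/SDK access step: it audits the CLI profiles on a workstation and classifies each as a complete SSO profile, an incomplete one (login would fail), or one backed by long-lived static keys in ~/.aws/credentials, which is the pattern SSO access is meant to replace. The config contents, start URL and account ids are constructed; `audit_profiles` is a hypothetical helper name.

```python
import configparser

# Keys an SSO profile needs so the CLI can obtain short-lived role credentials
SSO_KEYS = {"sso_account_id", "sso_role_name"}
# Constructed sample ~/.aws/config (hypothetical start URL and account ids)
SAMPLE_CONFIG = """
[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
[profile dev]
sso_session = corp
sso_account_id = 111111111111
sso_role_name = DeveloperAccess
[profile legacy]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 222222222222
[default]
"""
# Constructed sample ~/.aws/credentials: long-lived keys pasted in, the pattern to flag
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLEKEY000000
aws_secret_access_key = constructed-example-secret
"""

def audit_profiles(config_text, credentials_text):
    # Classify each CLI profile as sso, incomplete-sso, static-keys or no-credentials
    cfg, creds = configparser.ConfigParser(), configparser.ConfigParser()
    cfg.read_string(config_text)
    creds.read_string(credentials_text)
    sessions = {s.split(" ", 1)[1] for s in cfg.sections() if s.startswith("sso-session ")}
    report = {}
    for section in cfg.sections():
        if section == "default" or section.startswith("profile "):
            name = section.split(" ", 1)[-1]
        else:
            continue  # sso-session blocks are not profiles
        keys = set(cfg[section])
        # A start URL can be given directly or via a referenced sso-session block
        has_start = "sso_start_url" in keys or cfg[section].get("sso_session") in sessions
        if has_start and SSO_KEYS <= keys:
            report[name] = "sso"
        elif has_start or keys & SSO_KEYS:
            report[name] = "incomplete-sso"
        elif creds.has_section(name) and "aws_access_key_id" in creds[name]:
            report[name] = "static-keys"
        else:
            report[name] = "no-credentials"
    return report
```

Run it against the real files by passing `open("~/.aws/config").read()` style contents; profiles reported as static-keys are candidates for migration to SSO profiles.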
