Setting Up Single Sign-On Between AWS SSO and a Sample SAML Service Provider

Single Sign-On (SSO) is a crucial component of modern identity and access management: users authenticate once, at the identity provider (IdP), and each service provider (SP) accepts the IdP's signed assertion instead of running its own login. In this hands-on guide, we'll walk you through setting up SSO between AWS SSO (since renamed IAM Identity Center; the console steps below use the older name) acting as the IdP and a sample SAML (Security Assertion Markup Language) 2.0 service provider. By following these steps, you'll have a working authentication flow for a test user and will be able to see the assertion that makes it work.

Prerequisites:

  • AWS account with administrative access
  • Basic familiarity with AWS services
  • Google Chrome or Mozilla Firefox browser (for SAML Tracer plugin)

Section 1: Enabling AWS SSO

  1. Log in to your AWS Management Console.
  2. Navigate to AWS Single Sign-On (SSO).
  3. If you haven't already enabled AWS SSO, the console will prompt you to enable the service (AWS SSO requires AWS Organizations, so it may also ask you to create an organization for the account). Follow the on-screen instructions.

Section 2: Create a Test User

  1. After enabling AWS SSO, select your identity source. For this guide, we'll use the built-in AWS SSO identity store (the default), so no changes are required.
  2. Let's add a test user. Enter the user details: name it "test user one", use an email address in the example.com domain, and fill in the first name as "test" and the last name as "user". You can leave the display name as "test user". Use a synthetic identity here rather than a real person's: the assertions you generate later in this guide are sent to a third-party test SP.
  3. You don’t need to create any groups at this point. Click “Add user.”
  4. Note the temporary password provided. This password will be used for the initial login.
  5. Access the user portal URL provided.

Section 3: Test User Login

  1. On the login page, enter the username as “test user one” and the temporary password.
  2. After entering the temporary password, you will be prompted to set a new password.
  3. Your browser may offer to save the new password; that is optional.
  4. You will be logged in to the AWS SSO dashboard, which may be empty at this stage as no applications are configured.

Section 4: Configure a Test SAML Application

  1. Return to the AWS SSO console.
  2. In the “Applications” tab, you’ll notice that there are no applications configured.
  3. Let’s configure a test SAML application. For this guide, we’ll use the RSA sample application for testing.
  4. Search for “RSA SAML test” on Google to find the RSA SAML 2.0 test service provider.
  5. Follow the instructions on the RSA page for an IdP-initiated SSO setup, in which the user starts from the AWS SSO portal and the SP receives an unsolicited SAML response. IdP-initiated flows are convenient for testing but weaker than SP-initiated ones: the SP never issued a request, so it has no InResponseTo value to tie the response to. Prefer SP-initiated SSO for real applications that support it.
  6. From the RSA instructions, note the SP's entity ID (the audience the assertion must be issued for) and its Assertion Consumer Service (ACS) URL (the endpoint the browser posts the SAML response to). These two values are what AWS SSO needs.

Section 5: Add the SAML Application to AWS SSO

  1. Return to the AWS SSO console.
  2. Click “Add a new application” and select “Custom SAML application.”
  3. Name the application (e.g., “rc test sample”).
  4. In the "Application metadata" section, choose to enter the values manually: put the RSA ACS URL in the Application ACS URL field and the RSA entity ID in the Application SAML audience field. (If an SP gives you a metadata XML file instead, uploading it here fills both fields and avoids copy errors.) Check that the ACS URL uses https before saving.
  5. Save the changes.
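
Rather than hand-copying the two values, you can pull them from the SP's metadata XML when the SP publishes one. The following Python script is an added example written for this guide, not code from AWS or RSA. The metadata embedded in it is constructed, with placeholder hostnames under example.test; the RSA test SP's real entity ID and ACS URL are not reproduced here. It returns the entity ID (the value for the SAML audience field), the HTTP-POST ACS URL (the value for the ACS URL field), and warnings worth reading before you save the application.

```python
"""Pull the SP entity ID and the HTTP-POST ACS URL out of SAML 2.0 SP metadata,
so the values pasted into the AWS SSO application form come from the SP's own
metadata rather than from a hand-copied string."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted files

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata with placeholder hostnames (not the RSA test SP).
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.test/saml/artifact" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return entity ID, the ACS URL to configure, all ACS endpoints and warnings."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:  # IdP metadata carries an IDPSSODescriptor instead
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    endpoints = [{
        "binding": acs.get("Binding"),
        "location": acs.get("Location"),
        "index": int(acs.get("index", "0")),
        "default": acs.get("isDefault") == "true",
    } for acs in sp.findall("md:AssertionConsumerService", NS)]
    # The browser POSTs the response to the ACS, so only HTTP-POST endpoints
    # qualify; prefer the one flagged isDefault, then the lowest index.
    post = sorted((e for e in endpoints if e["binding"] == HTTP_POST),
                  key=lambda e: (not e["default"], e["index"]))
    if not post:
        raise ValueError("SP advertises no HTTP-POST AssertionConsumerService")
    acs_url = post[0]["location"]
    warnings = []
    if not acs_url.lower().startswith("https://"):
        warnings.append("ACS URL is not https; the assertion would travel in the clear")
    if sp.get("WantAssertionsSigned") != "true":
        warnings.append("SP does not declare WantAssertionsSigned=true")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs_url,
        "acs_endpoints": endpoints,
        "nameid_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)],
        "warnings": warnings,
    }


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("Application SAML audience :", info["entity_id"])
    print("Application ACS URL       :", info["acs_url"])
    print("NameID formats            :", ", ".join(info["nameid_formats"]))
    for w in info["warnings"]:
        print("WARNING:", w)
```

Replace SAMPLE_SP_METADATA with the contents of the SP's metadata file to run it against a real SP. The NameID formats it lists tell you which format to pick for the Subject mapping in the next section.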

Section 6: Attribute Mapping

  1. In the same application configuration, proceed to the “Attribute mapping” section.
  2. Configure attribute mappings based on your requirements. At a minimum, map the Subject: it becomes the NameID of the assertion, which is how the SP identifies the user, so map it to the attribute the SP uses as its login name (for example ${user:email} with the emailAddress format).
  3. Click “Save changes.”

Section 7: Assign Users

  1. Assign the test user created earlier to this new application. Only assigned users (or members of assigned groups) see the application in the portal and can obtain an assertion for it, so limit assignments to the people who need access.

Section 8: Test SAML Authentication

  1. Access the user portal URL again and log in using the test user’s credentials.
  2. After a successful login, the test application appears in the portal. Clicking it starts the IdP-initiated flow: AWS SSO issues a signed SAML response and your browser posts it to the RSA ACS URL.

Section 9: Monitor SAML with SAML Tracer (Firefox)

  1. Install the "SAML-tracer" extension in Mozilla Firefox (a Chrome version also exists) and open it before you click the application tile.
  2. In the trace, select the POST to the ACS URL; the SAML tab shows the decoded SAMLResponse. Check the Issuer, the NameID in the Subject (the result of your Subject mapping), the Audience (must equal the SP entity ID), the Recipient and Destination (must equal the ACS URL), the Conditions validity window, and the AttributeStatement. A captured response is a bearer credential until its NotOnOrAfter time, so treat trace exports as sensitive.

Section 10: Add Additional Attributes

  1. To enhance the attribute mapping, add attributes such as given name, family name and email address following the same process (AWS SSO exposes them as ${user:givenName}, ${user:familyName} and ${user:email}). Use the attribute names the SP expects, and send only the attributes it needs.
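
To confirm what SAML Tracer shows you, and that the attributes mapped in Sections 6 and 10 arrived as intended, the following Python script decodes a base64 SAMLResponse (the form field SAML Tracer captures on the POST to the ACS URL) and checks the fields a relying party must validate: success status, a Signature element, Destination and Recipient against the ACS URL, Audience against the SP entity ID and the validity window, then lists the NameID and attributes. It is an added example written for this guide, not code from AWS, RSA or the SAML-tracer project. The response it decodes is constructed, with placeholder URLs under example.test, a synthetic user and a dummy SignatureValue, and the script only checks that a signature element is present; it does not verify the signature cryptographically. That, plus replay protection, is the SP's job.

```python
"""Decode a SAMLResponse captured with SAML Tracer and check the fields a relying
party must validate.  Inspection aid only: it checks that a Signature element is
PRESENT; it does not verify it.  The SP must do that with the IdP certificate."""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: placeholder IdP/SP URLs, dummy SignatureValue, synthetic user.
SAMPLE_SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SAMPLE_ACS_URL = "https://sp.example.test/saml/acs"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # inside the window below
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{SAMPLE_ACS_URL}">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuserone@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="{SAMPLE_ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SAMPLE_SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="familyName"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>testuserone@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_saml_response(b64_response: str, sp_entity_id: str, acs_url: str, now: datetime) -> dict:
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    problems = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted; decrypt it before inspecting")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected one Assertion, found {len(assertions)}")
        return {"problems": problems}
    a = assertions[0]
    # Presence only: a Signature may sit on the Response, the Assertion, or both.
    signed = root.find("ds:Signature", NS) is not None or a.find("ds:Signature", NS) is not None
    if not signed:
        problems.append("no ds:Signature on Response or Assertion")
    if root.get("Destination") not in (None, acs_url):
        problems.append(f"Destination {root.get('Destination')} is not the ACS URL")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"SP entity ID missing from Audience {audiences}")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"issuer": (a.findtext("saml:Issuer", namespaces=NS) or "").strip(),
            "name_id": name_id.text if name_id is not None else None,
            "name_id_format": name_id.get("Format") if name_id is not None else None,
            "audiences": audiences, "attributes": attrs, "signed": signed, "problems": problems}


def inspect_sample() -> dict:
    return inspect_saml_response(SAMPLE_RESPONSE_B64, SAMPLE_SP_ENTITY_ID, SAMPLE_ACS_URL, SAMPLE_NOW)


if __name__ == "__main__":
    r = inspect_sample()
    print("NameID :", r["name_id"], f"({r['name_id_format']})")
    for name, values in r["attributes"].items():
        print(f"  {name} = {values}")
    print("Problems:", r["problems"] or "none")
```

To run it against a real trace, copy the SAMLResponse value from the Parameters tab of the POST to the ACS URL into SAMPLE_RESPONSE_B64, set the entity ID and ACS URL you configured in Section 5, and pass the current UTC time as now. An empty problems list means the response names the right SP and endpoint and is inside its validity window; the attributes dictionary is what the SP actually received from your mappings.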

Conclusion: Congratulations! You've successfully set up Single Sign-On (SSO) between AWS SSO and a sample SAML service provider. This integration streamlines user authentication and, by keeping credentials at the identity provider, reduces the number of places a password is handled. You can now extend this setup by adding more applications and fine-tuning attribute mappings to suit your organization's needs. Please subscribe to our channel for more SSO and OpenID Connect-related content, and feel free to leave any questions or comments for us to address.
