Skip to content


Follow the steps documented below to integrate access to your controller's web console with AWS SSO for Single Sign On (SSO).


Only users with "Organization Admin" privileges can configure SSO in the controller's web console.

Step 1: Create IdP

  • Login into the controller's web console as an Organization Admin
  • Click on System -> Identity Providers
  • Click on "New Identity Provider"
  • Provide a name, select "Custom" from the "IdP Type" drop down
  • Enter the "Domain" for which you would like to enable SSO


Within an org, the domain of an IdP cannot be used for another IdP. A domain existing in an org can be used in multiple orgs (for one IdP in each org)

  • Keep the toggle "Encrypted SAML Assertion" disabled as AWS SSO does not support encrypted SAML assertion
  • Provide a name for the "Group Attribute Name"
  • Optionally, toggle "Include Authentication Context" if you wish to send/receive auth context information in assertion
  • Click on Save & Continue

Create IdP

Step 2: View SP Details

The IdP configuration wizard will display critical information that you need to copy/paste into your AWS SSO Console. Provide the following information to your AWS SSO administrator.

  • Assertion Consumer Service (ACS) URL
  • SP Entity ID
  • Name ID Format
  • Group Attribute Name

View SP Details

Step 3: Create App in AWS SSO

  • Login into your AWS SSO Admin Portal as an Administrator
  • Select Applications > Add a new application
  • Select "Add a custom SAML 2.0 application" from the AWS SSO Application Catalog

Create App Integration

Step 4: Configure SAML Settings

In the "Configure Custom SAML 2.0 application" page, go to "Details" section and:

  • Provide an Display name for the controller's web console
  • Optionally add the description for the controller's web console

Configure SAML

In the "Application metadata", click the option "If you don't have a metadata file, you can manually type your metadata values"

  • Copy/Paste the ACS URL from Step 2 into the "Application ACS URL"
  • Copy/Paste the Entity ID from Step 2 to "Application SAML audience"
  • Then Save changes

Configure SAML

Go to the "Attribute mappings" tab of the application

  • For the "Subject" attribute, enter "${user:email}" for the user attribute and select the Format as emailAddress
  • Click on "Add new attribute mapping"
  • Enter the Group Attribute Statement Name from Step 2 for the group attribute
  • For the group attribute, enter the user attribute that you would want to send to the application and the group attribute for the application to use for role based access control. For e.x., static text "OrgAdmin" or "${user:groups}" to send group ID, or any other custom user attribute
  • Then Save changes

Configure SAML

Go to the "Assign users" tab of the application

  • Click on "Assign Users"

Configure SAML

  • On Users tab, select the users to allow access the Application
  • On Groups tab, select the groups to allow users in the groups to access the Application

Configure SAML

Step 5: Configure Groups

  • Identical named groups with the "group attribute" names need to be created on the controller. Ensure that these groups are mapped to the appropriate Projects with the correct privileges. In the example below, the Group "OrgAdmin" is configured as an "Organization Admin" with access to all Projects.

Assign Groups

  • It is important to emphasize that because of SSO via AWS, user lifecycle management can be completely offloaded to the IdP. In the example below, note that there are no users managed in the "OrgAdmin" group because they are all managed in the attached AWS tenant.

Users in Group

  • If there is no group attribute sent from the AWS SSO, the users will have see the "No Access" message when they try to SSO to the controller's web console via AWS SSO. As an "Organization Admin", you can manually add the controller's local group to the AWS SSO IdP users to manage their access

Step 6: Specify IdP Metadata

  • Go back to AWS SSO Admin Portal > Applications > the controller's web console application's configuration page.
  • Select "Configuration" tab
  • Click on the "Download" link of the "AWS SSO SAML metadata" to download the IdP metadata URL
  • Copy the "Metadata URL" from the Metadata > Metadata URL section

IdP Metadata

  • Navigate back to the controller's web console's IdP configuration wizard
  • Go to Metadata Configuration tab
  • Select "IdP Metadata File" radio button
  • Upload the downloaded AWS SSO IdP Metadata file from AWS SSO to the controller's web console
  • Complete IdP Registration

Create App Integration

  • Once this process is complete, you can view details about the IdP configuration on the Identity Provider page.
  • You can also edit and update the configuration if required.

Completed IdP