Search
Clear search
Close search
Google apps
Main menu

Amazon Web Services cloud application

You must be signed in as a super administrator for this task.

Using Security Assertion Markup Language (SAML), your users can use their Google Cloud credentials to sign in to enterprise-cloud applications.

Set up SSO via SAML for Amazon Web Services

Here's how to set up Single Sign-On (SSO) via SAML for the Amazon Web Services® application.

Step 1: Set up Amazon Web Services as a SAML 2.0 service provider (SP)
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Security and then Set up single sign-on (SSO).

    To see Security, you might have to click More controls at the bottom. 

  3. Click the Download button to download the Google IdP metadata and the X.509 Certificate.
  4. In a new browser tab, log in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  5. In the navigation pane, select identity providers and then click Create SAML Provider.
  6. Select SAML as the Provider Type, and give it a name such as GoogleApps.
  7. Upload the IDP metadata you saved earlier from the Google Admin console SAML settings.
  8. Click Next Step and on the following page, click Create.
  9. Click the Roles tab on the left sidebar and click Create a New Role to create a role which will define the permissions.
  10. Select Set role name. This name will be displayed next to the login name on the AWS console.
  11. Select Role for Identity Provider Access.
  12. Select Grant Web Single Sign-On (WebSSO) access to SAML providers. Click Next Step.
  13. Leave the Establish trust settings as they are. Click Next Step.
  14. Use the Attach policy settings to define the policies your Federated Users will have. Click Next Step.
  15. On the following page, review your settings, then click Create the Role.
  16. Select your Google service from the identity providers list and note the Provider ARN. This contains your AWS Account ID and the name of the provider (example: arn:aws:iam::ACCOUNT_NUMBER:saml-provider/GoogleApps). 
  17. Click Save to save the Federated Web single sign-on configuration details.
Step 2: Set up Google as a SAML identity provider (IdP)
  1. In a new browser tab, 
    Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Security and then Set up single sign-on (SSO).

    To see Security, you might have to click More controls at the bottom. 

  3. Select the Add a service/App to your domain link or click the plus (+) icon in the bottom corner.
  4. Select the Amazon Web Services item from the list. The values on the Google IDP Information page automatically populate.
  5. There are two ways to collect the service provider Setup information:

    You can copy the Entity ID and the Single Sign-On URL field values and download the X.509 Certificate, paste them into the appropriate service provider Setup fields, and then click Next
    or
    You can download the IDP metadata, upload it into the appropriate service provider Setup fields, and then come back to the Admin console and click Next.
     
  6. In the Basic application information window, the Application name and Description values automatically populate. You can edit them.
  7. (Optional) Click Choose file next to the Upload Logo field to upload a PNG or GIF file to serve as an icon. The file size should be 256 pixels square.
  8. Click Next.
Step 3: Enter the Amazon Web Services specific service provider details in Google Admin console
  1. In the Service Provider Details section, enter the following into the Entity ID, ACS URL, and Start URL fields:
            ACS URL: https://signin.aws.amazon.com/saml
            Entity ID: https://signin.aws.amazon.com/saml
            Start URL: <Empty>
  2. Leave Signed Response unchecked.
    When the Signed Response checkbox is unchecked, only the assertion is signed. When the Signed Response checkbox is checked, the entire response is signed.
  3. The default Name ID is the primary email. Multi-value input is not supported. You can change the Name ID mapping as per your requirement. Custom attributes of the user schema can also be used after creating them via Google Admin SDK APIs. The custom attributes for the user schema need to be created prior to setting up the Amazon Web Services SAML application. 
  4. Click Next.
  5. Click Add new mapping and map the attribute value "https://aws.amazon.com/SAML/Attributes/RoleSessionNameto Basic Information > Primary Email and the attribute value "https://aws.amazon.com/SAML/Attributes/Roleto a custom attribute corresponding to the Amazon Web Services account.
  6. In the drop-down list, first select the Category and then choose a User attribute to map the attribute from the Google profile.
  7. Click Finish.
Step 4: Enable the Amazon Web Services app
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Security and then Set up single sign-on (SSO).

    To see Security, you might have to click More controls at the bottom. 

  3. Select Amazon Web Services.
  4. At the top of the gray box, click More Settingsand choose:
    • On for everyone to turn on the service for all users (click again to confirm).
    • Off to turn off the service for all users (click again to confirm).
    • On for some organizations to change the setting only for some users.
  5. Ensure that your Amazon Web Services user account email IDs match with those in your G Suite domain.
Step 5: Verify that SSO is working between G Suite and Amazon Web Services (G Suite only)

Note: Make sure you're still signed in to the account where you configured Amazon Web Services.

  1. Open a G Suite core service, such as Google Calendar, Drive, or Gmail. 
  2. At the top right, click the App Launcher App Launcher.
  3. Scroll to the apps section and click Amazon Web Services.
  4. If you are signed in to more than one account, select the account where Amazon Web Services is configured.
  5. If you configured more than one role, select a role from the list.
  6. Click Sign In.

You are signed in to Amazon Web Services.

Step 6: Set up user provisioning

You don't need to set up user provisioning for Amazon Web Services.

AWS supports role based logins to all SAML 2.0 IdP (Identity Provider) authenticated federated users. Specify the role by mapping the attribute value https://aws.amazon.com/SAML/Attributes/Role to a custom attribute corresponding to the Amazon Web Services account. See Step 3 above.

After you create this role mapping, your SAML SSO enabled users can sign in to the AWS Management Console, to a specified AWS Identity and Access Management (IAM) role, without you having to create corresponding IAM users in the Management Console.

Refer to AWS documentation for more details on AWS role mapping.

Was this article helpful?
How can we improve it?
Sign in to your account

Get account-specific help by signing in with your G Suite account email address, or learn how to get started with G Suite.