Clear search
Close search
Google apps
Main menu

Amazon Web Services cloud application

You must be signed in as a super administrator for this task.

Using Security Assertion Markup Language (SAML), your users can use their Google Cloud credentials to sign in to enterprise-cloud applications.

As administrator, you have to configure a few things to make it work, including:

  1. Set up the selected application as a SAML service provider (SP).
  2. Set up G Suite as a SAML identity provider (IdP).
  3. Enter application-specific service provider details in Google Admin console.
  4. Turn on single sign-on (SSO) for the application.
  5. Verify that the SSO is working.

Here's how to set up Single Sign-On (SSO) via SAML for the Amazon Web Services® application.

Set up Amazon Web Services as a SAML 2.0 service provider (SP)
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in

  2. From the Admin console dashboard, go to Security and then Set up single sign-on (SSO).

    To see Security, you might have to click More controls at the bottom. 

  3. Click the Download button to download the Google IdP metadata and the X.509 Certificate.
  4. In a new browser tab, log in to the AWS Management Console and open the IAM console at
  5. In the navigation pane, select identity providers and then click Create SAML Provider.
  6. Select SAML as the Provider Type, and give it a name such as GoogleApps.
  7. Upload the IDP metadata you saved earlier from the Google Admin console SAML settings.
  8. Click Next Step and on the following page, click Create.
  9. Click the Roles tab on the left sidebar and click Create a New Role to create a role which will define the permissions.
  10. Select Set role name. This name will be displayed next to the login name on the AWS console.
  11. Select Role for Identity Provider Access.
  12. Select Grant Web Single Sign-On (WebSSO) access to SAML providers. Click Next Step.
  13. Leave the Establish trust settings as they are. Click Next Step.
  14. Use the Attach policy settings to define the policies your Federated Users will have. Click Next Step.
  15. On the following page, review your settings, then click Create the Role.
  16. Select G Suite from the identity providers list and note the Provider ARN. This contains your AWS Account ID and the name of the provider (example: arn:aws:iam::ACCOUNT_NUMBER:saml-provider/GoogleApps). 
  17. Click Save to save the Federated Web single sign-on configuration details.
Choose the pre configured Amazon Web Services cloud application to set up G Suite as a SAML identity provider (IdP)
  1. In a new browser tab, sign in to your Admin console as a super administrator.
  2. Click Apps SAML apps.
  3. Select the Add a service/App to your domain link or click the plus (+) icon in the bottom corner.
  4. Select the Amazon Web Services item from the list. The values on the Google IDP Information page automatically populate.
  5. There are two ways to collect the service provider Setup information:

    You can copy the Entity ID and the Single Sign-On URL field values and download the X.509 Certificate, paste them into the appropriate service provider Setup fields, and then click Next
    You can download the IDP metadata, upload it into the appropriate service provider Setup fields, and then come back to the Admin console and click Next.
  6. In the Basic application information window, the Application name and Description values automatically populate. You can edit them.
  7. (Optional) Click Choose file next to the Upload Logo field to upload a PNG or GIF file to serve as an icon. The file size should be 256 pixels square.
  8. Click Next.
Enter the Amazon Web Services specific service provider details in Google Admin console
  1. In the Service Provider Details section, enter the following into the Entity ID, ACS URL, and Start URL fields:
            ACS URL:
            Entity ID:
            Start URL: <Empty>
  2. Leave Signed Response unchecked.
    When the Signed Response checkbox is unchecked, only the assertion is signed. When the Signed Response checkbox is checked, the entire response is signed.
  3. The default Name ID is the primary email. Multi-value input is not supported. You can change the Name ID mapping as per your requirement. Custom attributes of the User Schema can also be used after creating them via Google Admin SDK APIs. The custom attributes for the User Schema need to be created prior to setting up the Amazon Web Services SAML App. 
  4. Click Next.
  5. Click Add new mapping and map the attribute value " Basic Information > Primary Email and the attribute value " a custom attribute corresponding to the Amazon Web Services account.
  6. In the drop-down list, first select the Category and then choose a User attribute to map the attribute from the G Suite profile.
  7. Click Finish.
Turn on SSO for the Amazon Web Services app
  1. Sign in to your Admin console.
  2. Go to Apps SAML apps.
  3. Select Amazon Web Services.
  4. At the top of the gray box, click More Settingsand choose:
    • On for everyone to turn on the service for all users (click again to confirm).
    • Off to turn off the service for all users (click again to confirm).
    • On for some organizations to change the setting only for some users.
  5. Ensure that your Amazon Web Services user account email IDs match with those in your G Suite domain.
Verify that the SSO is working between G Suite and Amazon Web Services
  1. Open You should be automatically redirected to the G Suite sign-in page.
  2. Enter your sign-in credentials.
  3. After your sign-in credentials are authenticated you are automatically redirected back to Amazon Web Services.
Was this article helpful?
How can we improve it?
Sign in to your account

Get account-specific help by signing in with your G Suite account email address, or learn how to get started with G Suite.