
Amazon Web Services (AWS) (IdP-initiated) integration guide

Use this guide to enable Multi-Factor Authentication and Single Sign-on (SSO) access via SAML to AWS.

Three configuration steps are involved in the integration process:

  1. Create a SecureAuth IdP realm to integrate with AWS via SAML, and generate the SAML metadata file used by AWS to validate assertions from SecureAuth IdP (IdP configuration, part 1).

  2. Configure AWS to use SecureAuth IdP as a SAML Identity Provider, and create a Role that can access the AWS account via SSO (AWS configuration).

  3. Input values from the AWS Role into the SecureAuth IdP realm to configure the SAML provider (IdP configuration, part 2).


Prerequisites

  • SecureAuth IdP release 9.1-9.3

  • An AWS account

  • A new realm with the following tabs configured:

    • Overview – the description of the realm and SMTP connections must be defined

    • Data – a data store must be integrated with the IdP

    • Workflow – the way in which users will access this application must be defined

    • Multi-Factor Methods – the SSO Authentication method that will be used to access this application must be defined

IdP configuration, part 1


Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes.

  1. Navigate to the Post Authentication tab for the realm to integrate with AWS SAML.

  2. In the Post Authentication section, select SAML 2.0 (IdP Initiated) Assertion for Authenticated User Redirect.

    The Redirect To field auto-populates with a URL that cannot be edited; it appends Authorized/SAML20IdPInit.aspx to the domain name and realm number shown in the address bar.

  3. In the User ID Mapping section, set the following:

    User ID Mapping

    Select Authenticated User ID.

    Name ID Format

    Select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

    Encode to Base64

    Select False.

  4. In the SAML Assertion / WS Federation section, set the following:

    SAML Consumer URL

    Set to

    WSFed / SAML Issuer

    Set to a Unique Name that will be shared with AWS to identify the IdP as the SAML issuer.


    The WSFed/SAML Issuer must match exactly on the SecureAuth IdP side and the AWS side.

    SAML Recipient

    Set to

    SAML Audience

    Set to

    Sign SAML Assertion

    Select True.

    Signing Cert Serial Number

    Leave as the default value unless using a third-party certificate for the SAML assertion.

    If using a third-party certificate, click Select Certificate and choose the appropriate certificate.


    Provide the Domain Name (Public Server Address).

    Click Download to save a copy of the realm's Metadata File.


    Record the download location of MetaData.xml as this file is used in the AWS configuration steps. The metadata includes the realm's signing certificate, which AWS uses to validate assertion signatures; if that certificate is later replaced, generate a new metadata file and update the AWS identity provider with it, or sign-ins will fail.

  5. Click Save.

  6. Continue to AWS configuration.

AWS configuration


There will be more IdP configurations after you complete the AWS configuration.

Create SAML provider

  1. Log into the AWS Management Console.

  2. In the Security & Identity section, click Identity & Access Management.

  3. Select Identity Providers in the left pane.

  4. Click Create Provider.

  5. In the Step 1: Configure Provider section, set the following:

    Provider Type

    Select SAML.

    Provider Name

    Set the Provider Name. You cannot change this name once you create the Identity Provider profile in AWS.

    Metadata Document*

    Click Choose File and select the MetaData.xml file downloaded from the IdP.

  6. Click Next Step.

  7. In the Step 2: Verify section, review the configured settings.

  8. Click Create.


    Details about the SAML Identity Provider appear after the provider is successfully created.


Create Role

This integration requires a role. Create any role (for example, an admin or user role) according to your AWS needs, but the role you create must be applied to every end user who accesses AWS through the IdP.

As a best practice, create a separate AWS application in the IdP for each distinct AWS role. For example, in the IdP, create two AWS applications, one for Admins (realm 1), and one for Users (realm 2).

If you use only one role (for example, Admins), you only need to create one AWS application in the IdP.

If you use more than one role, each AWS application (realm) in the IdP requires both Part 1 and Part 2 of the IdP configuration. Part 2 differs per realm because each realm carries the ARN values (Amazon Resource Names) that identify that role and its permissions.

See Creating a Role for SAML 2.0 Federation (AWS Management Console) for more information.

To create and configure a role:
  1. Select Roles in the left pane.

  2. Click Create New Role.

  3. In the Step 1: Set Role Name section, set the Role Name. For example, Admin.

  4. Click Next Step.

  5. In the Step 2: Select Role Type section, set the following:

    Select Role Type

    Select Role for Identity Provider Access.

    Grant Web Single Sign-on (Web SSO) access to SAML providers

    Click Select.

  6. Click Next Step.

  7. In the Step 3: Establish Trust section, set the SAML Provider to the SAML Provider created earlier in the Create SAML Provider section.

  8. Click Next Step.

  9. Verify the Role's trust relationship.

  10. Click Next Step.

  11. In the Step 4: Attach Policy section, select one or more policies to attach to the Role.

  12. Click Next Step.

  13. Review information assigned to the Role and make any necessary edits.



    The Role ARN and Trusted Entities SAML Provider ARN appear on the Review page. These two ARN values are stored either in the enterprise directory (for example, Active Directory) or in a Global Auxiliary ID, as a single string with the two ARNs separated by a comma. For example:


    You can view this information at any time on the Trust Relationships tab in the Roles Summary page for the configured entity.

  14. Click Create Role.

  15. Return to the IdP to complete integration.
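The trust relationship verified in step 9 is what limits who can assume the role. The following check is an added example written for this guide (not SecureAuth or AWS code): it parses a trust policy document in the shape the IAM console shows on the role's Trust Relationships tab and confirms that every Allow statement grants only sts:AssumeRoleWithSAML, only to the intended SAML provider ARN, and only under a StringEquals SAML:aud condition for the AWS sign-in endpoint. The account ID 123456789012, the provider name SecureAuthIdP and the sign-in endpoint URL are assumptions; confirm the endpoint against AWS documentation.

```python
"""Check an IAM role trust policy created for SAML web SSO.

Added example, not SecureAuth or AWS code. The policy below is constructed
in the shape the IAM console shows on a role's Trust Relationships tab;
account 123456789012 and the provider name SecureAuthIdP are placeholders.
"""
import json
import re

# Assumed: the AWS SAML sign-in endpoint that AWS puts in the SAML:aud
# condition of a web-SSO role (verify against AWS documentation).
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
EXPECTED_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/SecureAuthIdP"

PROVIDER_ARN = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w+=,.@-]+$", re.ASCII)

# Constructed sample: what a correctly created web-SSO role's trust policy looks like.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": EXPECTED_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
    }],
})


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, expected_provider_arn):
    """Return a list of findings; empty means every Allow statement is as expected.

    Expected: action limited to sts:AssumeRoleWithSAML, principal limited to the
    one SAML provider ARN, and a StringEquals SAML:aud condition on the AWS endpoint.
    """
    findings = []
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    if not statements:
        findings.append("policy has no statements")
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        if actions != ["sts:AssumeRoleWithSAML"]:
            findings.append(f"statement {i}: actions {actions} are not exactly sts:AssumeRoleWithSAML")
        principal = st.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not federated:
            findings.append(f"statement {i}: principal {principal!r} is not a federated SAML provider")
        for arn in federated:
            if not PROVIDER_ARN.match(arn):
                findings.append(f"statement {i}: malformed provider ARN {arn}")
            elif arn != expected_provider_arn:
                findings.append(f"statement {i}: trusts {arn}, expected {expected_provider_arn}")
        cond = st.get("Condition") or {}
        aud = _as_list(cond.get("StringEquals", {}).get("SAML:aud"))
        if aud != [AWS_SAML_AUDIENCE]:
            findings.append(f"statement {i}: SAML:aud condition is {aud}, expected [{AWS_SAML_AUDIENCE}]")
    return findings


if __name__ == "__main__":
    for finding in check_trust_policy(SAMPLE_TRUST_POLICY, EXPECTED_PROVIDER_ARN) or ["trust policy OK"]:
        print(finding)
```

Run it against the JSON copied from the Trust Relationships tab of each role you create; a policy that trusts a second provider ARN, a wildcard principal, or lacks the SAML:aud condition produces a finding and should be corrected before users are pointed at the realm.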

IdP configuration, part 2

  1. In the Classic Experience, navigate to the Data tab for the realm integrated with AWS SAML.


    Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes.

  2. In the Global Aux Fields section, set the following:

    Global Aux ID 1

    Set to the Role ARN and Trusted Entities SAML Provider ARN values provided by AWS.


    This is the suggested configuration rather than storing the values in the enterprise directory. If storing the values in the directory, then the attribute used to contain the values (for example, description, postalAddress, etc.) must be mapped to a SecureAuth IdP Profile Property (for example, Aux ID 1).

  3. Click Save.

  4. Navigate to the Post Authentication tab.


    Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes.

  5. In the SAML Attributes / WS Federation section, set the following for Attribute 1:


    Set to


    Select Global Aux ID 1.

    If storing the ARN values in the directory instead of employing the Global Aux ID, then select the SecureAuth IdP Profile Property mapped to the attribute containing the ARN values.

  6. For Attribute 2, set the following:


    Set to


    Select Authenticated User ID.

    This value appears in the upper right area of the AWS Management Console once the user is logged in.

  7. Click Save.
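To see the two attributes from steps 5 and 6 in context, and to catch content mistakes before the first sign-in attempt, here is an added pre-flight check written for this guide (example code, not SecureAuth or AWS code). It parses a constructed assertion in the shape the realm emits and confirms that the Issuer matches the WSFed/SAML Issuer from part 1, that the NameID format, Recipient and Audience are set for AWS, that each Role value is a well-formed role ARN and SAML provider ARN pair in the same account, and that the RoleSessionName (the Authenticated User ID) fits the character set AWS accepts for session names. The AWS URLs, attribute names and the session-name rule are assumptions taken from AWS's SAML documentation, and the account ID and names are placeholders. It does not verify the XML signature; AWS does that with the certificate from the uploaded metadata.

```python
"""Pre-flight content check of a SAML assertion intended for AWS web SSO.

Added example, not SecureAuth or AWS code. Checks the assertion body only;
the XML signature is not verified here (AWS verifies it against the
certificate in the uploaded metadata).
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed AWS-side values (taken from AWS SAML documentation; verify them):
AWS_ACS_URL = "https://signin.aws.amazon.com/saml"
AWS_AUDIENCE = "urn:amazon:webservices"
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$", re.ASCII)
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w+=,.@-]+$", re.ASCII)
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$", re.ASCII)

# Constructed sample assertion; account 123456789012 and all names are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>SecureAuthIdP</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://signin.aws.amazon.com/saml" NotOnOrAfter="2024-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/SecureAuthIdP</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(root, name):
    """Return the text of every AttributeValue under the attribute called name."""
    return [
        (v.text or "").strip()
        for a in root.findall(".//saml:Attribute", NS)
        if a.get("Name") == name
        for v in a.findall("saml:AttributeValue", NS)
    ]


def check_aws_assertion(xml_text, expected_issuer):
    """Return a list of findings; an empty list means AWS should accept the content."""
    findings = []
    root = ET.fromstring(xml_text)

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} does not match the configured WSFed/SAML Issuer")

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        findings.append("NameID missing or not in persistent format")

    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != AWS_ACS_URL:
        findings.append("Recipient is not the AWS SAML endpoint")

    audiences = [(a.text or "").strip() for a in root.findall(".//saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        findings.append(f"Audience {audiences} does not include {AWS_AUDIENCE}")

    roles = attribute_values(root, AWS_ROLE_ATTR)
    if not roles:
        findings.append("Role attribute missing")
    for value in roles:
        parts = value.split(",")
        if len(parts) != 2:
            findings.append(f"Role value is not a 'roleArn,providerArn' pair: {value}")
            continue
        # Identify each half by its resource type rather than by position.
        role = next((ROLE_ARN.match(p) for p in parts if ROLE_ARN.match(p)), None)
        provider = next((PROVIDER_ARN.match(p) for p in parts if PROVIDER_ARN.match(p)), None)
        if role is None or provider is None:
            findings.append(f"Role value contains a malformed ARN: {value}")
        elif role.group(1) != provider.group(1):
            findings.append(f"role and provider ARNs are in different accounts: {value}")

    sessions = attribute_values(root, AWS_SESSION_ATTR)
    if len(sessions) != 1:
        findings.append("RoleSessionName must be present exactly once")
    elif not SESSION_NAME.match(sessions[0]):
        findings.append(f"RoleSessionName {sessions[0]!r} must be 2-64 chars of [A-Za-z0-9_+=,.@-]")
    return findings


if __name__ == "__main__":
    for finding in check_aws_assertion(SAMPLE_ASSERTION, "SecureAuthIdP") or ["assertion content OK"]:
        print(finding)
```

The RoleSessionName check is the one most often tripped: a user ID in DOMAIN\user form, or one longer than 64 characters, passes the IdP but is refused by AWS, so map a directory attribute that fits the pattern. Decode a real assertion (the Encode to Base64 setting above is False, so the form post carries XML) and feed it to check_aws_assertion with your realm's WSFed/SAML Issuer.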


If you need help with this integration, please contact SecureAuth Support.