
  1. Go to and click Sign in to the Console.

  2. Sign in to AWS Console using a valid AWS account.
  3. In the AWS Services page, under Security, Identity & Compliance, click IAM.
  4. In the left navigation panel, click Identity providers.
  5. Click Create Provider.
  6. Create an identity provider by selecting SAML as the provider type, entering a Provider Name, uploading the IdP metadata XML file, and clicking Next Step.
  7. Verify the Provider information and click Create.

    Once the identity provider is created, a message confirms that the SAML provider was created, and the new provider is listed with its Type of protocol and Creation Time.
  8. Now, you need to configure a role for SSO. In the left navigation panel, click Roles.
  9. Click Create new role.
  10. In the Select role type screen, select the Role for identity provider access option, and then click the Select button for Grant Web Single Sign-On (WebSSO) access to SAML providers.
  11. In the Establish Trust page, select the SAML provider that you are creating the role for (i.e. wso2_identity_cloud) and click Next Step.
  12. In the Verify Role Trust page, verify the Policy Document, and click Next Step.
  13. In the Attach Policy page, select the AdministratorAccess policy and click Next Step.
  14. In the Set role name and review page, provide a valid role name and click Create Role.

    Once the role is created, you can see it listed with its name, description and creation time.
  15. The next step is to configure an on-premise user store for AWS. Since AWS needs a special claim to decide the permissions of the user signing in, make the following changes in the <ON_PREMISE_AGENT_HOME>/conf/claim-config.xml file. This file is created when you download the agent.

AWS LDAP Settings

It is required at the AWS end to have an LDAP attribute set for the users.

The value of the attribute should be <AWS_SSO_ROLE_ARN>,<AWS_SSO_IDP_ARN>

e.g. arn:aws:iam::126899752430:role/doc_role,arn:aws:iam::126899752430:saml-provider/wso2_identity_cloud
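
The following check is an added example, not part of the original WSO2 documentation: it validates an attribute value in the `<AWS_SSO_ROLE_ARN>,<AWS_SSO_IDP_ARN>` format above and audits the role trust policy reviewed in the Verify Role Trust step. The function names and the sample policy are constructed for illustration; the policy shape (`sts:AssumeRoleWithSAML`, a `Federated` principal, and a `SAML:aud` condition) is assumed to follow what AWS documents for SAML console sign-in.

```python
import re

# ARN shapes used on this page: an IAM role and an IAM SAML provider.
ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
IDP_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w.-]+$")
AWS_SAML_AUD = "https://signin.aws.amazon.com/saml"  # audience for console SSO

def parse_role_attribute(value):
    """Split '<AWS_SSO_ROLE_ARN>,<AWS_SSO_IDP_ARN>' and validate both halves."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("expected exactly two comma-separated ARNs")
    role, idp = ROLE_RE.match(parts[0]), IDP_RE.match(parts[1])
    if not role or not idp:
        raise ValueError("expected a role ARN followed by a SAML provider ARN")
    if role.group(1) != idp.group(1):
        raise ValueError("role and provider are in different accounts")
    return parts[0], parts[1]

def as_list(x):
    return [x] if isinstance(x, str) else list(x or [])

def trust_policy_findings(policy, idp_arn):
    """List problems in a role trust policy meant for SAML web SSO."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    allow = [s for s in stmts if s.get("Effect") == "Allow"]
    findings = [] if allow else ["no Allow statement"]
    for s in allow:
        principal = s.get("Principal")
        fed = as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if fed != [idp_arn]:
            findings.append("principal is not exactly the expected SAML provider")
        if as_list(s.get("Action")) != ["sts:AssumeRoleWithSAML"]:
            findings.append("action is not only sts:AssumeRoleWithSAML")
        cond = s.get("Condition", {}).get("StringEquals", {})
        if cond.get("SAML:aud") != AWS_SAML_AUD:
            findings.append("SAML:aud condition missing or unexpected")
    return findings

# Constructed sample: the page's example ARNs and a trust policy written for them.
SAMPLE_ATTR = ("arn:aws:iam::126899752430:role/doc_role,"
               "arn:aws:iam::126899752430:saml-provider/wso2_identity_cloud")
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": SAMPLE_ATTR.split(",")[1]},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUD}}}]}
```

An empty list from `trust_policy_findings(SAMPLE_POLICY, idp_arn)` means the role can only be assumed through the named SAML provider for console sign-in.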


Configuring WSO2 Identity Cloud for SSO with AWS

  1. Log in to WSO2 Identity Cloud.
  2. Click the menu icon in the top left corner of the screen.

  3. Click Applications from the Admin Portal to navigate to the Application list.
  4. Click ADD APPLICATION to add an AWS application.
  5. Select the AWS icon.
  6. Provide an application name and click Add.
  7. In Store Configuration, provide a Display name, and click Save.

    The added AWS app is displayed in the Identity Cloud/Applications page.
  8. Once the application is added, it is listed in User Portal. Click Go to User Portal at the top right corner of the page. 
  9. Click the added AWS App.

    Now you can access the AWS home page without having to sign in because you configured SSO between AWS and WSO2 Identity Cloud.