
Amazon Web Services (AWS) supports single sign-on (SSO) that is initiated by the identity provider. AWS can be integrated with the WSO2 Identity Cloud, as described in this topic, to provide SSO for users of this application.

In this tutorial, you will learn how to configure single sign-on for your AWS application.

  1. Log in to the Identity Cloud.
  2. Click Download IDP metadata to download the metadata XML file.
  3. Go to and sign in to the AWS Management Console using a valid AWS account.
  4. On the AWS services page, under Security, Identity & Compliance, click IAM.
  5. In the left navigation panel, click Identity providers.
  6. Create an identity provider by selecting SAML as the provider type, entering a provider name, and uploading the IDP metadata XML file.
  7. Now, you need to configure a role for SSO. In the left navigation panel, click Roles.
  8. Enter a unique role name and click Next Step at the bottom of the page.
  9. On the Select Role Type page, select Role for Identity Provider Access and select Grant Web Single Sign-on (WebSSO) access to SAML providers.
  10. On the Establish Trust page, select the provider that you're creating the role for (i.e. wso2_identity_cloud) and click Next Step.
  11. On the Verify Role Trust page, click Next Step at the bottom of the page.
  12. On the Attach Policy page, select the AdministratorAccess policy and click Next Step.
  13. Review the role details and click Create Role at the bottom of the page.

    Once you have created the role, you must complete the SAML trust by configuring Identity Cloud with information about AWS and the role(s) that you want your federated users to use. This is referred to as configuring relying party trust between Identity Cloud and AWS.
  14. The next step is to configure an on-premise user store for AWS. Since AWS needs a special claim to help it decide the permissions of the user signing in, the following changes should be made in ON_PREMISE_AGENT_HOME/conf/claim-config.xml.
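
Separately from the claim configuration: the role from steps 8 to 13 carries AdministratorAccess, so its trust policy (the document shown on the Verify Role Trust page) is what limits who can assume it. The following check is an added example, not part of the original page or WSO2's code; the account ID 123456789012 is a placeholder, the sample policy is constructed, and `audit_saml_trust` is a hypothetical helper that only handles the `StringEquals` form of the audience condition.

```python
import json

# Constructed sample: the trust policy shape the IAM console generates for a
# WebSSO SAML role. 123456789012 is a placeholder account ID; the provider
# name wso2_identity_cloud is the one used in step 10.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/wso2_identity_cloud"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
  }]
}
""")

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def as_list(value):
    """IAM accepts either a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def audit_saml_trust(policy, expected_provider):
    """Return findings; an empty list means the trust is scoped as expected."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not federated:
            findings.append(f"statement {i}: principal is not a federated SAML provider")
        for arn in federated:
            if not arn.endswith(f":saml-provider/{expected_provider}"):
                findings.append(f"statement {i}: unexpected provider {arn}")
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRoleWithSAML"]:
            findings.append(f"statement {i}: action is not limited to sts:AssumeRoleWithSAML")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud is None or as_list(aud) != [AWS_SAML_AUDIENCE]:
            findings.append(f"statement {i}: SAML:aud is not pinned to {AWS_SAML_AUDIENCE}")
    return findings


if __name__ == "__main__":
    print(audit_saml_trust(TRUST_POLICY, "wso2_identity_cloud") or "trust policy OK")
```
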




