How to use G Suite as an external identity provider for AWS SSO

Do you want to control access to your Amazon Web Services (AWS) accounts with G Suite? In this post, we show you how to set up G Suite as an external identity provider in AWS Single Sign-On (SSO). We also show you how to configure permissions for your users, and how they can access different accounts.


G Suite is used for common business functions such as email, calendar, and document sharing. If your organization is using AWS and G Suite, you can use G Suite as an identity provider (IdP) for AWS. You can connect AWS SSO to G Suite, allowing your users to access AWS accounts with their G Suite credentials.

You can grant access by assigning G Suite users to accounts governed by AWS Organizations. The user’s effective permissions in an account are determined by permission sets defined in AWS SSO. They allow you to define and grant permissions based on the user’s job function (such as administrator, data scientist, or developer). These should follow the least privilege principle, granting only the permissions that are necessary to perform the job. This way, you can centrally manage user accounts for your employees in the Google Admin console and have fine-grained control over the access permissions of individual users to AWS resources.

In this post, we walk you through the process of setting up G Suite as an external IdP in AWS SSO.

How it works

AWS SSO authenticates your G Suite users by using Security Assertion Markup Language (SAML) 2.0 authentication. SAML is an open standard for the secure exchange of authentication and authorization data between IdPs and service providers without exposing users’ credentials. When you use AWS as a service provider and G Suite as an external IdP, the login process is as follows:

  1. A user with a G Suite account opens the link to the AWS SSO user portal of your AWS Organizations.
  2. If the user isn’t already authenticated, they are redirected to the G Suite account login. The user logs in using their G Suite credentials.
  3. If the login is successful, a response is created and sent to AWS SSO. It contains three different types of SAML assertions: authentication, authorization, and user attributes.
  4. When AWS SSO receives the response, the user’s access to the AWS SSO user portal is determined. A successful login shows the accessible AWS accounts.
  5. The user selects the account to access and is redirected to the AWS Management Console.

This authentication flow is shown in the following diagram.

Figure 1: AWS SSO authentication flow

The user journey starts at the AWS SSO user portal and ends with access to the AWS Management Console. Your users experience unified access to the AWS Cloud, and you don’t have to manage user accounts in AWS Identity and Access Management (IAM) or AWS Directory Service.

User permissions in an AWS account are controlled by permission sets and groups in AWS SSO. A permission set is a collection of administrator-defined policies that determine a user’s effective permissions in an account. They can contain AWS managed policies or custom policies that are stored in AWS SSO, and are ultimately created as IAM roles in a given AWS account. Your users assume these roles when they access a given AWS account and get their effective permissions. This obliges you to control access to the accounts at a fine-grained level, following the shared-responsibility model established in the cloud.

When you use G Suite to authenticate and manage your users, you have to create a user entity in AWS SSO. The user entity is not a user account, but a logical object. It maps a G Suite user, via its primary email address as the username, to the user account in AWS SSO. The user entity in AWS SSO allows you to grant a G Suite user access to AWS accounts and define its permissions in those accounts.

AWS SSO initial setup

The AWS SSO service has some prerequisites. You need to first set up AWS Organizations with All features set to enabled, and then sign in with the AWS Organizations master account credentials. You also need super administrator privileges in G Suite and access to the Google Admin console.

If you’re already using AWS SSO in your account, refer to Considerations for Changing Your Identity Source before making changes.

To set up an external identity provider in AWS SSO

  1. Open the service page in the AWS Management Console. Then choose Enable AWS SSO.

    Figure 2: AWS SSO service welcome page

  2. After AWS SSO is enabled, you can connect an identity source. On the overview page of the service, select Choose your identity source.

    Figure 3: Choose your identity source

  3. In the Settings, look for Identity source and choose Change.

    Figure 4: Settings

  4. By default, AWS SSO uses its own directory as the identity provider. To use G Suite as your identity provider, you have to switch to an external identity provider. Select External identity provider from the available identity sources.

    Figure 5: AWS SSO identity provider options

  5. Choosing the External identity provider option reveals additional information needed to configure it. Choose Show individual metadata values to show the information you need to configure a custom SAML application.

    Figure 6: AWS SSO SAML metadata

For the next steps, you need to switch to your Google Admin console and use the service provider metadata information to configure AWS SSO as a custom SAML application.

G Suite SAML application setup

Open your Google Admin console in a new browser tab, so that you can easily copy the metadata information from the previous step. Now use the information to configure a custom SAML application.

To configure a custom SAML application in G Suite

  1. Navigate to the SAML Applications section in the Admin console and choose Add a service/App to your domain.

    Figure 7: Add a service or app

  2. In the modal dialog that opens, select SETUP MY OWN CUSTOM APP.

    Figure 8: Set up a custom app

  3. Go to Option 2 and choose Download to download the Google IdP metadata. It downloads an XML file named GoogleIDPMetadata-your_domain.xml, which you will use to configure G Suite as the IdP in AWS SSO. Choose Next.

    Figure 9: Download IdP metadata

  4. Configure the name and description of the application. Enter AWS SSO as the application name or use a name that clearly identifies this application for your users. Choose Next to continue.

    Figure 10: Name and describe your app

  5. Fill in the Service Provider Details using the metadata information from AWS SSO, then choose Next to create your custom application. The mapping for the metadata is:
    • Enter the AWS SSO Sign in URL as the Start URL
    • Enter the AWS SSO ACS URL as the ACS URL
    • Enter the AWS SSO Issuer URL as the Entity ID

    Figure 11: Add service provider details

  6. Next is a confirmation screen with a reminder that you still have some steps to do. Choose OK to continue.

    Figure 12: Reminder of remaining steps

  7. The last steps enable the application for your users. Select the application from the list and choose EDIT SERVICE from the top corner.

    Figure 13: Edit service

  8. Change the service status to ON for everyone and choose SAVE. If you want to manage access for particular users, you can do this via organizational units (for example, you can enable the AWS SSO application for your engineering department). This doesn’t give access to any resources in your AWS accounts. Permissions are granted in AWS SSO.

    Figure 14: Service on for everyone

You’re done configuring AWS SSO in G Suite. Return to the browser tab with the AWS SSO configuration.

AWS SSO configuration

After creating the G Suite application, you can finish SSO setup by uploading the Google IdP metadata in the AWS Management Console.

To add identity provider metadata in AWS SSO

  1. When you configured the custom app in G Suite, you downloaded the GoogleIDPMetadata-your_domain.xml file. Choose Browse… on the configuration page and select this file from your download folder. Finish this step by choosing Next: Review.

    Figure 15: Upload IdP SAML metadata file

  2. Type CONFIRM at the bottom of the list of changes and choose Change identity source to complete the setup.

    Figure 16: Confirm changes

  3. Next is a message that your change to the configuration is complete. At this point, you can choose Return to settings and proceed to user provisioning.

    Figure 17: Settings complete

Manage Permissions and Users

AWS SSO supports automatic user provisioning via the System for Cross-domain Identity Management (SCIM). However, this isn’t supported for G Suite custom SAML applications yet. To add a user to AWS SSO, you must add the user manually. The username in AWS SSO must be the primary email address of that user, and it must follow the pattern username@gsuite_domain.com.
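Because users are added by hand, the usernames in AWS SSO can drift from the G Suite directory: a typo, an alias used instead of the primary address, or an entry left behind after someone leaves. The following Python sketch is an added example, not part of the original post; the function name `reconcile`, the sample addresses, and the case-insensitive comparison are assumptions, and the three input lists are expected to come from your own exports.

```python
import re

# Simple local-part@domain shape check, not full address validation.
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+$")

# Constructed sample data; example.com stands in for the G Suite domain.
GSUITE_PRIMARY = ["ana@example.com", "raj@example.com", "lee@example.com"]
GSUITE_ALIASES = ["ana.admin@example.com"]
SSO_USERNAMES = ["ana.admin@example.com", "raj@example.com",
                 "kim@example.com", "lee@example.org", "ops-team"]

def reconcile(gsuite_primary, gsuite_aliases, sso_usernames, domain):
    """Classify manually created AWS SSO usernames against G Suite users.

    gsuite_primary: primary email addresses of active G Suite users
    gsuite_aliases: alias addresses (the post requires the primary address)
    sso_usernames:  usernames entered by hand in AWS SSO
    domain:         the G Suite domain
    """
    # Assumption: addresses are compared case-insensitively.
    primary = {e.strip().lower() for e in gsuite_primary}
    aliases = {e.strip().lower() for e in gsuite_aliases}
    report = {"ok": [], "malformed": [], "wrong_domain": [],
              "alias_not_primary": [], "no_gsuite_user": []}
    for raw in sso_usernames:
        name = raw.strip().lower()
        if not EMAIL.match(name):
            report["malformed"].append(raw)
        elif name.rsplit("@", 1)[1] != domain.lower():
            report["wrong_domain"].append(raw)
        elif name in primary:
            report["ok"].append(raw)
        elif name in aliases:
            report["alias_not_primary"].append(raw)
        else:
            # Entity with no matching G Suite user: review its assignments.
            report["no_gsuite_user"].append(raw)
    seen = {u.strip().lower() for u in sso_usernames}
    # G Suite users who have no AWS SSO entity yet
    report["not_provisioned"] = sorted(primary - seen)
    return report
```

Entries under `no_gsuite_user` are the ones to review first, since their account assignments and permission sets remain in AWS SSO until someone removes them.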

To add a user to AWS SSO

  1. Select Users from the sidebar of the AWS SSO overview and choose Add user.

    Figure 18: Add user

  2. Enter the user details and use your user’s primary email address as the username. Choose Next: Groups to add the user to a group.

    Figure 19: Add user

  3. We aren’t going to create user groups in this walkthrough. Skip the Add user to groups step by choosing Add user. You’ll reach the user list page displaying your newly created user and status enabled.

    Figure 20: User list

  4. The next step is to assign the user to a particular AWS account in your AWS Organization. This allows the user to access the assigned account. Select the account you want to assign your user to and choose Assign users.

    Figure 21: Assign users

  5. Select the user you added, then choose Next: Permission sets to continue configuring the effective permissions of the user in the assigned account.

    Figure 22: Select user

  6. Since you didn’t configure a permission set before, you need to configure one now. Choose Create new permission set.

    Figure 23: Create new permission set

  7. AWS SSO has managed permission sets that are similar to the AWS managed policies you already know. Make sure that Use an existing job function policy is selected, then select PowerUserAccess from the list of existing job function policies and choose Create.

    Figure 24: Create permission set

  8. You can now select the created permission set from the list of available sets for the user. Select the PowerUserAccess permission set and choose Finish to assign the user to the account.

    Figure 25: Select permission set

  9. You see a message that the assignment has been successful.

    Figure 26: Assignment complete

Access an AWS Account with G Suite

You can find your user portal URL in the AWS SSO settings, as shown in the following screenshot. Unauthenticated users who use the link will be redirected to the Google account login page and use their G Suite credentials to log in.

Figure 27: The user portal URL

After authenticating, users are redirected to the user portal. They can select from the list of assigned accounts, as shown in the following example, and access the AWS Management Console of those accounts.

Figure 28: Select an assigned account

You’ve successfully set up G Suite as an external identity provider for AWS SSO. Your users can access your AWS accounts using the credentials they already use.

Another way your users can use AWS SSO is by selecting it from their Google Apps to be redirected to the user portal, as shown in the following screenshot. That is one of the quickest ways for users to access accounts.

Figure 29: Apps in the user portal

Using AWS CLI with SSO

You can use the AWS Command Line Interface (CLI) to access AWS resources. AWS CLI version 2 supports access via AWS SSO. You can automatically or manually configure a profile for the CLI to access resources in your AWS accounts. To authenticate your user, it opens the user portal in your default browser. If you aren’t authenticated, you’re redirected to the G Suite login page. After a successful login, you can select the AWS account you want to access from the terminal.

To upgrade to AWS CLI version 2, follow the instructions in the AWS CLI user guide.


You’ve set up G Suite as an external IdP for AWS SSO, granted access to an AWS account for a G Suite user, and enforced fine-grained permission controls for this user. This enables your organization to have quick access to the AWS Cloud.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS Single Sign-On forum or contact AWS Support.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.


Yegor Tokmakov

Yegor is a solutions architect at AWS, working with startups. Previously, he was Chief Technology Officer at a healthcare startup in Berlin and was responsible for operations and architecture, as well as product development and growth of the tech team. Yegor is passionate about novel AI applications and data analytics. In his free time, he enjoys traveling, surfing, and cycling.

Sebastian Doell

Sebastian is a solutions architect at AWS. He helps startups to execute on their ideas at speed and at scale. Sebastian maintains a number of open source projects and is an advocate of Dart and Flutter.
