
AWS Single Sign-On

This article explains the process to connect AWS SSO Identity Center and SSO applications in your AWS account to Authress. This allows your engineers to log into Authress using your AWS account.

The SSO Application configuration is located in AWS IAM Identity Center.

Create the Authress App in the AWS Application Portal

AWS supports the SAML flow, so navigate to the Portal and create a new application. Review the SAML metadata fields and download the IAM Identity Center Certificate:

Authress SAML configuration

Configure the Authress Service Provider

Open the Authress management portal to the Single Sign-On options and select SAML connection as the User Management Provider. We'll then fill out the fields using the values found in the AWS application portal:

  • In the SSO Url property enter the IAM Identity Center sign-in URL from AWS.
  • In the Entity ID property enter the IAM Identity Center SAML issuer URL from AWS.
  • Then open the downloaded certificate and paste the contents into the field in Authress.

Authress SAML configuration
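
The following check is an added example, not part of the Authress or AWS documentation. It reads the sign-in URL, issuer and signing certificate out of an IdP SAML metadata document and reports which of the three values entered in Authress differ from it. It assumes you also saved the IAM Identity Center SAML metadata file; the dictionary keys, sample URLs and dummy certificate are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")

# Constructed sample: placeholder URLs and a dummy certificate body, not real AWS values.
DUMMY_B64 = base64.b64encode(b"constructed-dummy-certificate").decode()
DUMMY_PEM = f"-----BEGIN CERTIFICATE-----\n{DUMMY_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.invalid/saml/issuer/abc">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>{DUMMY_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/saml/signin/abc"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_values(metadata_xml):
    """Return the SSO URL, Entity ID and certificate fingerprint from IdP metadata."""
    if "<!DOCTYPE" in metadata_xml:  # SAML metadata never needs a DTD
        raise ValueError("DTD found in metadata; refusing to parse")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = next(s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
               if s.get("Binding") in BINDINGS)
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
    der = base64.b64decode("".join(cert.split()))
    return {"sso_url": sso, "entity_id": root.get("entityID"),
            "cert_sha256": hashlib.sha256(der).hexdigest()}

def pem_sha256(pem):
    """SHA-256 of the DER bytes inside a pasted PEM certificate."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def mismatches(metadata_xml, entered):
    """Names of entered fields that differ from the metadata (exact comparison)."""
    want = idp_values(metadata_xml)
    got = {"sso_url": entered["sso_url"], "entity_id": entered["entity_id"],
           "cert_sha256": pem_sha256(entered["certificate_pem"])}
    return sorted(k for k in want if want[k] != got[k])
```

An empty list from `mismatches` means the three pasted values agree with the metadata; a swapped SSO URL and Entity ID, or a stray trailing slash, shows up by field name.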

Easy login

To allow automated login through AWS, you'll want to choose an Authress account SSO domain. This domain is part of the SAML Start URL configuration in AWS and makes it easy to directly log in. This field can be anything not already chosen by another account, but we recommend your corporate domain:

Authress SAML configuration

Configure the AWS application

Next complete the Authress setup by copying the three Authress SAML values back to AWS. It is important that these three values exactly match the ones found in the Authress Management Portal:

AWS SSO application configuration

Complete the AWS application configuration

There is one more step that is required for the application configuration. Edit the application attributes:

AWS SSO application attributes

And set the empty mapping for Subject to have the value ${user:email}

AWS SSO application attributes for subject

Finishing up

In Authress there is one more step, and that is to select your SSO quick domain. This domain should be your corporate domain and makes it easy and fast to log in to Authress. This domain is also part of your Start URL so

Now save both your AWS SAML application and the Authress configuration, and you are done. To test out your new connection, navigate to your AWS application portal and select the new SAML app from the dashboard, or navigate to the Authress SSO Login screen and specify the AWS corporate domain value you entered earlier into your configuration.

Troubleshooting

In the event you receive a 403 or a 404 from AWS upon logging in, update your AWS application configuration. This error means that the attribute configuration must be updated. Review this guide for the expected attribute mapping in AWS:

AWS SSO application error