AWS SSO activation and basic configuration

Hi, I’m Agata.

In this article, we will try to activate AWS SSO and do some minimal basic configuration.
The general flow is as follows.

1. Enable all features in Organisations
2. Enabling AWS SSO
3. Configure identity management in AWS SSO
4. Configuring access management for AWS accounts
5. Enabling MFA

To be decided in advance

The identity source to be used for SSO must be determined.
The following identity sources can be selected

• Identity management with AWS SSO
• Microsoft Active Directory (official documentation)
• External identity providers supporting SAML (official documentation)

Here we will use and configure the simplest AWS SSO default identity management.

Activate all features in Organisations

AWS official documentation

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html

Attention

• When the process of enabling all features is initiated, AWS Organisations sends a request to all member accounts that have been invited to the organisation.
• All invited accounts need to approve enabling all features by accepting the invitation request.
• Once all features are enabled, it is not possible to revert to ‘only consolidated billing features’.

Activation procedure for all features

1. Log in to your AWS Organisations management account
2. Access the AWS Organizations console
3. Click on Settings
4. Click ‘Begin process’, an invitation request to enable all features will be sent to each AWS account
5. Log in to each AWS account as an IAM user, role or root account with Organizatinos rights and accept the invitation request

Enabling AWS SSO

AWS official documentation

https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html

Using AWS Control Tower simplifies the procedure, but can be problematic when applying to existing ones, so Control Tower is not used here and the configuration is done manually.

Attention

• Only one AWS SSO can be configured per Organisations.
• AWS SSO is configured in one specific region on the Organisations’ managed AWS account (it cannot be deployed in multiple regions).

Prerequisite

• ‘Enable all features’ in Organisations must be set.
• Must be configured in the AWS Organisations administration account. (Cannot be set up in a member account).
• Determine the identity source and make the necessary settings. (In this case, the AWS SSO identity source is used, so the settings are almost automatically configured.)
• If URL filtering is in place, allow access to the following domains or URLs.
  • DNS domains
    • *.awsapps.com (http://awsapps.com/)
    • *.signin.aws
  • URL End-points
    • https://[yourdirectory].awsapps.com/start
    • https://[yourdirectory].awsapps.com/login
    • https://[yourregion].signin.aws/platform/login

Enabling procedure

1. Sign in to the AWS Management Console with the credentials of your AWS Organisations management account.
2. Navigate to the region where you want to configure AWS SSO.
3. Open the AWS SSO console.
4. Select Enable AWS SSO.

Identity management in AWS SSO

Broadly, the following steps are involved.
Note that unlike IAM, access rights are not part of the group or user settings.

1. Adding groups
2. Adding users
3. Adding users to a group

Adding groups

1. Open the AWS SSO Console.
2. Click Groups.
3. Click Create group.
4. Enter a group name and click Create group.

Adding users

1. Open the AWS SSO Console.
2. Click Users.
3. Click Add user.
4. Enter the username, password setting method, email address, first name, surname and click Next.
5. Select the group to belong to and click Next.

Managing access to AWS accounts

Follow these steps.

1. Creating permission sets
2. Assigning user access
3. Enabling MFAs

Creating permission sets

1. Open the AWS SSO Console.
2. Click Permission Sets.
3. Click Create permission set.
4. Select a predefined or custom permission set. Initially, it is easier and better to use what you need from the predefined permission sets.
5. Select what you need from the predefined permission set and click Next.
6. Specify the details of the permission set and click Next. It is a good idea to change the session duration according to your working needs.
7. Click Create on the confirmation screen.

Assignment of user access

1. Open the AWS SSO Console.
2. Click on AWS Accounts.
3. Check the box for the AWS account you wish to configure.
4. Click Assign user or group.
5. You can assign users or groups, but it is recommended to assign in groups, so click the Groups tab.
6. Select the group to assign and click Next.
7. Select the permission set to assign.
8. Click Submit on the confirmation screen.

Enabling MFAs

Enable MFA as it is disabled by default in AWS SSO.

1. Open the AWS SSO Console.
2. Click on Settings.
3. Click the Network and Security tab.
4. Click Settings.
5. Configure MFA as follows.
6. Only if the sign-in context has been changed.
7. Authenticator application.
8. Require MFA device to be registered at sign-in
9. Click Save changes.