*Renamed from AWS SSO to AWS IAM Identity Center. Most of the note below still references it as SSO.*
> AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place. With AWS SSO, you can easily manage access and user permissions to all of your accounts in AWS Organizations centrally. AWS SSO configures and maintains all the necessary permissions for your accounts automatically, without requiring any additional setup in the individual accounts. You can assign user permissions based on common job functions and customize these permissions to meet your specific security requirements. AWS SSO also includes built-in integrations to many business applications, such as Salesforce, Box, and Microsoft 365.
## How it works
![[AWS-SSO-HowItWorks.png]]
## Login process for AWS's built-in SSO identity store
1. The user authenticates at the SSO login portal (the "AWS access portal" in Identity Center terms).
2. Once logged in, they are shown a screen listing every account they have been assigned to and, for each account, the permission sets they can use.
3. When they pick a permission set for an account, the user is federated (via SAML) into an IAM role in the target account that SSO generated for that permission set, named `AWSReservedSSO_<PermissionSetName>_<suffix>`, e.g. `AWSReservedSSO_SystemAdministrator_154c60dd58e0c362`. The session runs on temporary STS credentials; no IAM user or long-term access key is created in the target account. The CLI path (`aws sso login`) obtains the same role credentials and caches the portal access token under `~/.aws/sso/cache/`, so that directory deserves the same protection as `~/.aws/credentials`.
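Two things fall out of step 3 that are worth having as code: mapping an SSO session's assumed-role ARN (what CloudTrail `userIdentity.arn` or `aws sts get-caller-identity` shows) back to account, permission set and user, and flagging any STS call into an `AWSReservedSSO_*` role that did not come through `AssumeRoleWithSAML`, since those roles are only meant to be entered by federation from SSO. This is an added example, not code from the note or from AWS; the account id, suffix and CloudTrail records are constructed, the role path `aws-reserved/sso.amazonaws.com/` and the hex-suffix pattern are assumptions about the naming SSO uses, and only the CloudTrail fields the logic reads are included.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Role name SSO creates in every account a permission set is assigned to:
# AWSReservedSSO_<PermissionSetName>_<suffix>. The suffix is an opaque
# per-permission-set identifier; matching it as hex is an assumption.
RESERVED_SSO_ROLE = re.compile(r"^AWSReservedSSO_(?P<permission_set>.+)_(?P<suffix>[0-9a-f]+)$")


@dataclass(frozen=True)
class SsoSession:
    account_id: str
    permission_set: str
    principal: str  # role session name, i.e. the user who logged in at the portal


def parse_sso_session_arn(arn: str) -> Optional[SsoSession]:
    """Map an STS assumed-role ARN back to account, permission set and user.
    Returns None for anything that is not an SSO-generated role session."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "sts":
        return None
    account_id, resource = parts[4], parts[5]
    segments = resource.split("/")
    if len(segments) != 3 or segments[0] != "assumed-role":
        return None
    match = RESERVED_SSO_ROLE.match(segments[1])
    if match is None:
        return None
    return SsoSession(account_id, match.group("permission_set"), segments[2])


def flag_direct_sso_role_assumptions(events: list) -> list:
    """Detection over CloudTrail records: AWSReservedSSO_* roles should only be
    entered via AssumeRoleWithSAML (portal or `aws sso login`). Any other STS
    call targeting one of them means the trust policy was widened or someone is
    bypassing SSO, so it is reported (whether or not the call succeeded)."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com":
            continue
        role_arn = ev.get("requestParameters", {}).get("roleArn", "")
        role_name = role_arn.rsplit("/", 1)[-1]  # strip the role path
        if not RESERVED_SSO_ROLE.match(role_name):
            continue
        if ev.get("eventName") == "AssumeRoleWithSAML":
            continue  # the expected federation path
        findings.append({
            "eventName": ev.get("eventName"),
            "role": role_name,
            "caller": ev.get("userIdentity", {}).get("arn"),
            "succeeded": "errorCode" not in ev,
        })
    return findings


# Constructed sample CloudTrail records (hypothetical account id and suffix),
# trimmed to the fields the detection reads.
SSO_ROLE_ARN = ("arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/"
                "AWSReservedSSO_SystemAdministrator_154c60dd58e0c362")
SAMPLE_EVENTS = [
    {   # normal portal login: SAML federation into the reserved role
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
        "userIdentity": {"type": "SAMLUser", "userName": "alice@example.com"},
        "requestParameters": {"roleArn": SSO_ROLE_ARN},
    },
    {   # IAM user assuming the reserved role directly: only possible if its trust policy was changed
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"roleArn": SSO_ROLE_ARN},
    },
    {   # unrelated role: ignored
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/DeployRole"},
    },
]


if __name__ == "__main__":
    print(parse_sso_session_arn(
        "arn:aws:sts::123456789012:assumed-role/"
        "AWSReservedSSO_SystemAdministrator_154c60dd58e0c362/alice@example.com"))
    for finding in flag_direct_sso_role_assumptions(SAMPLE_EVENTS):
        print("FLAG", finding)
```

The parser keys on the role name, not the path, so it works on ARNs from `get-caller-identity` as well as on CloudTrail records; the detector is deliberately noisy on failed attempts too, because a denied `AssumeRole` against a reserved role is itself a sign that someone is probing.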
More info:
> An IAM role is similar to an IAM user in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM roles with temporary credentials are useful for **Federated user access** – Instead of creating an IAM user, you can use existing identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are known as _federated users_. AWS assigns a role to a federated user when access is requested through an [identity provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html).
## Tools
- [serverless-better-credentials](https://github.com/thomasmichaelwallace/serverless-better-credentials) - [[Serverless Framework]] plugin to work around the framework's lack of direct support for SSO profiles
---
## References
- https://aws.amazon.com/single-sign-on/
- [Identity and access management for AWS SSO](https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access.html)