
The AWS SAML component allows you to authenticate with AWS via a federated identity. It is an alternative to AWS SSO that gives lower-level control over the authentication process and supports multiple concurrent IdPs, at the cost of more complexity and a reduced user experience.

As an alternative to AWS SSO, the AWS SAML component creates an Identity Provider (IdP) to authenticate with AWS via a federated identity. You can use this federated identity to connect directly to a given AWS Team.

1. Export an Identity Provider (IdP) metadata file from the chosen provider.

The way a metadata file is created differs for each IdP.

Here are some example setup references:

Follow the AWS documentation for Google Workspace. Once you have completed the setup, download the metadata file.

2. Import the metadata file from the chosen provider.

  1. Place this file inside the aws-saml component directory (components/terraform/aws-saml/).
  2. Commit this file to version control. The filename must match the value configured in stacks/catalog/aws-saml.yaml.

3. Deploy the SAML integration.

atmos terraform apply aws-saml -s core-gbl-identity

4. (Optional) Download the AWS Extend Switch Roles browser extension.

We suggest using the AWS Extend Switch Roles browser extension to simplify role-switching in the AWS Console. This is optional, but particularly helpful if you're not using AWS IAM Identity Center.

Please see the AWS Extend Switch Roles plugin.

Once you've installed the plugin, take the aws-config file from the rootfs/etc/aws-config directory in your infrastructure repository and paste its contents into the AWS Extend Switch Roles plugin configuration.