What Is AWS® SSO?

By Zach DeMeyer Posted July 26, 2019

The Identity-as-a-Service (IDaaS) market, often referred to simply as the single sign-on (SSO) market, is one that is constantly expanding. While there are some main players, like Okta and Azure® AD, other big names have entered the game as well. For instance, Amazon® Web Services (AWS®) has recently introduced its own IDaaS solution: AWS SSO. What is AWS SSO? Let’s find out.

Amazon Identity Sprawl

Before we dive into AWS SSO, however, let’s first look at AWS as a whole. AWS is Amazon’s cloud computing service, offering large cloud data centers and development tools to thousands of today’s top tech companies. Since its inception in 2006, AWS has continued to expand its portfolio beyond compute and storage, with a strong focus on identity management and security.

For example, AWS created a pair of solutions called AWS Cloud Directory and AWS Directory Service. These tools enable admins to establish hierarchical relationships between objects and to leverage a hosted version of Microsoft® Active Directory®, respectively. With solutions like these and others, AWS has been making a consistent point: an AWS identity is worth more than just getting you into your EC2 environments or S3 buckets.

AWS SSO

A main goal of AWS SSO, then, is to help developers and operations personnel leverage their AWS credentials to access more IT solutions, primarily business web applications and other AWS accounts and services. Specifically, AWS SSO, like other SSO solutions, federates identities to these resources using the SAML (Security Assertion Markup Language) protocol: AWS SSO acts as the identity provider, and each application acts as a service provider that trusts the signed assertions AWS SSO issues.

In today’s IT landscape, having a unified identity is becoming paramount for identity security, so Amazon’s goal with AWS SSO makes sense. The open question is how to connect this AWS identity to a core identity provider (IdP), that is, the authoritative directory service for an organization.

The AWS Identity Garden Wall

Of course, AWS would love for you to use the AWS Directory Service solution, which, as noted above, is essentially Active Directory (AD) hosted in the Amazon cloud. Unfortunately, this approach creates more of an identity silo, a walled garden for an identity that lives almost solely in AWS. That makes it far more difficult for IT admins to manage the non-technical users who have no reason to hold an AWS identity at all.

Additionally, most modern IT organizations are leveraging a host of other platforms, such as G Suite™, Office 365™, Azure®, GCP™, etc., alongside their AWS instance. Add on top of that the fact that Windows®, Mac®, and Linux® systems also need to be managed, as well as networks, on-prem file stores, and more, and clearly an AWS identity is not enough by itself, because it does not extend to these resources.

So, while an AWS SSO solution could be interesting for a small subset of your users that only have AWS credentials, it is unlikely to fulfill an overarching identity management need. And, for those looking for a True Single Sign-On (SSO) approach where a user has one identity for systems, applications, files, and networks, even combining AWS SSO with AWS Directory Service doesn’t quite get you there.

True Single Sign-On™ from the Cloud

Thankfully, there is a cloud directory service that provides a True SSO experience for IT admins and end users alike. This Directory-as-a-Service® connects user identities to virtually all of their IT resources—systems, applications, infrastructure, networks, and more—with a single set of credentials. IT admins can then seamlessly manage each user’s single identity at scale from a cloud admin console.

What’s more, this cloud directory solution, available from JumpCloud®, is not tied to any particular vendor, meaning that IT organizations can leverage almost any IT resource they want, be it from Amazon, Apple®, Google, Microsoft, or anyone in between. So, for organizations that have strong identity bases in AWS but need to authenticate those identities to other resources, JumpCloud Directory-as-a-Service is likely to be a good fit.

Learn More about JumpCloud

If you would like to learn more about JumpCloud, why not contact us today? We’d be happy to share more about Directory-as-a-Service with you. You can also read more at our blog, or check out our YouTube channel for more great content.

If you want to dive right in, you can also sign up for a JumpCloud account, which gives you full access to the Directory-as-a-Service product with ten sandbox users absolutely free. You can exercise this “trial” version of JumpCloud for free forever. Then, when you want to scale Directory-as-a-Service for your full organization, please check out our pricing page.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.
