Hello.
Since sign-in via SSO has already been successful, integration with Azure AD should be possible.
The answer from AWS re:Post Agent is useful for troubleshooting if integration with Azure AD is not possible, but I don't think it's useful in your case.
Have you linked your AWS account to your user by following the steps in the document below?
If you do not do this, your AWS account will not be displayed on the SSO dashboard.
https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-assign-account-access-user.html
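The step the answer above points to (assigning a user or group a permission set in each member account) can be checked and applied from the command line as well as the console. The script below is an added example and is not code from this thread or from AWS; it finds the accounts where a user still has no assignment for a given permission set and builds the corresponding sso-admin CreateAccountAssignment calls. The instance ARN, permission-set ARN, account IDs and principal IDs are constructed placeholders, and the optional live lookup at the bottom assumes boto3 plus credentials in the organization's management or delegated-administrator account.

```python
"""Which accounts is a user still missing from the IAM Identity Center access portal?

Added example for the "assign account access" step; not code from the re:Post thread.
All ARNs and IDs below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    """One IAM Identity Center account assignment (user or group -> permission set -> account)."""
    account_id: str
    principal_type: str   # "USER" or "GROUP"
    principal_id: str
    permission_set_arn: str


def accounts_missing_assignment(account_ids, assignments, principal_ids, permission_set_arn):
    """Return sorted account IDs where none of `principal_ids` holds `permission_set_arn`.

    An account shows up in a user's access portal only if some assignment grants that
    user (directly, or through a group they belong to) a permission set in the account.
    Accounts newly joined to the organization start with no assignments at all, which is
    why they do not appear. Pass the user's ID plus their group IDs in `principal_ids`
    so that group-based assignments count as coverage.
    """
    wanted = set(principal_ids)
    covered = {
        a.account_id
        for a in assignments
        if a.principal_id in wanted and a.permission_set_arn == permission_set_arn
    }
    return sorted(set(account_ids) - covered)


def build_assignment_requests(instance_arn, account_ids, principal_id, permission_set_arn,
                              principal_type="USER"):
    """Build the parameter dicts for sso-admin CreateAccountAssignment, one per account."""
    return [
        {
            "InstanceArn": instance_arn,
            "TargetId": account_id,
            "TargetType": "AWS_ACCOUNT",
            "PermissionSetArn": permission_set_arn,
            "PrincipalType": principal_type,
            "PrincipalId": principal_id,
        }
        for account_id in account_ids
    ]


# Constructed sample data: three member accounts; the user is assigned directly in the
# first, covered through a group in the second, and has nothing in the third.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-0000000000000000"
PERMISSION_SET_ARN = "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-1111111111111111"
USER_ID = "11111111-user-0000-0000-000000000000"
GROUP_ID = "22222222-group-0000-0000-000000000000"
SAMPLE_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]
SAMPLE_ASSIGNMENTS = [
    Assignment("111111111111", "USER", USER_ID, PERMISSION_SET_ARN),
    Assignment("222222222222", "GROUP", GROUP_ID, PERMISSION_SET_ARN),
]


def sample_plan():
    """Run the check over the constructed data; return the CreateAccountAssignment calls needed."""
    missing = accounts_missing_assignment(SAMPLE_ACCOUNTS, SAMPLE_ASSIGNMENTS,
                                          [USER_ID, GROUP_ID], PERMISSION_SET_ARN)
    return build_assignment_requests(INSTANCE_ARN, missing, USER_ID, PERMISSION_SET_ARN)


def live_assignments(instance_arn, account_ids, permission_set_arn):
    """Fetch the real assignments with boto3 (needs credentials); not used by the offline demo."""
    import boto3  # imported here so the module stays importable without boto3 installed

    sso_admin = boto3.client("sso-admin")
    paginator = sso_admin.get_paginator("list_account_assignments")
    found = []
    for account_id in account_ids:
        for page in paginator.paginate(InstanceArn=instance_arn, AccountId=account_id,
                                       PermissionSetArn=permission_set_arn):
            for a in page["AccountAssignments"]:
                found.append(Assignment(a["AccountId"], a["PrincipalType"],
                                        a["PrincipalId"], a["PermissionSetArn"]))
    return found


if __name__ == "__main__":
    for request in sample_plan():
        print("would call sso-admin create-account-assignment with", request)
```

On the constructed data only the third account comes back, which is the case described in the question: the account is in the organization, but nobody assigned the user a permission set in it. Feeding each returned dict to `boto3.client("sso-admin").create_account_assignment(**request)` (or the equivalent `aws sso-admin create-account-assignment` call) is the fix; the user then sees the account after signing out of and back into the access portal. Note that the check is per permission set, so a user can hold one permission set in an account and still come back as "missing" for another.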
Based on the scenario you've described, it appears that you're using Azure AD for Single Sign-On (SSO) with your AWS root account, but the newly added AWS accounts are not automatically appearing in your AWS Access portal. This is because simply adding new accounts to your AWS Organization does not automatically extend the SSO configuration to those accounts.
To enable SSO access for the new accounts, you'll need to take a few additional steps:
- You don't need to create a new Azure app for each AWS account. Instead, you should update your existing Azure AD enterprise application for AWS.
- In your Azure AD configuration for AWS SSO, you'll need to add the new AWS account IDs to the list of accounts that can be accessed via SSO. This is typically done by updating the SAML claims or attributes sent by Azure AD to AWS.
- On the AWS side, you'll need to configure the trust relationship between the new AWS accounts and the Identity Provider (IdP), which in this case is Azure AD. This usually involves updating IAM roles in the new accounts to trust the Azure AD IdP.
- After updating the Azure AD configuration and AWS IAM roles, you should be able to see the new accounts in your AWS Access portal and add shortcuts for them.
- Finally, ensure that you've assigned the appropriate users or groups in Azure AD the permission to access these new AWS accounts.
Remember, the SSO configuration is not automatically inherited by sub-accounts from the root account. Each account needs to be explicitly included in the SSO setup, although this can be managed centrally through your existing Azure AD application for AWS.
For future reference, using AWS IAM Identity Center (formerly AWS SSO) could simplify this process significantly, as it's designed to manage access across multiple AWS accounts more seamlessly. However, transitioning to it would require careful planning to avoid disrupting your current users' access.
Sources
How as a root or IAM user do I access multiple organizations under my AWS hierarchy with one single user login | AWS re:Post
Create an SSO and Identity Store using Cloudformation | AWS re:Post
Implementing Federated SSO with IAM Identity Center and Google Workspace for Linked Accounts | AWS re:Post
Dude, that was the answer. Thank you so much. I spent hours researching something so simple. God Bless.