AWS SSO with self-managed Microsoft AD trust relationship to another AD

Question

We already have a self-managed AD that is connected to the Identity Center. For our customers, we want to create AWS accounts in our Organization and provide them with SSO access to the new accounts through their AD.
As per the following article, it's possible to do so between AWS Managed Microsoft AD and a self-managed directory in AD. But can we do the same two-way trust relationships between two self-managed ADs, where one is connected to the Identity Center? As a result, they will be able to do SSO via their AD even though it's not connected to the Identity Center, only our AD is connected.
https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html

Answer

To set up SSO access for your customers using two self-managed ADs, where one is connected to AWS IAM Identity Center (previously AWS SSO) and the other belongs to your customers, you need to make both ADs trust each other. This lets your customers' AD users log in to AWS resources without directly connecting to the Identity Center, with only your AD connected.

The article you mentioned talks about linking a self-managed AD with AWS Managed Microsoft AD, setting up trust between two self-managed ADs is somewhat similar in concept. Here's an overview:

1/Network Connection: Make sure the network works between the two AD domains (yours and your customers').
2/Trust Setup: On both AD domains, you need to set up a two-way trust. Optional: User Sync: Depending on what you need, you might choose to sync some users or groups between the ADs to make management easier.
3/AWS Access Setup: On the AWS side, you'll need to set up IAM Identity Center to recognize and authenticate users from your customers' AD.

AWS SSO with self-managed Microsoft AD trust relationship to another AD

Relevant content