Unable to change SSO IdP to AD instance in member account


My SSO is currently using an AWS AD instance in the management account. I would like to reconfigure the SSO to use a different IdP that is an AWS managed AD instance in a member account. I have set the delegated administrator in the SSO to the member account; however, when I try to change the IdP from the management account I only see the AD instance in that account as an option. When I try to change the IdP from the delegated member account I don't have the option to change the IdP. Not sure if I am misunderstanding how the admin delegate functionality is intended to work. Any help or pointers would be much appreciated.

Thanks. Peter

1 Answer

Hello,

In regards to AWS SSO and Organizations, the following points need to be considered -

  1. When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for AWS SSO that otherwise can be performed only by users or roles in the organization's management account. [1]

  2. Here is an AWS table that clarifies the tasks that can be performed in the delegated administrator account [2] - One of these AWS SSO administrative tasks is -> "Change or manage identity sources". Hence, your delegated member administrator account should be able to change the identity source.

To confirm on the same, I ran a quick test in my own environment -

  1. Logged into the AWS management account and registered a member account as a delegated admin account [7].
  2. Created an Azure AD AWS Single Sign-on Enterprise application and configured the SAML options [8].
  3. After that I signed into the delegated Admin member account and changed the Identity Source from "AWS SSO" to "External identity provider" in AWS SSO Console settings using the information collected from Azure AD such as Sign In URL, Issuer URL, IdP certificate [9].
  4. The identity source for AWS SSO was changed to External identity provider - AD Azure without any errors.
  5. I also confirmed that I was able to revert back to AWS SSO as IdP Source as well using delegated Admin member account.
  6. After this I also deployed an AWS Managed Microsoft AD [11] in the delegated Admin member account in AWS Directory Service in the same region as the AWS SSO to test the behavior of changing IdP Source to Azure AD this time.
  7. Once the Directory was created in the delegated member account, I switched to AWS SSO Console in the delegated Admin member account, and was able to see and select the recently created directory listed when changing IdP source to Azure Directory.
  8. I was also able to successfully change the IdP from AWS SSO to Active Directory's -> AWS Managed Microsoft AD directory using the Delegated Admin member account, as seen from the output below, after which I was successfully able to revert back to the AWS SSO IdP source as well.
Output -
Active Directory connected to AWS SSO successfully. To add users and groups to the sync scope, do one of the following: 1) Choose Start guided setup, and follow the steps to configure your sync scope, or 2) Choose Manage sync, and add users and groups as required to configure your sync scope.

Hence, this testing confirmed that the change in identity source can be made using Delegated Admin member account.

Also please note that the delegated administrator account will not be able to perform the following actions [3]:

- Delete the AWS SSO configuration.
- Delegate (to other accounts) administration of AWS SSO.
- Manage user or group access to the management account.
- Manage permission sets that are provisioned (have a user or group assigned) in the organization management account.

Now considering your scenario -

"I would like to reconfigure the SSO to use a different Idp that is an AWS managed AD instance in a member account."

  • Your AWS resource - "AWS managed AD instance" as you stated is in the member account, hence only the member account will be able to access the AWS resource.
  • One question does come to my mind, though: have you shared your directory as well? [6]

"When I try to change the Idp from the management account I only see the AD instance in that account as an option."

  • This should be expected behavior as the management account will only be able to access the resources found in the management account. Remember that you are logged/signed in to your management account, so you only have access to your account's AWS resources.
  • You can set up cross-account access for resources by assuming a role in another account to access its resources or, in cases like Secrets Manager and S3, the resource-based policies attached to these resources can allow access.

"When I try to change the IdP from the delegated member account I don't have the option to change the IdP."

  • So if I understand this correctly, you mean to say that you are not even seeing the option to change the IdP source to, say, "Active Directory" or "External identity provider" in your settings in the AWS SSO Console from the delegated member account, Peter? (Example screenshot)
  • Also can you confirm that your AD directory exists in the same region as the AWS SSO as well? The reason I ask this query is because to connect AWS SSO to AWS Managed Microsoft AD, you need to make sure that the AWS SSO console is using one of the Regions where your AWS Managed Microsoft AD directory is located [10].
  • Please note that AWS SSO requires a directory/store in place before you configure an identity source as "External Identity Provider" as part of the prerequisites. [4]
  • AWS SSO store is created by default once you enable AWS SSO and is immediately ready for use. The reason for these requirements is that if you delete or switch to/from external IdP, your entitlements will be preserved by the AWS SSO's own directory as per AWS SSO considerations documentation.
  • If the prerequisite directory/store doesn't exist, then I have seen in the past that the option to change to External Identity Provider on the UI is missing because the pre-req isn't met; to resolve the issue, one needs to first meet the prerequisite by creating an AWS SSO directory, after which the option to change to external identity provider appears on the UI. I am wondering if you are facing a similar scenario with your AD managed instance.

To be able to troubleshoot this further Peter, and be able to take a look at your AWS resources to see what might be going on, I would request you to create a support case with our AWS SSO Premium Support team directly so as to investigate the behavior you are currently facing regarding not seeing the option to change IdP.

I hope the above shared information was able to shed light on tasks that can/cannot be performed by Delegated Admin account in your AWS SSO.


References:

[1] https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-sso.html

[2] Delegated administration - What tasks can be performed in the delegated administrator account - https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html#delegated-admin-tasks-member-account

[3] https://aws.amazon.com/blogs/security/getting-started-with-aws-sso-delegated-administration/

[4] AWS SSO prerequisites - https://docs.aws.amazon.com/singlesignon/latest/userguide/prereqs.html

[5] Considerations for changing your identity source - Changing between AWS SSO and an external identity provider - https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-considerations.html#changing-between-sso-and-azure-active-directory

[6] https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_directory_sharing.html

[7] Delegated administration - Register a member account - https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html#delegated-admin-how-to-register

[8] Tutorial: Azure AD SSO integration with AWS Single Sign-on - https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/aws-single-sign-on-tutorial

[9] Change your identity source - https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-change.html

[10] Connect AWS SSO to an AWS Managed Microsoft AD directory - https://docs.aws.amazon.com/singlesignon/latest/userguide/connectawsad.html

[11] Create your AWS Managed Microsoft AD directory - https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_create_directory.html

AWS
SUPPORT ENGINEER
Yash_C
answered 2 years ago
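An added example (not part of the answer above or of any AWS tooling) that turns two of the prerequisites the answer checks into code: the member account must be registered as the AWS SSO delegated administrator [7], and an Active AWS Managed Microsoft AD directory must exist in the Region the AWS SSO console is using [10]. The check functions take API responses as plain dicts so they run offline on constructed samples; `fetch_live()` assumes boto3 is installed and credentials for the delegated member account are in the default credential chain.

```python
"""Prerequisite checks for connecting AWS SSO to an AWS Managed Microsoft AD
directory from a delegated administrator account. Pure functions take the API
responses as dicts; fetch_live() shows the boto3 calls that produce them."""

SSO_SERVICE_PRINCIPAL = "sso.amazonaws.com"


def check_delegated_admin(response: dict, member_account_id: str) -> list:
    """Findings from an `organizations list-delegated-administrators` response."""
    admins = {a["Id"]: a.get("Status") for a in response.get("DelegatedAdministrators", [])}
    if member_account_id not in admins:
        return [f"account {member_account_id} is not a delegated administrator for AWS SSO"]
    if admins[member_account_id] != "ACTIVE":
        return [f"account {member_account_id} is delegated but status is {admins[member_account_id]}"]
    return []


def check_directories(response: dict, sso_region: str) -> list:
    """Findings from a `ds describe-directories` response taken in the delegated account."""
    findings, usable = [], []
    for d in response.get("DirectoryDescriptions", []):
        regions = d.get("RegionsInfo", {})  # present for AWS Managed Microsoft AD
        available = {regions.get("PrimaryRegion"), *regions.get("AdditionalRegions", [])}
        if d.get("Type") != "MicrosoftAD":
            findings.append(f"{d['DirectoryId']} is type {d.get('Type')}, not AWS Managed Microsoft AD")
        elif d.get("Stage") != "Active":
            findings.append(f"{d['DirectoryId']} is in stage {d.get('Stage')}, not Active")
        elif regions and sso_region not in available:
            findings.append(f"{d['DirectoryId']} is not available in SSO Region {sso_region}")
        else:
            usable.append(d["DirectoryId"])
    if not usable:
        findings.append(f"no Active AWS Managed Microsoft AD directory usable in {sso_region}")
    return findings


def fetch_live(member_account_id: str, sso_region: str) -> list:
    """Run both checks with live credentials (assumed: delegated member account, boto3 installed)."""
    import boto3  # imported here so the offline checks above do not need boto3
    org = boto3.client("organizations")
    ds = boto3.client("ds", region_name=sso_region)  # same Region as the AWS SSO console
    admins = org.list_delegated_administrators(ServicePrincipal=SSO_SERVICE_PRINCIPAL)
    dirs = ds.describe_directories()
    return check_delegated_admin(admins, member_account_id) + check_directories(dirs, sso_region)


# Constructed sample responses (not real account, directory or Region data).
SAMPLE_ADMINS = {"DelegatedAdministrators": [{"Id": "222222222222", "Status": "ACTIVE"}]}
SAMPLE_DIRS = {"DirectoryDescriptions": [{
    "DirectoryId": "d-0123456789", "Name": "corp.example.com", "Type": "MicrosoftAD",
    "Stage": "Active", "RegionsInfo": {"PrimaryRegion": "us-west-2", "AdditionalRegions": []}}]}
```

An empty findings list means both prerequisites are met; each string names the prerequisite that fails, which is the first thing to verify before opening the support case the answer suggests.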
