Secure access to AWS-hosted apps with UserLock SSO
Scale secure single sign-on (SSO) to thousands of AWS SaaS apps with UserLock.
Published August 28, 2025
If there’s one use case that explains why single sign-on (SSO) is essential for enterprise authentication management, it’s Amazon Web Services (AWS), and the thousands of cloud apps it hosts.
In many organizations, admins and users may need to use dozens, or even hundreds, of AWS accounts. Without SSO, this kind of SaaS sprawl quickly becomes unmanageable and insecure.
SSO consolidates access to multiple AWS accounts under a single credential and securely centralizes their management. As with all major cloud and SaaS platforms, Amazon offers its own identity management system to achieve this, the AWS IAM Identity Center (formerly AWS SSO).
Crucially, IAM Identity Center isn’t just for managing AWS accounts. It also gives users access to thousands of AWS-hosted apps, like Salesforce, SAP, and ServiceNow, all through a single portal.
Clearly, then, whether you adopt IAM Identity Center or a third-party IdP for SSO authentication is a decision to consider carefully.
Despite its advantages for some customers, using IAM Identity Center, or any other cloud IdP, does come with downsides.
Popular third-party IdPs charge per-user, per-month fees that quickly add up. While IAM Identity Center doesn’t charge an additional fee, in real-world deployments, there might still be costs related to the underlying network or automation services.
Using a third-party IdP also has implications in terms of data sovereignty, compliance, and security. For organizations where this is a concern, keeping the authentication platform in-house is often a must.
SSO can create a single point of failure. If compromised, one credential could give criminals access to multiple resources. That’s why organizations adopting SSO always add extra security layers like strong password policies and multi-factor authentication (MFA). However, depending on the IdP, adding MFA for AWS-hosted apps is often an additional expense on top of any SSO charges, raising the final bill for SSO.
A simpler and lower-cost alternative is to implement SSO through UserLock SSO. This uses your existing on-premise Active Directory (AD) infrastructure without the need for an external IdP. Admins can use UserLock SSO’s built-in tools and wizards to turn a complex setup into a manageable one.
Importantly, you don’t have to pay to add essential security layers such as granular MFA, user access control or cloud synchronization with IAM Identity Center. A UserLock subscription includes all of these out of the box.
This lets you keep in-house control over authentication while enabling secure access not just to AWS, but to the full suite of AWS-hosted SaaS apps managed via IAM Identity Center.
Support for AWS is included in UserLock SSO. Here's how to configure UserLock SSO with AWS:
After enabling IAM Identity Center in the AWS console and changing the identity source to an external IdP, admins upload the UserLock SSO metadata XML file (https://<your_ul_sso_url>/metadata).
In the UserLock console, go to Single Sign-On → Configuration. You’ll find the AWS SSO issuer URL and the AWS SSO ACS URL in the IAM Identity Center console for SAML 2.0 configuration.
Update the SAML certificate in AWS SSO by uploading the new SAML metadata to AWS. To do this, go to AWS SSO Settings. In Identity Source, click on the Change button. Finally, put the UserLock SSO metadata URL in IdP SAML metadata (https://<your_ul_sso_url>/metadata).
For detailed instructions on metadata configuration options, visit UserLock documentation.
If your focus is securing access to AWS accounts specifically, see our step-by-step guide to UserLock SSO for AWS.
Thousands of cloud applications run on AWS. If your organization is on-prem or hybrid, you need an SSO solution that simplifies access, without giving up control over authentication or compliance.
More than likely, your infrastructure is a mix of cloud platforms, SaaS apps and on-premise infrastructure. Since this mix causes the number of credentials to soar, you can employ SSO to tame what would otherwise be an unmanageable and insecure attack surface.
However, adopting SSO requires you to choose an IdP platform and protect the credential used to access it with MFA. These requirements can raise the cost of SSO while creating a dependency on third-party IdPs that can be difficult to reconcile with on-premise data sovereignty and compliance.
UserLock SSO offers a simple one-server path to SSO that avoids these problems. You can continue using your existing AD infrastructure for authentication while at the same time protecting SSO access with MFA and user access control. As a bonus, through UserLock SSO, single sign-on access is integrated with the Windows logon, letting employees sign into everything with one credential.