---
locale: "en"
updated_at: "2025-10-27T22:49:25.749Z"
canonical: "https://www.isdecisions.com/en/userlock/docs/guides/sso/configure-the-applications/aws"
---

# Configure AWS for UserLock SSO

Configure UserLock SSO for Amazon Web Services.

## Introduction

This guide explains how to integrate Amazon Web Services (AWS) with UserLock Single Sign-On (SSO) using the SAML 2.0 protocol.

Once configured, AWS logins are authenticated by UserLock against Active Directory. This provides a seamless sign-in experience and allows administrators to enforce UserLock [access policies](/userlock/docs/reference/core-concepts/access-policies) (MFA, time, machine, or location restrictions) on AWS sessions.

🚩 **Before starting:**

- You need an **AWS Organization account** and a **test user account** available in AWS.
- **UserLock SSO** must already be [installed and configured](/userlock/docs/guides/sso/install-configure-sso).

## Step 1. Configure AWS for Single Sign-On

1. Go to **UserLock console▸ **⚙** Server Settings▸ Single Sign-On**
2. Click on **Download ▸ Metadata file.**
3. Open the **AWS console**.
4. Enable **AWS SSO**.
5. In **Settings**, change the **Identity Source** to **External Identity Provider**.
6. Under **Identity Provider metadata**, upload the UserLock metadata file previously download.
7. In the **AWS accounts** section, select your AWS account and click **Assign Users**.
  - Add the test user account.
8. Launch the **User portal URL** (available in AWS SSO Settings) to verify that the integration works.

> **Note**
>
> 💡 **Best practice**: start with a single test user before rolling out to production.

## Step 2. Configure AWS in UserLock console

1. In the UserLock console, go to ⚙ **Server settings ▸ SSO**.
2. Click on the **AWS** row.
3. Fill in the fields with information from the AWS SSO console:
  ![](https://a.storyblok.com/f/122374/757x441/85ad44a562/aws-authentication.png)
  | Settings | Values |
  | --- | --- |
  | Email domain | The domain used by your AWS users (e.g. contoso.com). |
  | Issuer | Copy / paste **AWS SSO issuer URL** from the AWS SSO console |
  | ACS URL | Copy / paste **AWS SSO ACS URL** from the AWS SSO console |
  ![](https://a.storyblok.com/f/122374/585x788/87fc240aa1/aws-settings.PNG)

## Renew the SAML certificate

When the SAML certificate expires in UserLock, you must update AWS with the new metadata.

1. In the AWS SSO console, go to **Settings**.
2. In **Identity Source**, click **Change**.
3. Enter the new UserLock SSO metadata URL in the **IdP SAML metadata** field: `https://<your_ul_sso_url>/metadata`

## Troubleshooting

For common issues, see [Troubleshooting SSO](/userlock/docs/support/troubleshooting/sso-issues).
If the problem persists, please contact [IS Decisions Support](/support).

## Next steps

You can extend the security of SSO sessions by applying UserLock access policies in addition to authentication.

- [Apply MFA on SaaS connections](/userlock/docs/guides/mfa-implementation/mfa-for-sso) to require stronger authentication.
- [Hour restrictions](/userlock/docs/reference/access-policies/time-restriction): define when users are allowed to connect.
- [Geolocation rules](/userlock/docs/reference/access-policies/geolocation): enforce access policies based on user location.
- [Session limits](/userlock/docs/reference/access-policies/session-limit): allow or deny SaaS logins entirely for specific users.
