Setup AWS SSO with Google as an external identity provider

In modern organizations, managing internal authentication and authorization can be a difficult task. It is important to ensure that only authorized users have access to the appropriate resources, which can become complicated as the number of users and third-party services used grows. Managing unique login credentials for every service and user becomes impractical. This is where single sign-on comes in.

This article will guide you through the process of utilizing single sign-on to manage user access to Amazon Web Services (AWS) resources through Google’s G Suite accounts.

You will need the following tools:

• AWS account with administrator access
• Google G Suite user with administrator access

This authentication flow is shown in the following diagram.

1. IAM Identity Center initial setup

If you have not yet enabled IAM Identity Center in your account, complete the following prerequisites to get started with IAM Identity Center:

• Enable IAM Identity Center — When you choose Enable, a window populates and requests that you Create AWS organization. You must complete this step because IAM Identity Center requires AWS Organizations.
• Choose your identity source.
• Create an administrative permission set.
• Set up AWS account access for an administrative user.
• Sign in to the AWS access portal with your administrative credentials.

To set up an external identity provider in IAM Identity Center

• On the Dashboard page of the IAM Identity Center console, select Choose your identity source.

• In the Settings, choose the Identity source tab, select the Actions dropdown in the top right, and then select Change identity source.