          Configure SSO from Salesforce to Amazon Web Services

          Let your users log in to Amazon Web Services (AWS) using single sign-on (SSO) from your Salesforce org configured as an identity provider.

          Required Editions

          Available in: Lightning Experience and Salesforce Classic
          Available in: Enterprise, Performance, Unlimited, and Developer Editions

          Configuring Salesforce as an identity provider for AWS involves these high-level steps.

          • Get a SAML IdP certificate.
          • Download the metadata document.
          • Create a SAML provider on AWS.
          • Create and configure a connected app on Salesforce.

          Get a SAML IdP Certificate

          Get a certificate, either self-signed or issued by a certificate authority, for Salesforce to use as its identity provider certificate. Salesforce signs the SAML assertions it sends to service providers such as AWS with this certificate, and AWS learns the matching public key from the metadata document you download in the next step. Save the certificate on your local drive.

          Download the Metadata Document

          1. From Setup, enter Identity in the Quick Find box, and then select Identity Provider.
          2. Click Download Metadata.

          On the same page under SAML Metadata Discovery Endpoints, make note of the Salesforce Identity, for example, https://MyDomainName.my.salesforce.com/.well-known/samlidp.xml.

          Create a SAML Provider on AWS

          Follow the AWS instructions to create a SAML identity provider. Log in to the AWS Management Console as an administrator, go to IAM and then Identity providers, and create a SAML provider. AWS assigns the provider an Amazon Resource Name (ARN), which you need when you configure the connected app in Salesforce.

          1. Upload the metadata document from your local drive. AWS generates the ARN for your identity provider, for example, arn:aws:iam::365652557137:saml-provider/salesforce. Save the ARN to your local drive.
          2. Create one or more roles with the desired policy for users. For each role:
            1. Create a role for Identity Provider Access.
            2. Grant Web Single-Sign-On (WebSSO) access to SAML providers. This writes the role's trust policy so that only SAML assertions from your provider, addressed to the AWS sign-in endpoint, can assume the role.
            3. Set the desired permissions.
            4. Save the ARN for the role, for example, arn:aws:iam::365652557137:role/SSOUserRole.

          Create and Configure a Connected App on Salesforce

          1. From Setup, enter External Client Apps in the Quick Find box, then select Settings in the External Client App section.
          2. Turn on Allow creation of connected apps, if it's off.
          3. Click New Connected App.
          4. Configure settings for the connected app. Under Basic Information: name the app Amazon Web Services and enter your own email address.
          5. Under Web App Settings:
            1. Select Enable SAML.
            2. For Entity Id, enter https://signin.aws.amazon.com/saml.
            3. For ACS URL, enter https://signin.aws.amazon.com/saml.
            4. For Subject Type, select Persistent ID.
            5. For Name ID Format, select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
            6. For Issuer, keep the default value, your subdomain.
            7. In the field IdP Provider Certificate, keep the default (unselected).
            8. For Verify Request Signatures, keep the default (unselected). AWS console sign-in is IdP-initiated: AWS never sends a signed SAML authentication request to Salesforce, so there is no request signature to verify.
            9. Click Save.
            Note: It can take a few minutes for Salesforce to create the connected app.
          6. From Setup, enter Apps, in the Quick Find box. If you’re using Lightning Experience, select Manage Connected Apps. If you’re using Salesforce Classic, under Manage Apps select Connected Apps.
            aws connected app
          7. Click Amazon Web Services. The connected app detail page appears.
          8. Under Custom Attributes, click New to create custom attributes.
            1. For the attribute key, enter https://aws.amazon.com/SAML/Attributes/RoleSessionName. For the attribute value, enter $User.Email.
            2. For the next attribute key, enter https://aws.amazon.com/SAML/Attributes/Role. For the attribute value, enter 'arn:aws:iam::365652557137:role/SSOUserRole,arn:aws:iam::365652557137:saml-provider/salesforce'.
              The attribute value is the saved ARN of the AWS role and the ARN of the SAML provider, separated by a comma. Custom attribute values are evaluated as formulas, so the literal string must be enclosed in single quotes; the quotes are not part of the value that AWS receives. AWS uses this pair to decide which role the user assumes, and the role's trust policy must name that same provider.
              Tip: Consider creating a custom field on the User object as a picklist of your AWS role ARNs, and reference that field in the attribute value instead of the literal string. That lets you select a user’s role dynamically from the user record.
          9. Configure the Start URL for the connected app.
            1. On the connected app detail page, copy the IdP-Initiated Login URL from under SAML Login Information.
            2. Click Edit Policies.
            3. For Start URL under Basic Information, paste the IdP-Initiated Login URL and click Save.
          10. Under Profiles or Permission Sets, add the profiles or permission sets of users who can access this app.
          11. To test access, log in as a user who has one of those profiles or permission sets and open the connected app from the App Launcher (or its Start URL). A successful login lands in the AWS Management Console with the role named in the Role attribute.
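          As an added example (not part of this article, and not Salesforce or AWS code), the following Python script ties the AWS side and the Salesforce side of the procedure together: it generates the trust policy that the "Grant Web Single-Sign-On access" console step writes for the role, produces the quoted formula value for the Role custom attribute, and checks a Role attribute value the way AWS interprets it (exactly two ARNs, one role and one saml-provider, in the same account, with the provider you actually registered). The account ID, role name and provider name are the article's placeholders; the regular expressions are assumptions taken from the documented ARN and RoleSessionName formats, and the sample values are constructed.

```python
from __future__ import annotations

import json
import re

# Constructed sample values that mirror the article's placeholders. Put your
# own account ID, role name and provider name here (assumption: same account).
ACCOUNT_ID = "365652557137"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/SSOUserRole"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/salesforce"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Role names must not contain a comma here, because the SAML Role attribute
# uses the comma to separate the two ARNs.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[A-Za-z0-9+=.@/_-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[A-Za-z0-9._-]+$")
# AWS limits RoleSessionName to 2-64 characters from this set; an email address fits.
SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@_-]{2,64}$")


def trust_policy(provider_arn: str) -> dict:
    """Trust policy for the SSO role. Only assertions issued by this SAML
    provider and addressed to the AWS sign-in audience may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
            }
        ],
    }


def role_attribute_formula(role_arn: str, provider_arn: str) -> str:
    """Value to type into the .../SAML/Attributes/Role custom attribute.
    Salesforce evaluates custom attribute values as formulas, so the literal
    must be wrapped in single quotes."""
    return f"'{role_arn},{provider_arn}'"


def role_pair_problems(value: str, expected_provider_arn: str) -> list[str]:
    """Check a Role attribute value as AWS receives it (quotes already
    stripped by the formula engine). Returns [] when AWS can map it to a
    role, otherwise a list of the problems found. Either ARN order is
    accepted, as AWS accepts both."""
    parts = value.split(",")
    if len(parts) != 2:
        return [f"expected exactly two comma-separated ARNs, got {len(parts)}"]
    roles = [p for p in parts if ROLE_ARN_RE.match(p)]
    providers = [p for p in parts if PROVIDER_ARN_RE.match(p)]
    if len(roles) != 1 or len(providers) != 1:
        return ["value must contain one role ARN and one saml-provider ARN"]
    role_arn, provider_arn = roles[0], providers[0]
    problems = []
    role_acct = ROLE_ARN_RE.match(role_arn).group(1)
    prov_acct = PROVIDER_ARN_RE.match(provider_arn).group(1)
    if role_acct != prov_acct:
        problems.append(f"role account {role_acct} differs from provider account {prov_acct}")
    if provider_arn != expected_provider_arn:
        problems.append(f"provider ARN {provider_arn} is not the registered provider")
    return problems


def session_name_ok(name: str) -> bool:
    """RoleSessionName ($User.Email in the article) must match AWS's pattern,
    otherwise AssumeRoleWithSAML fails for that user."""
    return SESSION_NAME_RE.match(name) is not None


if __name__ == "__main__":
    print(json.dumps(trust_policy(PROVIDER_ARN), indent=2))
    print(role_attribute_formula(ROLE_ARN, PROVIDER_ARN))
    print(role_pair_problems(f"{ROLE_ARN},{PROVIDER_ARN}", PROVIDER_ARN))
    print(session_name_ok("alice@example.com"))
```

          If you create the role from the CLI rather than the console, save the printed trust policy to a file and pass it with aws iam create-role --assume-role-policy-document file://trust.json. The checker catches the mistakes that most often break this setup: stray quotes leaking into the assertion, a role in a different account than the provider, a provider ARN that is not the one AWS knows, and a RoleSessionName that violates the character limits.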
          Salesforce Help | Article