AWS SSO Configuration
Audience: Identity Engineers and Cloud Administrators.
Purpose: Reference documentation for the Azure AD to AWS Identity Center integration.
Overview
The Aggie Innovation Platform (AIP) uses Azure AD as the identity provider for AWS access via SAML-based single sign-on. This configuration enables users to access AWS accounts using their TAMU credentials.
Azure AD Configuration
Enterprise Application Details
| Property | Value |
|---|---|
| App Name | aip-sso-aws-aip |
| Application ID | a009c583-539e-4545-ae05-000030a0f56c |
| Identifier (Entity ID) | https://us-east-2.signin.aws.amazon.com/platform/saml/d-9a672570e4 |
| Reply URL (ACS) | https://us-east-2.signin.aws.amazon.com/platform/saml/acs/13ac5c10-de94-492a-8422-202b47d78c85 |
Configuration Sections
SAML Configuration
The enterprise application is configured for SAML-based sign-on with:
- Custom claim mappings for AWS roles
- Group-based provisioning
- Automatic user provisioning via SCIM
Key SAML attributes:
- Role: maps to AWS IAM roles
- RoleSessionName: user principal name
- SessionDuration: token validity period
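The values in the two tables above (Entity ID and Reply URL) and the three AWS attributes are exactly what an engineer checks when an SSO sign-in fails or when reviewing an assertion captured with a browser SAML tracer. The script below is an added example, not part of the AIP documentation: it parses a constructed, unsigned sample assertion and reports every mismatch against the documented configuration (audience, recipient, validity window, Role format, RoleSessionName equal to the NameID, SessionDuration within the range AWS accepts). The tenant ID, account ID, role names and timestamps in the sample are placeholders; signature verification is deliberately out of scope here, since AWS performs it on the real assertion.

```python
"""Inspect a SAML assertion bound for the AIP AWS Identity Center ACS and
check the values that must line up with the Azure AD enterprise application
settings.  Added example; the assertion is constructed and carries no
signature.  For assertions from untrusted sources, parse with defusedxml
instead of the stdlib parser."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"

# Values taken from the documented configuration tables.
EXPECTED_AUDIENCE = "https://us-east-2.signin.aws.amazon.com/platform/saml/d-9a672570e4"
EXPECTED_RECIPIENT = ("https://us-east-2.signin.aws.amazon.com/platform/saml/acs/"
                      "13ac5c10-de94-492a-8422-202b47d78c85")
MIN_SESSION_SECONDS = 900        # AWS accepts SessionDuration from 15 minutes
MAX_SESSION_SECONDS = 12 * 3600  # up to 12 hours

# Constructed sample assertion: tenant ID, account ID and user are placeholders.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@tamu.edu</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{EXPECTED_RECIPIENT}"
          NotOnOrAfter="2024-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2023-12-31T23:55:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
    <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{AWS_ATTR}Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/AIP-PowerUserAccess,arn:aws:iam::123456789012:saml-provider/AzureAD</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{AWS_ATTR}RoleSessionName">
      <saml:AttributeValue>jdoe@tamu.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{AWS_ATTR}SessionDuration">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Reference time used when evaluating the sample (inside its validity window).
NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)


def _ts(value):
    """Parse a SAML xsd:dateTime such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _attr(root, name):
    """Return the AttributeValue strings for one AWS SAML attribute."""
    values = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AWS_ATTR + name:
            values.extend(v.text or "" for v in attr.findall("saml:AttributeValue", NS))
    return values


def check_assertion(xml_text, now):
    """Return a list of findings; an empty list means every documented value
    lines up and the assertion is valid at time `now`."""
    findings = []
    root = ET.fromstring(xml_text)

    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        findings.append(f"Audience {audience!r} does not match the Identity Center Entity ID")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("Conditions element missing")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            findings.append("assertion not yet valid (NotBefore in the future)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (Conditions NotOnOrAfter passed)")

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        findings.append("SubjectConfirmationData missing")
    else:
        if scd.get("Recipient") != EXPECTED_RECIPIENT:
            findings.append("Recipient does not match the Reply URL (ACS)")
        if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
            findings.append("bearer confirmation expired (SubjectConfirmationData NotOnOrAfter passed)")

    roles = _attr(root, "Role")
    if not roles:
        findings.append("Role attribute missing")
    for role in roles:  # each value is "role-arn,provider-arn"
        parts = role.split(",")
        if len(parts) != 2 or not all(p.startswith("arn:aws:iam::") for p in parts):
            findings.append(f"Role value {role!r} is not of the form role-arn,provider-arn")

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    session_names = _attr(root, "RoleSessionName")
    if len(session_names) != 1 or not session_names[0]:
        findings.append("RoleSessionName must carry exactly one non-empty value")
    elif session_names[0] != name_id:
        findings.append("RoleSessionName does not match the NameID (user principal name)")

    for duration in _attr(root, "SessionDuration"):
        if not duration.isdigit() or not MIN_SESSION_SECONDS <= int(duration) <= MAX_SESSION_SECONDS:
            findings.append(f"SessionDuration {duration!r} outside {MIN_SESSION_SECONDS}..{MAX_SESSION_SECONDS} seconds")
    return findings


if __name__ == "__main__":
    for finding in check_assertion(SAMPLE_ASSERTION, NOW) or ["no findings"]:
        print(finding)
```

Run it against a decoded assertion from a SAML tracer by replacing `SAMPLE_ASSERTION` and `NOW`; a non-empty findings list points at the setting to compare with the tables above (audience and recipient come straight from the Entity ID and Reply URL rows).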
User & Group Provisioning
Users and groups are synchronized from Azure AD to AWS Identity Center:
- Automatic provisioning enabled
- Group membership determines AWS account access
- Permission sets assigned based on group membership
Conditional Access
Conditional access policies apply to the AWS SSO application:
- MFA required for all users
- Compliant device requirements
- Location-based restrictions (as configured)
AWS Configuration
Identity Center Details
| Property | Value |
|---|---|
| Instance ARN | arn:aws:sso:::instance/ssoins-6684f9cac4d508fc |
| User Portal URL | https://aggie-innovation-platform.awsapps.com/start |
| SCIM Endpoint | https://scim.us-east-2.amazonaws.com/Hw50c64ab87-a643-4a89-823a-8338fa1f791d/scim/v2/ |
Permission Sets
Permission sets define the level of access users receive in AWS accounts:
| Permission Set | Description | Use Case |
|---|---|---|
| AdministratorAccess | Full administrative access | Account owners, senior engineers |
| PowerUserAccess | Full access except IAM | Developers, operators |
| ViewOnlyAccess | Read-only access | Auditors, reviewers |
| SecurityOperations | Security-focused permissions | Security team members |
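The access model above has two invariants worth checking on a schedule: access is granted through groups (not directly to users), and the AdministratorAccess permission set stays with the account-owner population. The audit below is an added example, not AIP tooling. Its assignment records are constructed and simplified (principal and permission-set names already resolved, roughly the shape of Identity Center's ListAccountAssignments output), and the group allowed to hold AdministratorAccess is an assumption, not the project's documented policy.

```python
"""Audit Identity Center account assignments against the documented AIP
access model.  Added example with constructed data; ADMIN_GROUPS is an
assumed allow-list, not a value from the AIP documentation."""
from collections import defaultdict

# The four permission sets documented for the platform.
PERMISSION_SETS = {"AdministratorAccess", "PowerUserAccess", "ViewOnlyAccess", "SecurityOperations"}
# Assumption for the example: only this group may be assigned AdministratorAccess.
ADMIN_GROUPS = {"aip-aws-account-owners"}

# Constructed assignment export: account IDs and group names are placeholders.
SAMPLE_ASSIGNMENTS = [
    {"AccountId": "111111111111", "PermissionSetName": "AdministratorAccess",
     "PrincipalType": "GROUP", "PrincipalName": "aip-aws-account-owners"},
    {"AccountId": "111111111111", "PermissionSetName": "PowerUserAccess",
     "PrincipalType": "GROUP", "PrincipalName": "aip-aws-developers"},
    {"AccountId": "222222222222", "PermissionSetName": "ViewOnlyAccess",
     "PrincipalType": "GROUP", "PrincipalName": "aip-aws-auditors"},
    {"AccountId": "222222222222", "PermissionSetName": "SecurityOperations",
     "PrincipalType": "GROUP", "PrincipalName": "aip-aws-security"},
    # Two assignments that violate the model: a direct user grant, and admin
    # access handed to a group outside the allow-list.
    {"AccountId": "222222222222", "PermissionSetName": "PowerUserAccess",
     "PrincipalType": "USER", "PrincipalName": "jdoe@tamu.edu"},
    {"AccountId": "222222222222", "PermissionSetName": "AdministratorAccess",
     "PrincipalType": "GROUP", "PrincipalName": "aip-aws-developers"},
]


def effective_access(assignments):
    """Map each group to the permission sets it holds per account."""
    access = defaultdict(lambda: defaultdict(set))
    for a in assignments:
        if a["PrincipalType"] == "GROUP":
            access[a["PrincipalName"]][a["AccountId"]].add(a["PermissionSetName"])
    return {g: dict(accts) for g, accts in access.items()}


def audit_assignments(assignments, admin_groups=ADMIN_GROUPS):
    """Return one finding per assignment that breaks the documented model."""
    findings = []
    for a in assignments:
        where = f"{a['PrincipalName']} on account {a['AccountId']}"
        if a["PrincipalType"] != "GROUP":
            findings.append(f"direct {a['PrincipalType']} assignment: {where} ({a['PermissionSetName']})")
        if a["PermissionSetName"] not in PERMISSION_SETS:
            findings.append(f"undocumented permission set {a['PermissionSetName']!r}: {where}")
        if a["PermissionSetName"] == "AdministratorAccess" and a["PrincipalName"] not in admin_groups:
            findings.append(f"AdministratorAccess outside the allowed groups: {where}")
    return findings


if __name__ == "__main__":
    for group, accounts in effective_access(SAMPLE_ASSIGNMENTS).items():
        print(group, accounts)
    for finding in audit_assignments(SAMPLE_ASSIGNMENTS):
        print("FINDING:", finding)
```

Feeding it a real export means resolving permission-set ARNs and principal IDs to names first; the two invariants it enforces are the ones the User & Group Provisioning and Permission Sets sections state.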
Quick Access
User Portal
Access your AWS accounts at: https://aggie-innovation-platform.awsapps.com/start