Recently, the complexity of account management has been growing as organizations use a variety of software as a service (SaaS) applications. Separate logins to each application are not only cumbersome, but can also pose a security threat. To address these issues, many organizations are adopting single sign-on (SSO) solutions. SSO provides both user convenience and security by allowing access to multiple applications with a single login. In particular, applying SSO to critical cloud services such as Amazon Web Services (AWS) can greatly improve the efficiency of account management.
POPs, a SaaS management platform, also lets employees access all of their permitted SaaS apps with a single account and a single login. In this article, we explain how to sign in to the AWS console with the SSO function provided by POPs.
Single sign-on (SSO) has become an essential part of the modern business environment.
SSO allows users to connect to all services with a single authentication without having to go through a separate login process every time they access multiple SaaS applications. This greatly enhances the user experience.
SSO enables centralized authentication management and reduces password reuse and weak passwords, which helps prevent security incidents. This plays an important role in strengthening enterprise data security.
SSO reduces the burden on IT staff by simplifying account management and the granting and revoking of access. This contributes to the operational efficiency of the organization.
SSO allows access logs to be managed centrally, making it easier to meet regulatory and legal requirements.
For this reason, SSO plays an important role in an enterprise's IT strategy, and can simultaneously achieve ease of use, enhanced security, work efficiency, and compliance.
When you log in to POPs, you can see at a glance all the SaaS apps assigned to you that can be used with single sign-on. Clicking the AWS Console app in the launcher signs you in to the AWS console directly through SSO. For this to work, you must first add the AWS Console app in the POPs admin.
1. Log in to the POPs admin with an administrator account.
2. Select an app from the menu, and then click View App Catalog.
3. In the app catalog, click the AWS Console app.
4. On the AWS Console app details screen, click [Add App].
5. On the Add App screen, click [Download Metadata] to download the SAML IdP Metadata file.
1. Go to the IAM > Identity Providers menu in the AWS Console and click Add Provider.
2. On the Add Identity Provider page, select SAML as the provider type, upload the downloaded SAML IdP metadata file as the metadata document, and then click Add Provider.
3. In the list of identity providers, click the name of the provider you just added to open its detail page.
4. On the identity provider detail page, copy the identity provider ARN and keep it; it is needed for the role trust policy and for the Role pair setting in POPs.
1. In the AWS console, go to the IAM > Access Management > Identity Providers menu.
2. From the list of identity providers, select POPs.
3. Click the Assign Role button to assign a role. There are two ways to assign a role: create a new role and assign it, or select an existing role that already has the appropriate permissions.
• Assigning new roles
1. On the identity provider details screen, click the [Assign Role] button and select [Create New Role].
2. On the role creation screen, select the following items and click the [Next: Policy] button.
3. In the Attach Permissions Policy step, select the policy you want to link to the role, and then click the [Next: Tag] button.
4. In the Add Tags step, add the required tags and click the [Next: Review] button.
5. After entering all required information during the review step, click the [Create Role] button.
6. On the details screen of the role you created, copy the role ARN and keep it.
• Assigning existing roles
1. On the identity provider details screen, click the [Assign Role] button and select [Use an existing role].
2. Select the role you want to assign from the list of roles to go to the detailed screen for that role.
3. On the Permissions tab on the role details screen, click [Attach Policy] to select the policy you want to link, and click the [Attach Policy] button.
4. On the Trust Relationships tab of the role details screen, click [Edit Trust Relationship], replace the "Principal" block as shown below, and click the [Update Trust Policy] button.
"Principal": { "Federated": "{{identity provider ARN}}" }
5. Return to the role details screen and copy the role ARN and keep it.
1. On the Add an App screen in the POPs admin, enter all the required values for SAML settings.
2. In the Role pair field of the required login attributes, enter the role ARN and the identity provider ARN that you copied from the AWS console, in the following format. The values you enter here are offered as the selectable roles when the AWS Console app is assigned to users after it has been added. You can add multiple role pairs.
arn:aws:iam::123456789012:role/{{role name}},arn:aws:iam::123456789012:saml-provider/{{identity provider name}}
3. Click Add App to finish adding the AWS Console app.
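As an added example (not POPs or AWS code), the following Python checks a Role pair in the format above before it is entered in POPs, and builds the role trust policy that the role-assignment steps have you edit, including the SAML:aud condition AWS uses for console sign-in. The account ID 123456789012 and the names POPsAdmin and POPs are constructed sample values; the comma-separated order (role ARN first) follows the format shown above.

```python
import json
import re

# Added example, not POPs or AWS code. Checks the "role-arn,provider-arn" value that
# POPs sends in the AWS SAML Role attribute and builds the matching role trust policy.
# Account 123456789012 and the names POPs / POPsAdmin are constructed sample values.
ARN_RE = re.compile(
    r"^arn:aws:iam::(?P<account>\d{12}):(?P<kind>role|saml-provider)/(?P<name>[\w+=.@/-]+)$"
)
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

def parse_role_pair(pair: str) -> dict:
    """Split one Role pair and verify both ARNs are well formed and in the same account."""
    parts = [p.strip() for p in pair.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected 'role-arn,provider-arn', got {pair!r}")
    role, provider = ARN_RE.match(parts[0]), ARN_RE.match(parts[1])
    if role is None or role["kind"] != "role":
        raise ValueError(f"first value is not a role ARN: {parts[0]!r}")
    if provider is None or provider["kind"] != "saml-provider":
        raise ValueError(f"second value is not a saml-provider ARN: {parts[1]!r}")
    if role["account"] != provider["account"]:
        # A mismatched pair is only rejected by AWS at sign-in time, so catch it here.
        raise ValueError("role and identity provider are in different AWS accounts")
    return {"role_arn": parts[0], "provider_arn": parts[1], "account": role["account"]}

def is_valid_role_pair(pair: str) -> bool:
    try:
        parse_role_pair(pair)
        return True
    except ValueError:
        return False

def trust_policy(provider_arn: str) -> dict:
    """Trust policy letting only this SAML identity provider assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            # Only assertions addressed to the AWS sign-in endpoint are accepted.
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }

if __name__ == "__main__":
    pair = parse_role_pair("arn:aws:iam::123456789012:role/POPsAdmin,"
                           "arn:aws:iam::123456789012:saml-provider/POPs")
    print(json.dumps(trust_policy(pair["provider_arn"]), indent=2))
```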
Megazone Cloud, which created POPs, believes that smooth work progress is an important factor in the employee experience. The separate login processes of individual SaaS products are integrated into SSO so that employees can easily run the SaaS products they need. There isn't a single day that Megazone Cloud employees don't use POPs to connect to the SaaS they need :)