To improve security, enhance user experience, and address compatibility with future AWS Identity changes, AWS Single Sign-On (SSO) is making changes to the sign-in process that will affect some AWS SSO customers. The changes will go into effect globally in early October 2020.
- The AWS SSO sign-in pages are moving to a new top-level DNS domain: signin.aws. To prepare for the change, if your network and security administrators currently filter access to specific Amazon Web Service (AWS) domains or sign-in endpoints, they must add the new sign-in domain to their allow-lists.
- The AWS SSO user experience for sign-in, password change, and user invitation flows will change if you use the AWS SSO built-in identity store or Microsoft Active Directory. No action is required from you as an AWS SSO administrator, but you might need to prepare your users by updating training materials and documentation.
What is AWS SSO?
AWS SSO makes it easier to centrally manage access to multiple AWS accounts and business applications. It also enables you to provide users with single sign-on access to all their assigned accounts and applications. With AWS SSO, you can use the AWS SSO identity store to create and manage user identities or connect to your existing identity source, including Microsoft Active Directory, Okta Universal Directory, and Azure Active Directory. To learn more, visit the AWS SSO page.
What is AWS SSO user portal?
The AWS SSO user portal is a central place where your users can see and access their assigned AWS accounts, roles, and applications. You provide an AWS SSO user portal URL to your users where they sign in to AWS accounts and services and to integrated AWS and third-party applications.
While signing in, users first navigate to the user portal URL: https://[yourdirectory].awsapps.com/start. If you’re using the AWS SSO identity store or Microsoft Active Directory, users are presented with the page at https://[yourdirectory].awsapps.com/login to sign in. If you’re using an external identity provider (IdP), users are redirected to the AWS SSO page at https://[yourdirectory].awsapps.com/login first, and from there are redirected to the external IdP sign-in page. After successful authentication, users are redirected back to the AWS SSO SAML endpoint with a SAML response.
You can also implement an external IdP-initiated SAML flow, providing users with an IdP user-portal URL. From there, users are redirected to the AWS SSO SAML endpoint and then to the AWS SSO user portal without accessing the AWS SSO URL (https://[yourdirectory].awsapps.com/login).
What’s changing and how to prepare?
New AWS SSO sign-in domain
The new AWS SSO sign-in domain will affect only AWS SSO customers who use web content filtering solutions such as next-generation firewalls (NGFW) or secure web gateways (SWG) to control access to AWS sign-in domains. In October 2020, AWS SSO will move its sign-in page from https://[yourdirectory].awsapps.com/login to https://[yourregion].signin.aws/platform/login. If you control access to specific AWS domains, you must add the new domain—signin.aws—to your allow-list.
After the change, your users will still navigate first to the AWS SSO URLs https://[yourdirectory].awsapps.com/start and then https://[yourdirectory].awsapps.com/login, both of which stay on the awsapps.com domain. Your users will then be redirected to the new sign-in page at https://[yourregion].signin.aws/platform/login, residing on the new signin.aws top-level DNS domain. There, depending on your AWS SSO identity store configuration, users will either provide their sign-in credentials or be redirected to your external IdP sign-in page for authentication.
Note that adding the signin.aws domain to your web content filtering allow-lists before the change won’t impact the current system behavior. We encourage you to add the new sign-in domain as soon as possible.
No action is required if you don’t explicitly control allowed sign-in domains.
Note: If your users use a password manager to sign in to AWS SSO, and you use the AWS SSO native identity store or Microsoft Active Directory, the password manager's functionality may also be affected by the new signin.aws domain, because saved entries are matched to the old awsapps.com sign-in page. You may need to prepare your users to update their password manager configuration.
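As an added check that is not part of the original post: the script below verifies, offline, that every hop of the sign-in redirect chain described above lands on an HTTPS URL under an allow-listed domain, matching hostnames on label boundaries so that look-alike hosts such as signin.aws.example.com do not pass. The directory name "example" and the region us-east-1 are assumed placeholders, and the redirect chains are constructed from the URLs in the post rather than captured traffic.

```python
"""Check an AWS SSO sign-in redirect chain against a web-filter allow-list,
before and after the move to the signin.aws domain.
Added example for this post; chains are constructed, not captured."""
from urllib.parse import urlsplit

# Allow-list a web content filter needs after the change (per the post).
ALLOWED_DOMAINS = ("awsapps.com", "signin.aws")


def host_allowed(hostname: str, allowed=ALLOWED_DOMAINS) -> bool:
    """True if hostname equals an allowed domain or is a subdomain of one.
    Matching is on label boundaries, so 'signin.aws.example.com' or
    'evilsignin.aws' do not pass merely because they contain 'signin.aws'."""
    host = hostname.lower().rstrip(".")  # normalise case and trailing dot
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_chain(hops, allowed=ALLOWED_DOMAINS):
    """Return (url, reason) pairs that a filter using `allowed` would block.
    A hop is rejected if it is not HTTPS or its host is not allow-listed."""
    blocked = []
    for url in hops:
        parts = urlsplit(url)
        if parts.scheme != "https":
            blocked.append((url, "not https"))
        elif not parts.hostname or not host_allowed(parts.hostname, allowed):
            blocked.append((url, "host not allow-listed"))
    return blocked


# Constructed chains for a hypothetical directory "example" in us-east-1.
CURRENT_CHAIN = [
    "https://example.awsapps.com/start",
    "https://example.awsapps.com/login",
]
NEW_CHAIN = [
    "https://example.awsapps.com/start",
    "https://example.awsapps.com/login",
    "https://us-east-1.signin.aws/platform/login",
]

if __name__ == "__main__":
    # An allow-list that only has awsapps.com blocks the new third hop...
    print(check_chain(NEW_CHAIN, allowed=("awsapps.com",)))
    # ...and passes once signin.aws is added.
    print(check_chain(NEW_CHAIN))
```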
Changes in AWS SSO user experience
The user experience changes will affect only AWS SSO customers who use the AWS SSO native identity store or Microsoft Active Directory as their AWS SSO identity source. The new user experience will go into effect automatically and won’t require any action by you as an AWS SSO administrator. However, you should be aware of the change, and might need to update any related documentation and user training materials.
For usability and enhanced security, the new AWS SSO sign-in will split entry of the username and password into two steps, as shown in Figure 1. This is the only change to the AWS SSO sign-in flow user experience.
Another change will affect the invite and password change flows. The current flows let users sign in automatically after updating or setting a new password. For security reasons, the new flows will require users to sign in again with their new password.
The user experience changes won’t affect customers using AWS SSO with external IdPs.
Need more assistance?
AWS IQ enables AWS customers to find, securely collaborate with, and pay AWS Certified third-party experts for on-demand project work. Visit the AWS IQ page for information about how to submit a request, get responses from experts, and choose the expert with the right skills and experience. To start a request, sign in to your console and select Get Started with AWS IQ.
If you have any questions or issues, contact AWS Support or your technical account manager (TAM). If you have feedback about this post, submit comments in the Comments section below.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.