AWS SSO for end user customer application

I'm doing some analysis for a customer regarding multiple end-user applications they run. Right now, both have separate user databases, and they now want to provide an SSO experience.

They threw out a bunch of SSO providers, specifically the new AWS SSO service. From reading about AWS SSO, my question is this: AWS SSO seems more applicable for managing internal users for a company (i.e. using the same credentials for JIRA, SharePoint, and their company portal) and not really applicable for handling hundreds of thousands of end-user customer accounts.

Is my understanding of the purpose of AWS SSO correct? Like, I'm sure AWS SSO could work with end-user clients, but is that the applicable use case here? Is there a better SSO provider in this case to deal with SSO for end users?

1 answer

  • answered 2018-01-11 20:49 Eleazar Enrique

    Definitely, it is not a good choice for end-users.

    This is the entry splash at AWS Console.

    Before you can start managing SSO access to your AWS accounts, you must go to the AWS Organizations console and create an organization with All features enabled. For more information, see AWS SSO Prerequisites

    Look at this splash from AWS Console


    AWS Organizations console and create an organization

    That phrase explains which target it was created for. So you're right:

    AWS SSO seems more applicable for managing internal users for a company (ie using the same credentials for JIRA, sharepoint, and their company portal) and not really applicable for handling hundreds of thousands of end-user customer accounts.

    I recommend you use AWS Cognito as single sign-on.

    Using Cognito, you will have a few challenges:

    The problem would be passing a token (with an expiry value) from site A to B securely. There is no built-in SSO facility provided by Cognito. You would have to manage the encryption, storage & transfer of tokens yourself. Reference: How to use AWS Cognito as Single-sign-on?

    Take a look at this post:

    Use Amazon QuickSight Federated Single Sign-On with Amazon Cognito User Pools

    Hope this gives you a little more information to accomplish your scenario.
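As an added illustration of the cross-site handoff the answer says you must build yourself (not code from the answer or from Cognito), the following is an assumed design: after a user has authenticated against the Cognito user pool, site A mints a short-lived, single-audience token protected by an HMAC over a shared secret, and site B refuses anything that is tampered with, expired, or minted for a different site. The shared secret and all token values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret; in practice each site loads it from a secrets store.
SHARED_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_handoff_token(subject, audience, ttl_seconds=60, now=None):
    """Site A issues the handoff token once Cognito has authenticated the user.
    The audience pins the token to one receiving site; exp bounds its lifetime;
    jti gives site B a value to record if it wants to reject replays."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "aud": audience, "iat": int(now),
              "exp": int(now) + ttl_seconds, "jti": secrets.token_hex(8)}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(mac)}"


def verify_handoff_token(token, expected_audience, now=None):
    """Site B returns the claims only if the MAC matches (checked before the
    body is parsed), the audience is this site, and the token has not expired.
    Any failure returns None so the caller cannot accidentally trust partial data."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except ValueError:  # covers bad base64, bad JSON and a malformed split
        return None
    if not isinstance(claims, dict) or claims.get("aud") != expected_audience:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims
```

The token still has to travel over TLS and be stored only briefly on the receiving side; this block covers integrity, audience and expiry, not the transport.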