Initiating sign-on from the identity provider (IdP)
Applies to: Enterprise Edition and Standard Edition
Intended audience: System administrators
Note: IAM identity federation doesn't support syncing identity provider groups with Amazon Quick Suite.
In this scenario, your users initiate the sign-on process from the identity provider's portal. After the IdP authenticates them, they are signed in to Amazon Quick Suite; after Quick Suite checks that they are authorized, they can use it.
Beginning with a user signing in to the IdP, authentication flows through these steps:
1. The user browses to https://applications.example.com and signs on to the IdP. At this point, the user isn't signed in to the service provider.
2. The federation service and the IdP authenticate the user:
   - The federation service requests authentication from the organization's identity store.
   - The identity store authenticates the user and returns the authentication response to the federation service.
   - When authentication is successful, the federation service posts the SAML assertion to the user's browser.
3. The user opens Amazon Quick Suite:
   - The user's browser posts the SAML assertion to the Amazon Sign-In SAML endpoint (https://signin.aws.amazon.com/saml).
   - Amazon Sign-In receives the SAML response, validates the assertion, authenticates the user, and forwards the authentication token to the Amazon Quick Suite service.
4. Amazon Quick Suite accepts the authentication token from Amazon and presents Amazon Quick Suite to the user.
From the user's perspective, the process happens transparently. The user starts at your organization's internal portal and lands at an Amazon Quick Suite application portal, without ever having to supply any Amazon credentials.
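The message that matters for security in the steps above is the SAML response the browser POSTs to https://signin.aws.amazon.com/saml: the service provider must not trust anything in it until it has checked where it was addressed to, who it is for, when it is valid and that it is signed. As an added example, not code from the Quick Suite documentation or from Amazon, the following Python script decodes a SAMLResponse form field the way it arrives in that POST and runs those checks over it, which is useful when troubleshooting why a federated sign-in is rejected. The sample response, the IdP URL, the account ID, the role name and the user are constructed placeholders, and the Signature element is a stub; the audience value urn:amazon:webservices and the Role/RoleSessionName attribute names are the ones used for SAML federation to Amazon but are assumptions for this example, so confirm them against the IAM User Guide linked below.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml when parsing untrusted captures

# Endpoint from the flow above; the browser POSTs the SAMLResponse form field here.
AWS_SAML_ENDPOINT = "https://signin.aws.amazon.com/saml"
# Audience and attribute names for SAML federation to Amazon (assumed here;
# confirm against the IAM User Guide for your deployment).
AWS_AUDIENCE = "urn:amazon:webservices"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response: IdP, account ID, role and user are placeholders,
# and the Signature element is a stub with no real signature value.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T12:00:00Z" Destination="https://signin.aws.amazon.com/saml">
 <saml:Issuer>https://applications.example.com/idp</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://applications.example.com/idp</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
     Recipient="https://signin.aws.amazon.com/saml"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue>arn:aws:iam::123456789012:role/QuickSuiteReader,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# The form field as it appears in the POST body: base64 of the XML above.
SAMPLE_FORM_VALUE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def decode_saml_response(form_value: str) -> ET.Element:
    """Base64-decode the SAMLResponse form field and parse the XML."""
    return ET.fromstring(base64.b64decode(form_value))


def assertion_attributes(root: ET.Element) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    out = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return out


def check_response(root, expected_destination, expected_audience, now_utc) -> list:
    """Return a list of problems; an empty list means the response passes these checks.

    Structure, addressing and timing only: this does NOT verify the XML signature.
    The service provider must verify it with the IdP's certificate before trusting
    any claim in the assertion.
    """
    now = _parse_utc(now_utc)
    problems = []
    dest = root.get("Destination")
    if dest != expected_destination:
        problems.append(f"Destination {dest!r} is not {expected_destination!r}")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("response carries no assertion")
        return problems
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include {expected_audience!r}")
    conds = assertion.find("saml:Conditions", NS)
    if conds is not None:
        if conds.get("NotBefore") and now < _parse_utc(conds.get("NotBefore")):
            problems.append("assertion not yet valid")
        if conds.get("NotOnOrAfter") and now >= _parse_utc(conds.get("NotOnOrAfter")):
            problems.append("assertion expired")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, expected_destination):
        problems.append(f"Recipient {scd.get('Recipient')!r} is not the sign-in endpoint")
    for name in (ROLE_ATTR, SESSION_NAME_ATTR):
        if name not in assertion_attributes(root):
            problems.append(f"missing attribute {name}")
    return problems
```

To inspect a real capture, paste the SAMLResponse value from the browser's POST in place of SAMPLE_FORM_VALUE and call check_response(decode_saml_response(value), AWS_SAML_ENDPOINT, AWS_AUDIENCE, now) with the current UTC time; any line it returns is a reason Amazon Sign-In would reject the assertion before it ever reaches Quick Suite. Validity windows in these assertions are typically a few minutes, so a clock skew between the IdP and the browser's submission time shows up as "assertion expired" or "assertion not yet valid".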
The following diagram shows an authentication flow between Amazon Quick Suite and a third-party identity provider (IdP). In this example, the administrator has set up a sign-in page to access Amazon Quick Suite, called applications.example.com. When a user signs in, the sign-in page posts a request to a federation service that complies with SAML 2.0. The end user initiates authentication from the sign-on page of the IdP.

For information from some common providers, see the following third-party documentation:
- Okta – Planning a SAML deployment
- Ping – Amazon integrations
Use the following topics to understand using an existing federation with Amazon:
- Identity federation in Amazon on the Amazon website
- Providing access to externally authenticated users (identity federation) in the IAM User Guide
- Enabling SAML 2.0 federated users to access the Amazon Management Console in the IAM User Guide