Initiating sign-on from Quick Suite
Applies to: Enterprise Edition
Intended audience: System administrators
Note: IAM identity federation doesn't support syncing identity provider groups with Amazon Quick Suite.
In this scenario, your user initiates the sign-on process from an Amazon Quick Suite application portal without being signed on to the identity provider. In this case, the user has a federated account managed by a third-party IdP. The user might have a user account on Quick Suite. Quick Suite sends an authentication request to the IdP. After the user is authenticated, Quick Suite opens.
Beginning with the user signing into Quick Suite, authentication flows through these steps:
- The user opens Quick Suite. At this point, the user isn't signed in to the IdP.
- The user attempts to sign in to Amazon Quick Suite.
- Amazon Quick Suite redirects the user's input to the federation service and requests authentication.
- The federation service and the IdP authenticate the user:
  - The federation service requests authentication from the organization's identity store.
  - The identity store authenticates the user and returns the authentication response to the federation service.
  - When authentication is successful, the federation service posts the SAML assertion to the user's browser.
  - The user's browser posts the SAML assertion to the Amazon Sign-In SAML endpoint (https://signin.aws.amazon.com/saml).
  - Amazon Sign-In receives the SAML request, processes the request, authenticates the user, and forwards the authentication token to the Amazon Quick Suite service.
- Amazon Quick Suite accepts the authentication token from Amazon and presents Amazon Quick Suite to the user.
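The steps above describe an SP-initiated SAML flow: the service provider sends an authentication request, the IdP answers with an assertion, and the SP must tie that assertion back to the request it issued before trusting it. The following is an added example written for this page, not Amazon's or Quick Suite's code: a toy service provider and a toy IdP exchanging constructed SAML messages, with the SP checking InResponseTo, Issuer, Audience, Recipient and the validity window. The entity IDs `urn:example:sp` and `https://idp.example.com` are assumptions; the ACS endpoint is the Amazon Sign-In URL quoted on the page. XML signature verification is left out so the example stays self-contained.

```python
"""Toy SP-initiated SAML exchange (added example; not Amazon's implementation).
Signature verification is out of scope: a real SP verifies the XML signature
before it trusts any of the fields checked here."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "urn:example:sp"            # assumed SP entity ID
IDP_ENTITY_ID = "https://idp.example.com"  # assumed IdP entity ID
ACS_URL = "https://signin.aws.amazon.com/saml"  # endpoint named on the page
FIXED_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


class SamlError(Exception):
    pass


def fmt_ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ServiceProvider:
    """Remembers outstanding AuthnRequests so each response is matched to exactly one."""

    def __init__(self, now=lambda: datetime.now(timezone.utc)):
        self.pending = {}
        self.now = now

    def build_authn_request(self):
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = self.now()
        return req_id, (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="{req_id}" '
                        f'AssertionConsumerServiceURL="{ACS_URL}" Version="2.0"/>')

    def consume_response(self, xml_text):
        root = ET.fromstring(xml_text)
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            raise SamlError("no assertion in response")
        # The response must answer a request this SP issued, and only once (no replay).
        if root.get("InResponseTo") not in self.pending:
            raise SamlError("unsolicited or replayed response")
        del self.pending[root.get("InResponseTo")]
        if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise SamlError("unexpected issuer")
        audiences = [a.text for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            raise SamlError("assertion not addressed to this SP")
        scd = assertion.find(".//saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != ACS_URL:
            raise SamlError("recipient mismatch")
        cond = assertion.find("saml:Conditions", NS)
        now = self.now()
        if now < parse_ts(cond.get("NotBefore")) or now >= parse_ts(cond.get("NotOnOrAfter")):
            raise SamlError("assertion outside validity window")
        return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def idp_issue_response(request_xml, name_id, issued):
    """Toy IdP: answers the AuthnRequest with an unsigned assertion valid for five minutes."""
    req = ET.fromstring(request_xml)
    acs = req.get("AssertionConsumerServiceURL")
    expiry = fmt_ts(issued + timedelta(minutes=5))
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"
  ID="_{secrets.token_hex(16)}" InResponseTo="{req.get("ID")}" Destination="{acs}" Version="2.0">
  <saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{fmt_ts(issued)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{acs}" InResponseTo="{req.get("ID")}" NotOnOrAfter="{expiry}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{fmt_ts(issued)}" NotOnOrAfter="{expiry}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>'''


def demo():
    """Runs the happy path, a replay and an expired assertion; returns the three outcomes."""
    sp = ServiceProvider(now=lambda: FIXED_NOW)
    _, request = sp.build_authn_request()
    response = idp_issue_response(request, "alice@example.com", FIXED_NOW)
    name_id = sp.consume_response(response)
    try:
        sp.consume_response(response)      # same response a second time
        replay_rejected = False
    except SamlError:
        replay_rejected = True
    _, request2 = sp.build_authn_request()
    response2 = idp_issue_response(request2, "alice@example.com", FIXED_NOW)
    sp.now = lambda: FIXED_NOW + timedelta(minutes=10)  # SP clock past NotOnOrAfter
    try:
        sp.consume_response(response2)
        expired_rejected = False
    except SamlError:
        expired_rejected = True
    return name_id, replay_rejected, expired_rejected


if __name__ == "__main__":
    print(demo())
```

The point of the `pending` dictionary is the SP-initiated property the page describes: because Quick Suite (the SP) started the exchange, the consumer of the assertion can insist that every response answers a request it actually sent, which an IdP-initiated flow cannot do.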
From the user's perspective, the process happens transparently. The user starts at an Amazon Quick Suite application portal. Amazon Quick Suite negotiates authentication with your organization's federation service and Amazon. Amazon Quick Suite opens, without the user needing to supply any additional credentials.