Amazon Web Services (SAML)

If you’re trying to configure the Amazon Web Services: SAML app, you’re in the right place.

Amazon Web Services (SAML) requirements for SSO

Before you configure the Amazon Web Services (AWS) web application for SSO, you need the following:

  • An active Amazon Web Services account with administrator rights for your organization.
  • A signed certificate. You can either download one from Admin Portal or use your organization’s trusted certificate.

Centrify Amazon Web Services CLI utilities

Centrify offers Python and PowerShell CLI utilities to access Amazon Web Services by leveraging Privileged Access Service. The AWS CLI utilities are available from the Downloads area of the Admin Portal.

Refer to The Centrify Developer Program for more information about how to install and use the AWS CLI utilities, such as AWS PowerShell Utility V10.

AWS (SAML) Specifications

Each SAML application is different. The following list gives the features and functionality specific to Amazon Web Services, with their support details.

  • Web browser client
  • Mobile client: iOS and Android
  • SAML 2.0
  • SP-initiated SSO
  • IdP-initiated SSO
  • Force user login via SSO only: After SSO is enabled, users can continue to log in to Amazon Web Services with their local user name and password.
  • Separate administrator login after SSO is enabled: After SSO is enabled, administrators can continue to log in to Amazon Web Services with their local user name and password.
  • User lockout
  • Administrator lockout
  • Multiple User Types: Refer to Amazon Web Services documentation for details.
  • Self-service password: Users can reset their own passwords. Note that administrators cannot reset a user’s password.
  • Access restriction using a corporate IP range: You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.