articles/active-directory/saas-apps/aws-single-sign-on-provisioning-tutorial.md
5 additions & 6 deletions
@@ -170,20 +170,19 @@ Once you've configured provisioning, use the following resources to monitor your
170
170
With PIM for Groups, you can provide just-in-time access to groups in Amazon Web Services and reduce the number of users that have permanent access to priviliged groups in AWS.
171
171
172
172
**Configure your enterprise application for SSO and provisioning**
173
-
1. Add AWS IAM Identity Center to your tenant and configure it for provisioning as described in the tutorial above.
173
+
1. Add AWS IAM Identity Center to your tenant, configure it for provisioning as described in the tutorial above, and start provisioning.
174
174
1. Configure [single sign-on](aws-single-sign-on-provisioning-tutorial.md) for AWS IAM Identity Center.
175
-
1. Create a [group](https://learn.microsoft.com/azure/active-directory/fundamentals/how-to-manage-groups) that will provide all users access to the application and assign the group to the application.
175
+
1. Create a [group](https://learn.microsoft.com/azure/active-directory/fundamentals/how-to-manage-groups) that will provide all users access to the application.
176
+
1. Assign the group to the AWS Identity Center application.
176
177
1. Assign your test user as a direct member of the group created in the previous step, or provide them access to the group through an access package. This group can be used for persistent, non-admin access in AWS.
177
-
1. Use on-demand provisioning to provision the group created in step 3 into your application. At this point the group does not have any active members so this will simply create the group object in AWS.
178
-
1. Sign-in to AWS and assign the group to the necessary role / permissions in AWS.
179
-
180
178
181
179
**Enable PIM for groups**
182
180
1. Create a second group in Azure AD. This group will provide access to admin permissions in AWS.
183
181
1. Bring the group under [management in Azure AD PIM](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/groups-discover-groups).
184
182
1. Assign your test user as [eligible for the group in PIM](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/groups-assign-member-owner) with the role set to member.
185
183
1. Assign the second group to the AWS IAM Identity Center application.
186
-
184
+
1. Use on-demand provisioning to create the group in AWS IAM Identity Center.
185
+
1. Sign-in to AWS IAM Identity Center and assign the second group the necessary permissions to perform admin tasks.
187
186
188
187
Now any end user that was made eligible for the group in PIM can get JIT access to the group in AWS by [activating their group membership](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/groups-activate-roles#activate-a-role).
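Review bot: The deleted step `1. Sign-in to AWS and assign the group to the necessary role / permissions in AWS.` in the "Configure your enterprise application for SSO and provisioning" list has no replacement, so the persistent, non-admin group created in step 3 is assigned to the application and receives the test user but is never granted any permissions in AWS; the "Enable PIM for groups" list below still keeps its equivalent step (`1. Sign-in to AWS IAM Identity Center and assign the second group the necessary permissions to perform admin tasks.`), so the two procedures are now inconsistent. Suggest re-adding a final step after the test-user step, e.g. `1. Sign in to AWS IAM Identity Center and assign the group the necessary permissions.` Dropping the on-demand provisioning step from the first list is consistent with step 1 now saying to start provisioning, but the PIM list retains its on-demand step, so the two lists should either both keep it or both explain why it is needed only there. Minor: the new step 4 says "AWS Identity Center application" while every other line uses "AWS IAM Identity Center", the added line uses "Sign-in" as a verb where "Sign in" is meant, and the unchanged context line has the typo "priviliged", which is worth fixing in the same commit.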