AWS Marketplace
Single sign-on for AWS Marketplace sellers using AWS IAM Identity Center
Note: On May 6, 2024, we updated the section Step 1: Enable IAM Identity Center.
As an AWS Marketplace seller, the AWS Marketplace Management Portal (Management Portal) is the primary tool for selling products in AWS Marketplace. Sellers use the Management Portal to create and manage AWS Marketplace listings, issue Private offers, manage Vendor Insights, and access reporting and metrics on AWS Marketplace transactions. Signing in to the Management Portal requires the use of AWS IAM principals and roles, which are managed in the AWS Management Console separately from the AWS Marketplace Management Portal.
There are two ways to sign in to the Management Portal:
- Sellers can sign in to the AWS Management Console using IAM user credentials and then navigate to the Management Portal.
- You can sign directly in to the Management Portal using AWS IAM Identity Center (formerly IAM Single Sign-On) using an IAM principal and role with the necessary permissions for the Management Portal.
Using AWS IAM Identity Center, you can set up a single sign-on experience, which removes the complexity of a two-step sign-in process. It also limits the scope of access to what is needed for the AWS Marketplace Management Portal.
In this blog post, Ramya and I show how to configure AWS IAM Identity Center with an identity source using the IAM Identity Center directory. This redirects your sellers to the Management Portal with a single sign-on (SSO) experience.
About AWS IAM Identity Center
IAM Identity Center offers a convenient and secure way for workforce users to access AWS resources while also providing organizations with greater control and visibility into access management. It is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type. Using IAM Identity Center, companies can enable single sign-on to their AWS resources and applications, including the Management Portal. This will allow AWS Marketplace sellers to sign in to the Management Portal with a single set of credentials instead of having to sign in to multiple consoles.
Benefits of using IAM Identity Center
There are several benefits to using IAM Identity Center, including:
- Increased security: IAM Identity Center helps you to protect your AWS resources by enabling you to control who has access to them.
- Reduced complexity: IAM Identity Center makes it easy to manage your AWS users and groups.
- Improved compliance: IAM Identity Center helps you to comply with industry regulations by providing you with the tools you need to audit your access permissions.
Solution overview
To enable single sign-on for the Management Portal, you must create a group for AWS Marketplace sellers in your organization and assign permission sets to the corresponding users and group. A permission set is a template that you create and maintain that defines a collection of one or more IAM policies. IAM Identity Center uses permission sets to assign access to a user or group in one or more AWS accounts.
When a user signs into the Management Portal configured via IAM Identity Center, they choose an account and then choose the role created with the assigned permission set. IAM Identity Center then redirects the user’s browser to the AWS Management Console by default, requiring the user to proceed to the Management Portal manually. In this solution, the user is automatically redirected to the Management Portal by setting the relay state URL in the permission sets for the assumed role.
Prerequisites
Your AWS account must be managed by AWS Organizations. If you haven’t set up an organization, you don’t have to. When you enable IAM Identity Center, you will choose whether to have AWS create an organization for you. For more information about requirements, refer to the IAM Identity Center User Guide.
Solution walkthrough: Single sign-on for AWS Marketplace sellers using AWS IAM Identity Center
For admins: configure access in IAM Identity Center
A user with admin privileges must follow these steps.
Step 1: Enable IAM Identity Center
- Log in to your AWS Management Console as a user or role that has administrator access.
- Navigate to the IAM Identity Center console.
- Under Enable IAM Identity Center, choose Enable.
Step 2: Configure IAM Identity Center users and groups
- In the IAM Identity Center console, go to Groups and choose Create Group.
- Enter Group Name as AWS Marketplace SellerFullAccess and choose Create Group.
- Navigate to Users and choose Add user.
- Enter the Primary information for the user.
- Enter Username as Management-Portal-Admin-1.
- For Password, choose Send an email to this user with password setup instructions. The email address must be unique. When asked to confirm the email address, enter the same email address into the field.
- For First name, enter the Management Portal. You must enter a name here for automatic provisioning to work. For more information, see Automatic provisioning.
- For Last name, enter Admin-1. You must enter a name here for automatic provisioning to work.
- Choose Next.
- In the Add user to groups section, for the group, select AWS Marketplace SellerFullAccess. Choose Next.
- Review the user information and choose Add user.
Step 3: Configure permission set for AWSMarketplaceSellerFullAccess
- In the IAM Identity Center console, go to Permission sets and choose Create Permission set.
- For Permission set type, choose Custom permission set. Choose Next.
- Under AWS managed policies, search for AWSMarketplaceSellerFullAccess. Select the AWSMarketplaceSellerFullAccess policy and choose Next.
- For Permission set name, enter AMMP-Seller-Full-Access.
- Select session duration based on your preference.
- For Relay state, enter the AWS Marketplace Management Portal URL: https://aws.amazon.com/marketplace/management/signin. Choose Next, then review the permission set details and choose Create.
Step 4: Configure multi-account permissions to users and groups
- In the IAM Identity Center console, go to Multi-account permissions and choose AWS accounts.
- From the list of accounts in your AWS Organizations, select the account you want to set up for SSO access.
- Choose Assign users or group.
- Under the Groups tab, select AWS Marketplace SellerFullAccess.
- Under the Users tab, select the user name you created earlier in Step 2. Choose Next.
- Select the Management Portal-Seller-Full-Access permission set.
- Review the details and choose Submit.
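Steps 3 and 4 can also be scripted and then checked for drift. The following is an added example, not code from this post or from AWS: it assumes a boto3 `sso-admin` client is passed in, that the caller supplies the Identity Center instance ARN, the account ID and the identity store GroupId of the seller group, and that a four-hour session (`PT4H`) is an acceptable duration.

```python
MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AWSMarketplaceSellerFullAccess"
RELAY_STATE = "https://aws.amazon.com/marketplace/management/signin"


def provision_seller_access(sso_admin, instance_arn, account_id, group_id,
                            name="AMMP-Seller-Full-Access", session_duration="PT4H"):
    """Create the permission set (Step 3) and assign it to the group (Step 4)."""
    # Step 3: the relay state sends the user straight to the Management
    # Portal instead of the AWS Management Console. PT4H is an assumed value.
    ps_arn = sso_admin.create_permission_set(
        InstanceArn=instance_arn, Name=name,
        SessionDuration=session_duration, RelayState=RELAY_STATE,
    )["PermissionSet"]["PermissionSetArn"]
    # Attach only the AWS managed policy named in Step 3.
    sso_admin.attach_managed_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn,
        ManagedPolicyArn=MANAGED_POLICY_ARN)
    # Step 4: grant the group (not individual users) access to one account.
    status = sso_admin.create_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_id,
    )["AccountAssignmentCreationStatus"]["Status"]
    return ps_arn, status


def audit_permission_set(sso_admin, instance_arn, ps_arn):
    """Return findings where the live permission set differs from Step 3.

    Only AWS managed policies and the relay state are checked; inline and
    customer managed policies would need their own list calls.
    """
    ps = sso_admin.describe_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn)["PermissionSet"]
    attached = [p["Arn"] for p in sso_admin.list_managed_policies_in_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn)["AttachedManagedPolicies"]]
    findings = []
    if ps.get("RelayState") != RELAY_STATE:
        findings.append(f"relay state is {ps.get('RelayState')!r}")
    if MANAGED_POLICY_ARN not in attached:
        findings.append("AWSMarketplaceSellerFullAccess is not attached")
    extra = sorted(a for a in attached if a != MANAGED_POLICY_ARN)
    if extra:
        findings.append(f"unexpected managed policies: {extra}")
    return findings
```

With real credentials, create the client with `boto3.client("sso-admin")`; the assignment is asynchronous, so a returned status of `IN_PROGRESS` is normal.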
For end users: accept the invitation
Each end user must follow these steps.
- Once your account is set up in IAM Identity Center, you will receive an email to accept the invitation and details of your AWS access portal URL and user name.
- From the email, choose Accept invitation. This will direct you to the new user signup, where you can set up your password.
- To see your AWS account, choose the AWS Account icon.
- Select your account name and choose the Management console link next to the Management Portal-Seller-Full-access. This link directs you to the AWS Marketplace Management Portal.
Conclusion
In this blog post, Ramya and I showed you how to set up single sign-on access for AWS Marketplace sellers to access the AWS Marketplace Management Portal. You can repeat this with additional roles, providing access tailored to your team’s needs in the Management Portal, for example, read-only or reports only.
About the authors
Mike Reed
Mike Reed has more than 20 years of security and identity experience and is the Worldwide Lead for Managed Security ISVs. Based in Austin, Texas, Mike guides AWS partners through building and selling their software and services offerings through AWS Marketplace.
Ramya Vijayaraghavan
Ramya Vijayaraghavan is an AWS Marketplace specialist Solution Architect based in Dallas. Ramya has over 10 years of industry experience in the field of databases and data analytics. Ramya helps customers with building secure cloud solutions using third-party products from AWS Marketplace.