AWS Cloud Operations Blog
Sign-in to AWS Console Mobile Application with an AWS Access Portal or third-party IdP URL
AWS customers rely on the AWS Console Mobile Application to monitor, manage, and receive notifications to stay informed about their AWS resources while away from their desktop devices. Customers who use Single-Sign-On (SSO) can face a unique set of challenges while signing into the AWS Console Mobile Application. While SSO can offer enhanced security and convenience benefits, integration with mobile applications can introduce complexities that impede customers and negatively affect the user experience. On Aug 26, 2024, AWS announced a new streamlined federated and SSO sign in process for the AWS Console Mobile App.
Solution overview
In this blog post, you’ll learn how to sign in to the AWS Console Mobile Application using AWS IAM Identity Center, federation, or a third-party Identity Provider (IdP) like Okta, Google Workspace, or JumpCloud. We’ll walk through how SSO works on the AWS Console Mobile Application, and the process of signing in using your SSO sign in URL for the first time. If you are an Administrator and want to learn about how to set up an organization instance of IAM Identity Center with a commonly used identity source, several helpful tutorials are available on the AWS IAM Identity Center User Guide.
Key benefits
SSO on the AWS Console Mobile Application streamlines access to your AWS resources on your mobile device using the same centralized authentication that your organization uses for web-based access to your AWS resources. The key features of SSO on the AWS Console Mobile Application include; 1) centralized access, 2) secure authentication, and 3) consistency.
- Centralized access – When you access AWS Console Mobile Application using SSO, you can use a single set of credentials to securely access multiple AWS accounts and roles with increased convenience.
- Secure authentication – The use of organizational credentials and optional Multi-Factor Authentication (MFA) ensures that access is secure, whether you are accessing your AWS resources on your desktop or mobile device. If you are an Administrator and want to learn about how to set up MFA in Identity Center, you can find more information in the AWS IAM Identity Center User Guide.
- Consistency – The AWS Console Mobile Application’s SSO sign in flow is designed to mirror the web-based experience, making the process of switching between accounts and roles on your mobile device familiar and easy.
Prerequisites
You will need the following:
- An AWS account with the appropriate permissions for the AWS services you want to access from the Console Mobile Application.
- A mobile device with the AWS Console Mobile Application (available on iOS and Android) installed and set up.
- A valid AWS Identity user account, or third-party identity provider workforce user account.
- An AWS access portal, federated, or third-party identity provider URL. You’ll typically receive a sign in URL from your administrator. This URL is usually what you use to sign in to AWS.
Note: If your organization uses IAM Identity Center, when an administrator creates a user in IAM Identity Center on your behalf an email invitation to join IAM Identity Center containing a one-time password and AWS access portal URL is typically sent to you. If your organization uses federation or third-party identity provider like Windows Active Directory, Okta, or Salesforce Identity, contact your administrator to get your sign in URL.
How SSO works on the AWS Console Mobile Application
SSO on the AWS Console Mobile Application allows you to authenticate using your organizational credentials from AWS IAM Identity Center, federation, or a third-party Identity Provider (IdP) rather than creating separate credentials specific to AWS. This type of authentication works allowing you to specify a custom sign in URL from your identity provider as part of the first time sign in experience for the AWS Console Mobile Application.
Once you’ve provided the sign in URL the AWS Console Mobile Application redirects you to the sign in page of that provider (this page is hosted by the provider). You then enter your credentials (e.g. username and password) on the identity provider’s page and authentication is handled by the identity provider. If MFA is required, it is also enforced by the identity provider.
Once successfully authenticated, the identity provider issues an authentication token to the AWS Console Mobile Application. This token contains information about your user ID, role, and permissions. The token is then validated by AWS to ensure it grants the necessary access for the AWS Console Mobile Application to access AWS services on your behalf. If the token is valid and you have the necessary permissions, the AWS Console Mobile Application allows you to monitor and manage your AWS resources.
Sign in to AWS Console Mobile Application with AWS access portal
Step 1: Open the AWS Console Mobile Application and tap the Use a sign in URL button on the Sign in screen as shown in figure 1.
Step 2: In the Sign in URL field, type or paste in the sign-in URL that you were provided through email (e.g. https://your_domain.awsapps.com/start) as shown in figure 2.
Step 3: Sign in using your organizational credentials (e.g. a username and password) as shown in figures 3 and 4.
Step 4: If you are asked for a verification code, check your email for it. Then type or paste the code in the sign-in screen.
Step 5: If MFA is enabled. follow on screen instructions to provide additional authentication information.
Step 6: Once authenticated, select an AWS account and role to assume as shown in figure 5.
Step 7: Once authenticated, you’ll be directed to the AWS Console Mobile Application home screen (as shown in figure 7) where you can monitor and manage the AWS resources associated with the account and role you selected.
Sign in to AWS Console Mobile Application using federation or third-party identity provider
Step 1: Open the AWS Console Mobile Application and tap the Use a sign in URL button on the Sign in screen as shown in figure 8.
Step 2: In the Sign in URL field, type or paste in the sign-in URL that you received from your administrator (e.g. https://your_domain.okta.com) as shown in figure 9.
Step 3: Sign in using your organizational credentials (e.g. a username and password) as shown in figure 10.
Step 4: If MFA is enabled follow on screen instructions to provide additional authentication information as shown in figure 11.
Step 5: Once authenticated, select an AWS account and role as shown in figures 12 and 13.
Step 6: Access your resources. Once authenticated, you’ll be directed to the AWS Console Mobile Application home screen (as shown in figure 14) where you can monitor and manage the AWS resources associated with the account and role you selected.
Conclusion
AWS customers using SSO to sign in to an AWS account can use their sign in URL to securely authenticate with the AWS Console Mobile Application. The AWS Console Mobile Application lets customers monitor, manage, and receive notifications to stay informed about their AWS resources while on-the-go. Visit the product page for more information and download the AWS Console Mobile Application today.