Sign in to the AWS Console Mobile Application via an AWS Access Portal or Third-Party IdP URL


AWS users depend on the AWS Console Mobile Application to oversee, manage, and receive alerts regarding their AWS resources while away from their desktops. However, those utilizing Single Sign-On (SSO) may encounter distinct challenges when trying to access the AWS Console Mobile Application. While SSO provides improved security and convenience, integrating it with mobile apps can create complexities that hinder users and detract from their experience. On August 26, 2024, AWS introduced a new simplified federated and SSO sign-in process for the AWS Console Mobile App.

Solution Overview

In this article, you will discover how to log into the AWS Console Mobile Application using AWS IAM Identity Center, federation, or a third-party Identity Provider (IdP) such as Okta, Google Workspace, or JumpCloud. We will explain how SSO functions within the AWS Console Mobile Application and guide you through the initial sign-in process using your SSO URL. If you are an Administrator seeking to set up an organization instance of IAM Identity Center with a popular identity source, you can find several helpful tutorials in the AWS IAM Identity Center User Guide.

Key Benefits

Implementing SSO within the AWS Console Mobile Application simplifies access to your AWS resources on your mobile device, utilizing the same centralized authentication your organization employs for web-based AWS access. The principal features of SSO on the AWS Console Mobile Application include:

  1. Centralized Access: Accessing the AWS Console Mobile Application via SSO allows you to use one set of credentials to securely reach multiple AWS accounts and roles, enhancing convenience.
  2. Secure Authentication: Your organizational credentials, along with optional Multi-Factor Authentication (MFA), ensure secure access whether you are using a desktop or mobile device. For Administrators interested in setting up MFA in Identity Center, further information can be found in the AWS IAM Identity Center User Guide.
  3. Consistency: The SSO sign-in flow for the AWS Console Mobile Application is designed to align with the web-based experience, making account and role switching on your mobile device straightforward and familiar.

Prerequisites

To proceed, you will require:

  • An AWS account with the necessary permissions for the AWS services you wish to access through the Console Mobile Application.
  • A mobile device with the AWS Console Mobile Application (available on iOS and Android) installed and configured.
  • A valid AWS Identity user account or third-party identity provider workforce user account.
  • An AWS access portal, federated, or third-party identity provider URL, typically supplied by your administrator.

Note: If your organization utilizes IAM Identity Center, an email invitation containing a one-time password and an AWS access portal URL is usually sent when an administrator creates a user on your behalf. For organizations employing federation or third-party IdPs, such as Windows Active Directory, Okta, or Salesforce Identity, please reach out to your administrator for your sign-in URL.

How SSO Works on the AWS Console Mobile Application

SSO on the AWS Console Mobile Application enables authentication through your organizational credentials from AWS IAM Identity Center, federation, or a third-party Identity Provider (IdP), eliminating the need for separate AWS-specific credentials. This authentication method allows you to use a custom sign-in URL from your identity provider during your first sign-in to the AWS Console Mobile Application.

After entering the sign-in URL, the AWS Console Mobile Application redirects you to that provider’s sign-in page, where you will input your credentials (username and password). Your identity provider manages the authentication process, including any required MFA.

Once authenticated, the identity provider issues an authentication token to the AWS Console Mobile Application, containing details about your user ID, role, and permissions. AWS validates this token to ensure it grants the required access for the application to manage your AWS services. If the token is valid and you possess the necessary permissions, you can monitor and manage your AWS resources effectively.

Sign in to AWS Console Mobile Application with AWS Access Portal

  1. Open the AWS Console Mobile Application and select the “Use a sign in URL” button on the Sign-in screen.
  2. In the Sign in URL field, enter or paste the URL you received via email (e.g., https://your_domain.awsapps.com/start).
  3. Sign in using your organizational credentials (username and password).
  4. If prompted for a verification code, check your email for it and enter it on the sign-in screen.
  5. If MFA is required, follow the on-screen instructions to provide the necessary information.
  6. After successful authentication, choose an AWS account and role to assume.
  7. You will then be directed to the AWS Console Mobile Application home screen, where you can manage the selected AWS resources.

Sign in to AWS Console Mobile Application via Federation or Third-Party Identity Provider

  1. Open the AWS Console Mobile Application and tap the “Use a sign in URL” button on the Sign-in screen.
  2. Enter or paste the sign-in URL provided by your administrator (e.g., https://your_domain.okta.com).
  3. Sign in using your organizational credentials (username and password).
  4. If MFA is enabled, follow the on-screen instructions to complete the additional authentication steps.
  5. Upon successful authentication, select your desired AWS account and role.
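
Both procedures above begin with typing or pasting a URL that leads to a credential prompt, so the URL itself should be checked against the hosts your organization actually uses before it is entered. The following Python check is an added example, not part of the original article or of any AWS tooling; the approved hosts and the sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: hosts your administrator has published as sign-in URLs.
# These values are constructed for the example.
APPROVED_HOSTS = {
    "example-corp.awsapps.com",  # AWS access portal (https://<name>.awsapps.com/start)
    "example-corp.okta.com",     # third-party IdP
}


def check_sign_in_url(url, approved_hosts=APPROVED_HOSTS):
    """Return (ok, reason) for a sign-in URL received by email or chat."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    # "https://trusted-name@other-host/" shows a trusted name but connects
    # to other-host, so any userinfo component is rejected outright.
    if parts.username is not None or parts.password is not None:
        return False, "URL embeds credentials (user@host form)"
    if port not in (None, 443):
        return False, "non-standard port"
    host = (parts.hostname or "").rstrip(".")
    # Exact match only: a suffix or substring test would accept
    # "example-corp.awsapps.com.login-portal.example".
    if host not in approved_hosts:
        return False, f"host {host!r} is not an approved sign-in host"
    return True, "ok"


if __name__ == "__main__":
    samples = [  # constructed sample URLs
        "https://example-corp.awsapps.com/start",
        "http://example-corp.awsapps.com/start",
        "https://example-corp.awsapps.com@login-portal.example/start",
        "https://example-corp.awsapps.com.login-portal.example/start",
        "https://examp1e-corp.okta.com",
    ]
    for sample in samples:
        print(check_sign_in_url(sample), sample)
```
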
