# AWS SSO

* [Enable AWS SSO](#enable-aws-sso)
* [Login via AWS SSO](#login-via-aws-sso)
* [Add Users to e6data via AWS SSO](#add-users-to-e6data-via-aws-sso)
* [Remove Users from e6data via AWS SSO](#remove-users-from-e6data-via-aws-sso)
* [Disable AWS SSO](#disable-sso)

## Enable AWS SSO

1. Navigate to **Access Control > SSO** from the left side menu.
2. Click on **Add Identity Provider**
3. Provide a name for your Identity Provider
4. Select **AWS**
5. Click **Next**
6. Follow these steps to [add and configure a custom SAML 2.0 application](https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html) in AWS.
   1. In AWS, when asked for an **Application ACS URL**, copy & paste the **Application ACS URL** shown on the e6data SSO page.
   2. In AWS, when prompted for an **Application SAML audience**, copy & paste the **Application SAML audience** shown on the e6data SSO page.
   3. Match the user attributes in AWS to those shown on the e6data SSO page.
7. Click **Next**
8. Under IdP Configuration, click **Choose File** & upload the **IAM Identity Center SAML metadata file** previously downloaded from AWS IAM Console in step 6.
9. Click **Save**
10. Users can now log in to e6data using AWS SSO.

## Login via AWS SSO

Users can log in by:

* Clicking the **Single Sign-On (SSO)** button in the e6data platform.
* Using the [AWS access portal](https://docs.aws.amazon.com/en_us/singlesignon/latest/userguide/howtosignin.html)

SuperAdmin will be able to log in using both SSO and username/password authentication.

## Add Users to e6data via AWS SSO

Please follow [this guide from AWS to add users](https://docs.aws.amazon.com/singlesignon/latest/userguide/assignuserstoapp.html) to the custom SAML 2.0 application created during SSO setup.

Once a user is added, they will be able to [log in via AWS SSO](#login-via-aws-sso).

By default, new users are assigned the Viewer role (least privilege). The SuperAdmin or AccessAdmin should change the user's role after the first login.

## Remove Users from e6data via AWS SSO

Please follow [this guide from AWS to remove user access](https://docs.aws.amazon.com/singlesignon/latest/userguide/removeaccessfromapp.html) to the custom SAML 2.0 application created during SSO setup.

## Disable SSO

1. Navigate to **Access Control > SSO** from the left side menu.
2. Toggle **Integrate SSO** to the disabled position.

***Important: When SSO is disabled, each user added using SSO will need to reset their password.***

