# AWS SSO

* [Enable AWS SSO](#enable-aws-sso)
* [Login via AWS SSO](#login-via-aws-sso)
* [Add Users to e6data via AWS SSO](#add-users-to-e6data-via-aws-sso)
* [Remove Users from e6data via AWS SSO](#remove-users-from-e6data-via-aws-sso)
* [Disable AWS SSO](#disable-sso)

## Enable AWS SSO

1. Navigate to **Access Control > SSO** from the left side menu.
2. Click on **Add Identity Provider**.
3. Provide a name for your Identity Provider.
4. Select **AWS**.
5. Click **Next**.
6. Follow these steps to [add and configure a custom SAML 2.0 application](https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html) in AWS.
   1. In AWS, when asked for an **Application ACS URL**, copy & paste the **Application ACS URL** shown on the e6data SSO page.
   2. In AWS, when prompted for an **Application SAML audience**, copy & paste the **Application SAML audience** shown on the e6data SSO page.
   3. Match the user attributes in AWS to those shown on the e6data SSO page.
7. Click **Next**.
8. Under IdP Configuration, click **Choose File** & upload the **IAM Identity Center SAML metadata file** previously downloaded from AWS IAM Console in step 6.
9. Click **Save**.
10. Users can now log in to e6data using AWS SSO.

## Login via AWS SSO

Users can log in by:

* Clicking the **Single Sign-On (SSO)** button in the e6data platform.
* Using the [AWS access portal](https://docs.aws.amazon.com/en_us/singlesignon/latest/userguide/howtosignin.html)

SuperAdmin will be able to log in using both SSO and username/password authentication.

## Add Users to e6data via AWS SSO

Please follow [this guide from AWS to add users](https://docs.aws.amazon.com/singlesignon/latest/userguide/assignuserstoapp.html) to the custom SAML 2.0 application created during SSO setup.

Once a user is added, they will be able to [log in via AWS SSO](#login-via-aws-sso).

By default, new users are assigned the Viewer role (least privilege). The SuperAdmin or AccessAdmin should change the user's role after the first login.

## Remove Users from e6data via AWS SSO

Please follow [this guide from AWS to remove user access](https://docs.aws.amazon.com/singlesignon/latest/userguide/removeaccessfromapp.html) to the custom SAML 2.0 application created during SSO setup.

## Disable SSO

1. Navigate to **Access Control > SSO** from the left side menu.
2. Toggle **Integrate SSO** to the disabled position.

*<mark style="color:blue;">**Important: When SSO is disabled, each user added using SSO will need to reset their password.**</mark>*
