Configure a Distributed Cloud AIP Organization with AWS SSO


This page contains information for legacy Threat Stack customers who log into Distributed Cloud AIP using If you log into Distributed Cloud AIP using F5 Distributed Cloud Services (F5XC), see User Management for information about configuring SSO in F5XC using Google, Azure, or Okta.

Single Sign-On (SSO) integrates a session token with a user authentication service. An SSO allows users to access multiple authorized applications without re-authenticating when switching between applications.

You can configure your F5 Distributed Cloud App Infrastructure Protection (AIP) organization with Amazon Web Services (AWS) SSO to simplify the login process and decrease the amount of time authentication takes.


You must sign in from your AWS SSO portal when configuring SSO, not from Distributed Cloud AIP.

To turn on AWS Organizations in your AWS account:

  1. Log into AWS and set up your AWS application according to these instructions.
  2. In the Configuration tab, do the following:
    1. Leave the Application start URL blank.
    2. Leave Relay state blank.
    3. In Application ACS URL, type or copy and paste: 
    4. In Application SAML audience, type or copy and paste:
  3. In the AWS SSO metadata section, click Download certificate. The metadata certificate downloads.
  4. Click the Attribute mappings tab. The application mapping page displays.
  5. Set User attribute in the application to Subject.
  6. Set Maps to this string value or user attribute in AWS SSO to ${user:email}.
  7. Set Format to emailAddress.
  8. Click the Save changes button.
  9. Click the Assigned users tab. The assigned users page displays.
  10. Add the users you want to configure with SSO.
  11. Click the Save changes button.

To configure SSO in your Distributed Cloud AIP organization:

  1. Log into Distributed Cloud AIP with your organization owner account.
  2. In the left navigation pane, click Settings, then Authentication.
  3. In the Identity Provider SAML 2.0 URL section, copy and paste the value from AWS SSO sign-in URL.
  4. In the Identity Provider Issuer URL section, copy and paste the value from AWS SSO issuer URL.
  5. In the Public Certificate file section, from your file browser, upload the certificate you downloaded from the AWS SSO metadata section in AWS.
Was this article helpful?
0 out of 0 found this helpful