Compliance & Governance

SSO Implementation

Separate credentials for every system are a security nightmare — password reuse, credential sharing, and impossible access reviews. We implement SSO across your entire stack so every user authenticates once through your identity provider with MFA, and access is managed centrally.

Need this done for your project?

We implement, you ship. Async, documented, done in days.

Start a Brief

AWS IAM Identity Center

We configure AWS IAM Identity Center (formerly AWS SSO) to federate your IdP (Okta, Azure AD, Google Workspace) with all AWS accounts. Permission sets map IdP groups to IAM roles across your AWS Organization. Engineers authenticate through the SSO portal and assume roles in specific accounts — no IAM users, no long-lived access keys, no shared credentials. Session duration is configured per permission set: 1 hour for production admin, 8 hours for developer access.

Kubernetes OIDC Integration

We configure the Kubernetes API server to authenticate users via OIDC from your identity provider. Users run kubectl with tokens from the IdP — no static kubeconfig credentials. RBAC ClusterRoles and RoleBindings map IdP groups to Kubernetes permissions. Token refresh is handled transparently by kubelogin or the OIDC plugin. Service accounts for CI/CD use short-lived tokens from the projected service account token volume. No long-lived Kubernetes credentials exist.
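An added configuration sketch (not an Anubiz deliverable or a copy of any client setup) showing the three pieces this section describes on a kubeadm cluster using the int128 kubelogin exec plugin; the issuer URL, client ID, manifest path and group name are assumed placeholders:

```yaml
# --- 1. kube-apiserver OIDC flags (excerpt of an assumed kubeadm static pod
#        manifest at /etc/kubernetes/manifests/kube-apiserver.yaml) ---
# All values are constructed for this example.
spec:
  containers:
  - command:
    - kube-apiserver
    - --oidc-issuer-url=https://idp.example.com   # must serve /.well-known/openid-configuration over TLS
    - --oidc-client-id=kubernetes                 # must match the "aud" claim the IdP puts in the id_token
    - --oidc-username-claim=email
    - --oidc-username-prefix=oidc:                # keeps IdP users from colliding with built-in names
    - --oidc-groups-claim=groups
    - --oidc-groups-prefix=oidc:                  # keeps IdP groups from colliding with e.g. system:masters
---
# --- 2. RBAC: bind the IdP group "platform-admins" to cluster-admin.
#        The subject name must carry the prefix configured above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: idp-platform-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: oidc:platform-admins
---
# --- 3. kubeconfig user entry: no static token is stored; kubectl runs the
#        kubelogin exec plugin, which authenticates at the IdP (with its MFA
#        policy) and refreshes the id_token before it expires.
apiVersion: v1
kind: Config
users:
- name: oidc-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubectl
      args:
      - oidc-login
      - get-token
      - --oidc-issuer-url=https://idp.example.com
      - --oidc-client-id=kubernetes
      - --oidc-extra-scope=email
      - --oidc-extra-scope=groups
      interactiveMode: IfAvailable
```

The IdP must actually emit the `groups` claim in the ID token (most providers require enabling this per application); if it does not, the ClusterRoleBinding never matches and authenticated users end up with no permissions rather than an error.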

SaaS Application Federation

We integrate your IdP with all SaaS tools via SAML or OIDC: GitHub Enterprise, GitLab, Datadog, PagerDuty, Jira, Confluence, and your internal applications. SCIM provisioning automatically creates and removes accounts based on IdP group membership. Each integration includes: SSO configuration, group mapping, SCIM provisioning (where supported), and MFA policy enforcement. The result: one login, consistent access controls, and automated provisioning across all tools.

Emergency Access Procedures

SSO creates a dependency on the identity provider. We implement break-glass procedures for IdP outages: emergency admin accounts stored in a physical safe or secure password manager with multi-party access, documented procedures for authenticating during SSO outage, and monitoring that detects IdP availability issues. Break-glass accounts are tested quarterly and their usage triggers alerts. The goal: SSO for daily operations, tested fallback for emergencies.

Why Anubiz Engineering

100% async — no calls, no meetings
Delivered in days, not weeks
Full documentation included
Production-grade from day one
Security-first approach
Post-delivery support included

Ready to get started?

Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.