Step by Step – Protect AWS Single-Sign-On Portal and AWS CLI with PhenixID Authentication Services


This document will guide you through the steps to enable multi-factor authentication with PhenixID Authentication Services for the AWS Single-Sign-On Portal (AWS SSO) using SAML2. The configuration also enables MFA, using PhenixID Authentication Services, for AWS command line interface (AWS CLI) login.

This will enable usage of federated logins.

System Requirements

  • PhenixID Authentication Server 3.0 or higher
  • AWS SSO instance administration rights



This document will guide you through the steps to enable multi-factor authentication for AWS SSO.

Configure PhenixID Authentication Services as Identity Provider

  1. Login to Configuration Manager.
  2. Setup PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)
  3. Set Post SLO URL = https://YOUR_PHENIXID_IDP_DOMAIN/saml/authenticate/logout/
  4. Save the changes.
  5. Click IDENTITY PROVIDER->View SAML Metadata.
  6. Save the Metadata as a xml-file

Configure AWS SSO

  1. Follow this guide to add external identity provider to AWS SSO.
    1. Upload the identity provider metadata provided in previous step.

Add trust to AWS SSO on PhenixID Authentication Services

  1. Login to configuration manager
  2. Open Scenarios->Federation->SAML Metadata upload
  3. Click the plus sign
  4. Upload the AWS SSO Service Provider metadata from previous step.
  5. Save the changes.

Configure PAS assertion

  1. Login to Configuration Manager.
  2. Locate the Scenario-Federation setup earlier for AWS.
  4. Add information to  “AssertionProvider”:
    1. Set NameID attribute = mail
    2. Add fields to MISCELLANOUS
      1. signAssertion = true
      2. signMessage = false
      3. nameIdFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  5. Save the changes


Web browser

    1. Browse to the start URL of your AWS SSO instance. For example
    2. Your browser should be redirect to PhenixID Authentication Services
    3. Authenticate
    4. You should now be redirected to AWS SSO and be logged in


Follow this instruction.

Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID -