Setting Up AWS IAM Identity Center SAML for Single Sign-On
PlaidCloud supports Single Sign-On (SSO) via SAML 2.0. This guide walks through configuring AWS IAM Identity Center (formerly AWS SSO) as a SAML identity provider so your organization's users can authenticate through AWS when accessing PlaidCloud.
Prerequisites
- An AWS account with IAM Identity Center enabled
- An IAM user or role with the AWSSSOMasterAccountAdministrator managed policy or equivalent permissions
- IAM Identity Center must be configured with an identity source (the built-in directory, Active Directory, or an external IdP)
- Coordination with PlaidCloud support, who exchange the configuration values with you during setup
Overview
The setup process involves two parties exchanging SAML metadata:
- You configure a custom SAML application in IAM Identity Center and provide PlaidCloud with your SAML Metadata URL.
- PlaidCloud provides you with the Service Provider (SP) Entity ID and ACS URL (Assertion Consumer Service URL) needed to complete your application configuration.
Coordinate with PlaidCloud support to obtain the SP values before completing Step 3 below.
Step 1: Create a Custom SAML Application
- Sign in to the AWS Management Console and navigate to IAM Identity Center.
- In the left sidebar, select Applications.
- Click Add application.
- Select I have an application I want to set up and choose Custom SAML 2.0 application.
- Click Next.
- Enter a Display name for the application (e.g., PlaidCloud SSO) and optionally a description.
Step 2: Retrieve the IAM Identity Center SAML Metadata URL
Before configuring the service provider details, locate your IAM Identity Center metadata URL to send to PlaidCloud.
- On the application configuration page, scroll to the IAM Identity Center metadata section.
- Copy the IAM Identity Center SAML metadata URL (formatted as https://portal.sso.{region}.amazonaws.com/saml/metadata/{instanceId}).
Send this Metadata URL to PlaidCloud support. It is the URL of your IAM Identity Center EntityDescriptor, which carries the IdP Entity ID, the sign-in endpoint, and the X.509 certificate PlaidCloud will use to verify the signature on each SAML assertion; PlaidCloud needs it to configure the trust relationship with your identity provider. Once PlaidCloud receives this URL, the team will complete the Keycloak configuration and notify you when SSO is ready to test. If you later rotate the IAM Identity Center signing certificate, notify PlaidCloud so the trust can be refreshed from the same URL.
Step 3: Configure Service Provider Details
- Scroll to the Application properties section.
- In the Application ACS URL field, enter the ACS URL provided by PlaidCloud.
- In the Application SAML audience field, enter the SP Entity ID provided by PlaidCloud.
- Click Submit.
Step 4: Configure Attribute Mappings
IAM Identity Center passes user attributes to PlaidCloud in the SAML assertion. Configure attribute mappings so PlaidCloud receives the necessary user details.
- On the application detail page, select the Attribute mappings tab.
- Click Add new attribute mapping and add the following:
| User attribute in the application | Maps to this string value or user attribute in IAM Identity Center | Format |
|---|---|---|
| Subject | ${user:email} | emailAddress |
| email | ${user:email} | unspecified |
| firstName | ${user:givenName} | unspecified |
| lastName | ${user:familyName} | unspecified |
- Click Save changes.
Group Membership (Optional)
IAM Identity Center does not natively pass group membership as a SAML attribute in the same way as other providers. If your PlaidCloud configuration requires group-based security role assignments, discuss the available options with PlaidCloud support. Common approaches include using the built-in directory with group assignments or syncing groups from an external identity source such as Active Directory.
Step 5: Assign Users and Groups to the Application
Only users and groups assigned to the application will be able to authenticate through this SSO configuration.
- On the application detail page, select the Assign users and groups tab.
- Click Assign users and groups.
- Search for and select the users or groups that should have SSO access to PlaidCloud.
- Click Assign users.
Testing the Integration
After PlaidCloud confirms the configuration is complete:
- Navigate to your organization's PlaidCloud Workspace (e.g., https://my-workspace.plaid.cloud).
- You will be redirected to the AWS IAM Identity Center sign-in page.
- Sign in with your AWS IAM Identity Center credentials.
- Upon successful authentication, you will be redirected back to PlaidCloud.
If you encounter errors, verify that:
- The ACS URL and SP Entity ID match exactly what PlaidCloud provided
- The user attempting to log in is assigned to the application in IAM Identity Center
- The Subject attribute is mapped to ${user:email} with the emailAddress format
- The Metadata URL you sent to PlaidCloud is accessible from PlaidCloud's servers
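The two artifacts this guide exchanges, the IAM Identity Center metadata document from Step 2 and the SAML Response that reaches PlaidCloud after the Step 4 mappings, can both be inspected offline when the checks above do not explain a failed login. The script below is an added example written for this page; it is not PlaidCloud, Keycloak or AWS code. It parses a metadata document (entityID, sign-in endpoint, NameID formats, SHA-256 fingerprint of the signing certificate) and compares a decoded SAML Response against the expected IdP entityID, SP Entity ID, ACS URL, NameID format and attribute names. The entity IDs, ACS URL, certificate and XML samples in it are constructed placeholders; replace them with the metadata fetched from your metadata URL and a Response captured from the browser (the base64-decoded SAMLResponse form field).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("email", "firstName", "lastName")  # the Step 4 mappings

# Hypothetical placeholders: use your IdP entityID and the SP values from PlaidCloud.
IDP_ENTITY_ID = "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE"
SP_ENTITY_ID = "https://sp.example.test/saml"
SP_ACS_URL = "https://sp.example.test/saml/acs"
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

# Constructed IdP metadata, shaped like the document the metadata URL serves.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{IDP_ENTITY_ID}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned Response as the IdP would POST it to the ACS URL after
# the Step 4 mappings (what you get by base64-decoding the SAMLResponse field).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_idp_metadata(xml_text):
    """Return the IdP values PlaidCloud imports from the metadata URL."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute = both uses
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                der = base64.b64decode("".join(c.text.split()))
                certs.append(hashlib.sha256(der).hexdigest())  # certificate fingerprint
    return {
        "entity_id": root.get("entityID"),
        "sso": [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)],
        "name_id_formats": [f.text for f in idp.findall("md:NameIDFormat", NS)],
        "signing_cert_sha256": certs,
    }


def check_response(xml_text, idp_entity_id, sp_entity_id, acs_url):
    """List mismatches between a decoded Response and the expected setup ([] = OK)."""
    # Signature verification is left to the SP; this explains rejections, it does not replace it.
    f = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        f.append("Destination %r is not the ACS URL" % root.get("Destination"))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        f.append("Status is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return f + ["no plaintext Assertion (missing or encrypted)"]
    if a.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        f.append("Assertion Issuer does not match the IdP entityID")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FORMAT:
        f.append("Subject NameID missing or its Format is not emailAddress")
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != sp_entity_id:
        f.append("Audience %r is not the SP Entity ID" % aud)
    attrs = {x.get("Name"): [v.text for v in x.findall("saml:AttributeValue", NS)]
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not attrs.get(name) or not attrs[name][0]:
            f.append("attribute %r missing or empty" % name)
    return f
```

To run it against real data, feed `parse_idp_metadata` the body returned by your metadata URL (for example `urllib.request.urlopen(url).read()`) and `check_response` a decoded SAMLResponse captured with the browser developer tools; an empty list from `check_response` means the values PlaidCloud gave you and the Step 4 mappings are all reflected in what IAM Identity Center actually sends. The script deliberately does not verify the XML signature, which PlaidCloud's SP checks against the certificate from the metadata, so a clean result here narrows the problem to signing or to user assignment in IAM Identity Center.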