
AWS SSO Setup

Project: arlyn-docs (ArlynLabs/arlyn-docs)
Date: May 2026


This page describes how Arlyn connects JumpCloud (IdP) to AWS using SAML 2.0 federation. Users authenticate via JumpCloud and are granted AWS console access based on their group membership, with permissions determined by the IAM role they are mapped to.

This integration uses IAM Identity Providers (not IAM Identity Center), which is the correct path for JumpCloud's built-in AWS SSO connector.


Architecture

Component                   Description
JumpCloud Application       AWS SSO app created from the JumpCloud AWS template. Holds the SAML configuration and attribute mappings.
JumpCloud Groups            Control which users get the AWS tile and which SAML attributes (role mappings) they receive.
AWS IAM Identity Provider   SAML provider registered in AWS IAM using JumpCloud's metadata XML. Establishes trust between AWS and JumpCloud.
AWS IAM Roles               Roles with SAML trust policies. Define what permissions federated users receive. Each role maps to a JumpCloud application/group.

Setup Sequence

Complete these steps in order — each depends on the previous.

1. Create the AWS SSO Application in JumpCloud

Use the AWS template from the JumpCloud SSO application catalog.

2. Create JumpCloud Groups

Create one group per AWS role. Add the relevant members to each group.

3. Download the JumpCloud SAML Metadata XML

From the SSO tab of the JumpCloud AWS application.

4. Create the IAM Identity Provider in AWS

Go to IAM → Identity Providers → Add provider. Select SAML, give the provider a name (JumpCloud is used throughout this page), and upload the metadata XML. Copy the IdP ARN once created; it is needed in the role trust policy and in the SAML attribute value.

5. Create AWS IAM Roles

Go to IAM → Roles → Create role. Select SAML 2.0 federation, choose the JumpCloud IdP, and allow both programmatic and console access; this produces a trust policy that allows sts:AssumeRoleWithSAML for that saml-provider ARN only. Attach the appropriate permission policy. If the SessionDuration attribute (6 hours below) will be sent, also set the role's Maximum session duration to at least that value, since a new role defaults to 1 hour.

6. Configure SAML Attribute Mapping in JumpCloud

In the JumpCloud AWS application SSO tab, add the role attribute(s) and assign groups.
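The trust policy step 5 produces, and a lint for an existing one, as an added example (not JumpCloud's or AWS's code; the account ID 123456789012 and the provider name JumpCloud are placeholders). The policy shape is the one the IAM console generates for SAML 2.0 federation with console access; the lint flags the two trust-policy mistakes behind the sts:AssumeRoleWithSAML error in Troubleshooting and a missing SAML:aud condition:

```python
"""Build and lint the SAML trust policy for an IAM role in this setup.

Added example for this page, not AWS or JumpCloud code. The account ID and
provider name are placeholders you substitute; the policy shape is the one
the IAM console generates for 'SAML 2.0 federation' with console access.
"""
import json

# Audience AWS requires in the assertion for console sign-in.
CONSOLE_AUDIENCE = "https://signin.aws.amazon.com/saml"
ASSUME_ACTION = "sts:AssumeRoleWithSAML"


def saml_provider_arn(account_id: str, provider_name: str = "JumpCloud") -> str:
    """ARN of the IAM Identity Provider created in step 4."""
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def saml_trust_policy(account_id: str, provider_name: str = "JumpCloud") -> dict:
    """Trust policy for step 5: only assertions from this IdP, and only those
    addressed to the AWS sign-in endpoint, may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn(account_id, provider_name)},
            "Action": ASSUME_ACTION,
            "Condition": {"StringEquals": {"SAML:aud": CONSOLE_AUDIENCE}},
        }],
    }


def _as_list(x):
    # IAM allows a single string or a list for Action and Principal values.
    return [x] if isinstance(x, str) else list(x or [])


def trust_policy_problems(policy: dict, expected_provider_arn: str) -> list[str]:
    """Lint a trust policy (e.g. AssumeRolePolicyDocument from aws iam get-role).

    Flags: no Allow statement for sts:AssumeRoleWithSAML, trust in a provider
    ARN other than the expected one, and a missing SAML:aud condition.
    """
    problems, saml_statements = [], 0
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or ASSUME_ACTION not in _as_list(st.get("Action")):
            continue
        saml_statements += 1
        principal = st.get("Principal")
        if not isinstance(principal, dict):
            problems.append(f"statement {i}: Principal is {principal!r}, not a Federated ARN")
            continue
        federated = _as_list(principal.get("Federated"))
        if not federated:
            problems.append(f"statement {i}: no Federated principal")
        for arn in federated:
            if arn != expected_provider_arn:
                problems.append(f"statement {i}: trusts unexpected principal {arn}")
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != CONSOLE_AUDIENCE:
            problems.append(f"statement {i}: missing SAML:aud == {CONSOLE_AUDIENCE} condition")
    if saml_statements == 0:
        problems.append(f"no Allow statement for {ASSUME_ACTION}; role cannot be assumed via SAML")
    return problems


if __name__ == "__main__":
    # Save this output as trust.json and pass it to create-role (see usage note).
    print(json.dumps(saml_trust_policy("123456789012"), indent=2))
```

Save the printed JSON as trust.json and create the role with aws iam create-role --role-name Arlyn-Admin --assume-role-policy-document file://trust.json, then attach the permission policy. If SessionDuration 21600 will be sent, also run aws iam update-role --role-name Arlyn-Admin --max-session-duration 21600, because a new role's maximum is one hour. To audit an existing role, feed the AssumeRolePolicyDocument returned by aws iam get-role to trust_policy_problems.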


SAML Attribute Mapping

Two SAML attributes are configured in the JumpCloud AWS application:

Attribute Name                                          Value
https://aws.amazon.com/SAML/Attributes/Role             arn:aws:iam::<account-id>:role/<RoleName>,arn:aws:iam::<account-id>:saml-provider/JumpCloud
https://aws.amazon.com/SAML/Attributes/SessionDuration  21600 (6 hours)

The Role attribute value is a comma-separated pair: the IAM role ARN first, then the IdP ARN, with no spaces anywhere in the value. Both ARNs belong to the same account (the provider registered in step 4 and the role created in step 5). SessionDuration is in seconds; AWS accepts 900 to 43200, the value must not exceed the role's Maximum session duration, and if the attribute is omitted the session lasts 1 hour.


Assigning Multiple Roles

Different user groups → different roles: use separate applications

SAML attribute mappings in a JumpCloud application apply to all users assigned to that application. There is no way within a single application to send Role A only to Group X and Role B only to Group Y.

If different sets of users need different AWS roles, create a separate JumpCloud AWS application for each role:

JumpCloud Application   Assigned Group   Role Attribute Value
AWS — Arlyn Admin       Arlyn Admins     arn:aws:iam::...role/Arlyn-Admin,...saml-provider/JumpCloud
AWS — Billing Admin     Arlyn Billing    arn:aws:iam::...role/Billing-Admin,...saml-provider/JumpCloud

Each application generates its own AWS tile in the JumpCloud user portal. Users only see the tile(s) for applications their group is assigned to.

Single user needing multiple roles: duplicate the attribute

If a single user legitimately needs access to more than one AWS role (e.g. an IAM admin who also needs billing access), add a second entry for the same attribute name within the same application. The attribute name is duplicated — only the value changes:

Attribute Name                                   Value
https://aws.amazon.com/SAML/Attributes/Role      arn:aws:iam::123456789012:role/Arlyn-Admin,arn:aws:iam::123456789012:saml-provider/JumpCloud
https://aws.amazon.com/SAML/Attributes/Role      arn:aws:iam::123456789012:role/Billing-Admin,arn:aws:iam::123456789012:saml-provider/JumpCloud

When AWS receives more than one role in the SAML assertion, it presents a role selection screen at sign-in and the user picks which role to assume for that session. With exactly one role value, AWS signs the user straight into that role with no selection screen.


Troubleshooting

Error                                                  Likely Cause
AWS tile not visible in JumpCloud portal               The user's group has not been assigned to the AWS application in JumpCloud.
Not authorized to perform sts:AssumeRoleWithSAML       Role ARN or IdP ARN in the SAML attribute is incorrect or contains a space, or the IAM role's trust policy does not allow sts:AssumeRoleWithSAML for that saml-provider ARN.
No roles available                                     The SAML attribute value is malformed. Verify the comma-separated ARN pair character-for-character: role ARN first, then provider ARN, no spaces.
Sign-in fails only when SessionDuration is set         The requested duration exceeds the role's Maximum session duration (1 hour for a new role) or lies outside 900 to 43200 seconds. Raise the role's maximum or lower the attribute value.
Redirect or ACS error                                  ACS URL or Entity ID mismatch. Verify these match the values AWS expects (the JumpCloud template pre-populates them correctly).