The SDO service gives users secure, password-free access to the Amazon Web Services console, or to any specific AWS feature you designate. Users log into the console by authorizing the connection through an app on their phone. This article provides the steps needed to enable the SDO service for AWS and to configure the identity provider and role in AWS that SDO will use for access.
Enabling SDO Authentication for Amazon Web Services
1. In the Control Panel, click on My Services from the left-hand menu.
2. Click on the Secret Double Octopus vendor band to expand it.
3. Under the expanded vendor band, click on the Services tab.
4. Click on the Edit button for Amazon Web Services.
5. Select your domain from the Domain drop-down field.
6. Click the Active Amazon Web Services (AWS) button.
7. Click on the Service Metadata tab.
8. Click the Open Metadata File button and save the metadata file to your computer.
9. In a separate tab or browser, log into your AWS Console.
10. In the AWS Console, click on the Services menu.
11. Under the Security, Identity & Compliance group, click IAM.
12. In the left-hand menu, click Identity Providers.
13. Click the Create Provider button.
14. On the Configure Provider page, choose SAML from the Provider Type drop-down menu.
15. Enter a Provider Name, and then use the Choose File button to select the metadata.xml file you downloaded in step 8.
16. Click the Next Step button.
17. On the Verify Provider Information screen, click the Create button.
18. In the left-hand menu, click Roles.
19. Click the Create Role button.
20. Select SAML 2.0 federation as the type of trusted entity.
21. Select the identity provider you just created from the SAML Provider drop-down menu.
22. Select the Allow programmatic and AWS Management Console Access option.
23. Click the Permissions button.
24. On the permissions page, select the policy or policies you want to be accessible via SDO access.
25. Click the Tags button.
26. Tags are optional. After adding any tags, or to skip them, click the Review button.
27. The Review page shows a summary of the new role. Click the Create role button to finish.
28. Click the name of the role you just created to open its Role Summary page. Copy the Role ARN listed in the summary; it will be entered in the Control Panel.
29. Click Identity Providers in the left-hand menu, and then click the identity provider you just created to open its Identity Provider Summary page. Copy the Provider ARN listed in the summary; it will be entered in the Control Panel.
30. Return to the Control Panel tab in your browser.
31. Click on the Configuration tab.
32. Enter the Role ARN you copied in step 28 and the Provider ARN you copied in step 29.
33. Click the Save button.

SDO has now been set up for Amazon Web Services for the selected domain.
Accessing the Amazon Web Services console with SDO Authentication
Users can now log into the Amazon Web Services console by opening the AWS Login URL for your account. This URL can be found within the Control Panel, using the following steps:
- In the Control Panel, click on My Services in the left-hand menu.
- Click on the Secret Double Octopus vendor band to expand it.
- Under the expanded vendor band, click on the Services tab.
- Click on the Edit button for Amazon Web Services.
- Click on the Service Metadata tab.
- Locate the Login URL. This URL is specific to your account. All users who have been granted SDO access to AWS should use this URL to access the AWS Console.
Users can also view the AWS Login URL in their User Dashboard upon logging into the Control Panel.