Enabling Single Sign-On

MCommunity procedure

  1. Create/Identify an MCommunity group for access to your AWS account.

    • Select the Owners must add members setting.
    • The name cannot contain spaces. Use - or . instead.
  2. Populate the group with the appropriate members.

    Tip: Consider having separate groups by role.

  3. Add the group to the master group.

    Tip: Often this is the registered group name with "master" appended.

AWS procedure

  1. Sign into the AWS IAM Console.
  2. Click Roles.
  3. Click Create New Role.
  4. Click Role for Identity Provider Access.
  5. Click Select next to Grant Web Single Sign-On (WebSSO) access to SAML providers.
  6. Change SAML provider to UM_PROD_SHIB.
  7. Click Next Step.
  8. Verify Role Trust and click Next Step.
  9. Select the most appropriate policy for the group’s use.

    Tip: Refer to the AWS IAM User Guide.

  10. Click Next Step.
  11. Enter the name of the MCommunity group as the Role Name.
  12. Provide a description.
  13. Click Next Step.
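As an added example for step 8 (Verify Role Trust), not from the original page: this Python builds the trust policy the console generates for WebSSO to a SAML provider and flags a role whose trust policy deviates from it (wrong provider ARN, extra actions, missing audience condition). The account ID is a constructed placeholder; the provider name UM_PROD_SHIB and the role-name rule come from the steps above.

```python
"""Check an IAM role's trust policy against the expected SAML federation shape."""
import re

# Audience AWS puts in the SAML assertion for sign-in via the AWS SAML endpoint.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_provider_arn(account_id: str, provider_name: str = "UM_PROD_SHIB") -> str:
    """ARN of the IAM SAML identity provider registered in the given account."""
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def build_trust_policy(account_id: str, provider_name: str = "UM_PROD_SHIB") -> dict:
    """Trust policy equivalent to the console's 'Grant WebSSO access to SAML providers'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn(account_id, provider_name)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def trust_policy_problems(policy: dict, account_id: str,
                          provider_name: str = "UM_PROD_SHIB") -> list:
    """Return findings for a trust policy; an empty list means it matches expectations."""
    expected = {"Federated": saml_provider_arn(account_id, provider_name)}
    problems = []
    statements = policy.get("Statement", [])
    if not statements:
        problems.append("trust policy has no statements")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow trust; they are not flagged here.
        principal = stmt.get("Principal")
        if principal != expected:  # catches wildcards, other accounts, other providers
            problems.append(f"unexpected principal: {principal!r}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if set(actions) != {"sts:AssumeRoleWithSAML"}:
            problems.append(f"unexpected actions: {actions!r}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            problems.append(f"missing or wrong SAML:aud condition: {aud!r}")
    return problems


def valid_role_name(name: str) -> bool:
    """Role name must equal the MCommunity group name: no spaces, IAM's character set, <= 64 chars."""
    return len(name) <= 64 and re.fullmatch(r"[A-Za-z0-9+=,.@_-]+", name) is not None
```

Run `trust_policy_problems` on the document returned by the IAM console or `get-role` for each federated role; any non-empty result is worth a second look before users are granted the role.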

Notes

  • The first time you log in, you may be asked to verify your relationship to the University.
  • MCommunity group names are unique, so consider prefixing the role name with your group name, for example mCloudDevelopers, mCloudDBAs, mCloudContainers.
  • Limit the policy to the most restrictive permissions the role needs.
  • The IAM sign-in link shortname is used as the Account name; it is shown in the IAM console.
Last Updated: Friday, October 6, 2017