Centralize your team’s access to Unblocked by connecting it to AWS Identity Center.

Configure Single Sign-On

Follow the steps below to configure single sign-on for AWS Identity Center.
1

Go to the Unblocked SSO Settings

Navigate to the Settings section of the Unblocked web app. Under Team Settings, select Security. Locate the Single Sign-On section and click Configure.SSO Configuration
2

Create an AWS Identity Center application

From IAM Identity Center, navigate to the Applications tab, and click Add application.Add applicationUnder Setup preference, select I have an application I want to set up.Setup preferenceUnder Application type, select SAML 2.0.Application typeClick Next and enter Unblocked as the application name.Application name
3

Configure IAM Identity Center metadata

Copy the following information from the IAM Identity Center metadata section and paste it into Unblocked.
  • IAM Identity Center sign-in URL
  • IAM Identity Center SAML issuer URL
  • IAM Identity Center Certificate
Identity Center metadata
4

Application properties

Leave the Application properties section in AWS blank.
5

Configure Application metadata

Copy the following values from Unblocked into the Application metadata section in AWS identity center:
  • Application ACS URL
  • Application SAML audience
6

Configure attribute mappings

From the Actions menu, select Edit attribute mappings.Edit attribute mappingsThen enter the following mappings:
User attribute in UnblockedUser attribute in Identity CenterFormat
Subject${user.email}emailAddress
givenName${user.givenName}basic
familyName${user.familyName}basic
Enter attribute mappings
7

Assign Users

Assign users and groups to your AWS Identity Center application to grant them access to Unblocked.

Enforce SSO

Once SSO is configured, you can enforce its use for your team. This means all team members will be required to sign in using your SSO provider. There are two enforcement options:
  • SSO Only: Users will be required to sign in to Unblocked using SSO. You may need to sign in with SSO before enabling this option.
  • SSO, a Source Code System, or Slack: Users can sign in using either SSO, their source code system (e.g., GitHub, Bitbucket, or GitLab), or Slack.
SSO Enforcement Options

Allowed Email Domains

Verifying a domain ensures that users who enter an email address from that domain on the Unblocked sign-in page are automatically directed to your SSO login. This creates a seamless login experience and routes users through the correct authentication flow. You can add multiple domains to enable SSO login detection for users with different email addresses. To verify a domain:
1

Add Domain

Click Add Domain and enter the domain name you want to verify.
2

Verify Domain

Unblocked will prompt you to add a TXT record to your DNS settings to complete the verification.
Once the domain is verified, any user who enters an email address matching that domain on the Unblocked sign-in page will see the SSO login option for your SAML provider. Verifying a domain only controls the visibility of the SSO login option and does not automatically grant access to your Unblocked team. Access to Unblocked is still managed through user and group assignments in your identity provider (IdP). To help your users easily recognize Unblocked in their identity provider dashboard, download the Unblocked logo for use in your SSO application. Unblocked Logo