Integrate with Amazon Business
Support level: Community
What is Amazon Business?
Amazon Business is Amazon's procurement platform for organizations, providing managed purchasing, approval workflows, and analytics across Amazon's marketplace.
Preparation
The following placeholders are used in this guide:
authentik.company is the FQDN of the authentik installation.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
Download the Amazon Business metadata file
Download the SAML metadata file from Amazon Business before creating the authentik provider.
- Log in to the Amazon Business admin console as an administrator and click Business Settings under Hello, "Your Name".
- Under System integrations, select Single Sign-On (SSO).
- In the Amazon Business SSO setup workflow, select Other as the identity provider and provide a descriptive name for the identity provider, such as authentik.
- Select the default group and default buying role for users that Amazon Business creates through Just-In-Time (JIT) provisioning.
- Download the Amazon_SP_Metadata.xml file from the Amazon connection data page. You will upload this file to authentik in the next section.
authentik configuration
To support the integration of Amazon Business with authentik, you need to create an application/provider pair in authentik.
authentik 2026.5 introduces changes to how the SAML provider behaves. Specifically, the provider now automatically sets the Issuer value to: https://authentik.company/application/saml/<application_slug>/metadata/
Older versions of authentik set this value to authentik by default. If you're running an older version, please set Issuer to https://authentik.company/application/saml/<application_slug>/metadata/, where <application_slug> is the slug that you selected for the application.
Create an application and provider
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
  - Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the application Slug because it is used in authentik's SAML issuer URL.
  - Choose a Provider type: select SAML Provider from Metadata as the provider type.
  - Configure the Provider: provide a name, select the authorization and invalidation flows to use for this provider, and upload the Amazon_SP_Metadata.xml file as Metadata.
  - Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Click Submit to save the new application and provider.
- Navigate to Applications > Providers and click the Edit icon of the newly created Amazon Business provider.
- Under Advanced protocol settings, configure the following settings:
  - Set an available Signing Certificate.
  - Toggle on Sign responses.
  - Under Property mappings, remove every entry from Selected User Property Mappings except authentik default SAML Mapping: Name and authentik default SAML Mapping: Email.
  - Set NameID Property Mapping to authentik default SAML Mapping: Email.
- Click Update.
Download the authentik metadata file
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Providers and click the newly created Amazon Business provider.
- Under Related objects > Metadata, click Download. This metadata file will be required in the next section.
Amazon Business configuration
Return to the Amazon Business SSO setup workflow to complete the configuration.
- Set Encrypted SAML assertions to Off.
- In Connection data, upload the authentik metadata file that you downloaded.
- If Amazon Business prompts for an attribute statement file, skip the upload and configure the attributes manually.
- In Attribute mapping, map the following Amazon Business fields to authentik's SAML attribute names:
  - Email address: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  - Full Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  - Unique identifier: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Confirm that Amazon Business metadata has been configured in authentik.
- Click Start testing. A new window opens where you can test SSO with a user that has access to the Amazon Business application in authentik.
- After a successful test, click Activate, confirm that testing is complete, and switch SSO to active.
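The following script is an added example, not part of authentik or of this guide. It encodes the settings this page asks for (the Issuer URL built from the application slug, a signature on the SAML response, no assertion encryption, the three Amazon Business attribute mappings, and a NameID equal to the email attribute) as checks over an IdP metadata file and a SAML response, so you can confirm what authentik actually emits before switching SSO to active. The FQDN authentik.company, the slug amazon-business, and the user jane@authentik.company are assumptions; both XML documents are constructed for the demonstration. It only checks that a Signature element is present, not that the signature is valid, which needs a SAML library and the signing certificate.

```python
"""Check an IdP metadata file and a SAML response against the Amazon Business
SAML settings described on this page.  Added example, not authentik code.
Both sample documents below are constructed for the demonstration."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Amazon Business field -> SAML attribute name, as listed in the guide.
AMAZON_ATTRIBUTE_MAP = {
    "Email address": CLAIMS + "emailaddress",
    "Full Name": CLAIMS + "name",
    "Unique identifier": CLAIMS + "emailaddress",
}


def expected_issuer(fqdn: str, slug: str) -> str:
    """Issuer value authentik 2026.5+ sets for an application slug."""
    return f"https://{fqdn}/application/saml/{slug}/metadata/"


def metadata_entity_id(metadata_xml: str) -> str:
    """entityID of the IdP metadata; must equal the Issuer."""
    return ET.fromstring(metadata_xml).get("entityID", "")


def check_response(response_xml: str, fqdn: str, slug: str) -> dict:
    """Return {'ok', 'problems', 'attributes'} for one SAML response."""
    root = ET.fromstring(response_xml)
    problems = []
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or issuer.text != expected_issuer(fqdn, slug):
        problems.append("response Issuer does not match the expected metadata URL")
    # "Sign responses" is on: the Response element itself carries a Signature.
    if root.find("ds:Signature", NS) is None:
        problems.append("response is not signed")
    # Amazon Business side has Encrypted SAML assertions = Off.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted but Amazon Business expects plaintext")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext assertion found")
        return {"ok": False, "problems": problems, "attributes": {}}
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text or "" for v in attr.findall("saml:AttributeValue", NS)
        ]
    for field, name in AMAZON_ATTRIBUTE_MAP.items():
        if not attrs.get(name):
            problems.append(f"missing attribute for {field}: {name}")
    # NameID Property Mapping is the Email mapping, so NameID == emailaddress.
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    email = (attrs.get(CLAIMS + "emailaddress") or [None])[0]
    if nameid is None or nameid.text != email:
        problems.append("NameID does not equal the emailaddress attribute")
    return {"ok": not problems, "problems": problems, "attributes": attrs}


# Constructed sample metadata (assumed FQDN authentik.company, slug amazon-business).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://authentik.company/application/saml/amazon-business/metadata/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed sample response; the signature value is a placeholder, not a real one.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>https://authentik.company/application/saml/amazon-business/metadata/</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jane@authentik.company</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane@authentik.company</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>Jane Doe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    exp = expected_issuer("authentik.company", "amazon-business")
    print("metadata entityID matches Issuer:", metadata_entity_id(SAMPLE_METADATA) == exp)
    print(check_response(SAMPLE_RESPONSE, "authentik.company", "amazon-business"))
```

To run it against real output, replace SAMPLE_METADATA with the metadata downloaded from the provider's Related objects page and SAMPLE_RESPONSE with the decoded SAMLResponse captured from the browser during the Amazon Business Start testing step; any entry in the problems list points at one of the settings above that was left at its default.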
Configuration verification
To confirm that authentik is properly configured with Amazon Business, open Amazon Business and sign in with an email address that belongs to the SSO-enabled account. You should be redirected to authentik to log in, and then redirected back to Amazon Business.