User Authentication Workflow

When users authenticate to Stax via the Console or stax2aws, a similar flow occurs whether or not Single Sign-On is configured.

For general information, see About Identity and Access.

Console Authentication

[Figure: Stax user authentication flow - Console]

When logging in to Stax or a Stax-managed AWS account via the Stax Console at the appropriate URL for a given Stax Installation Region, visitors are first prompted to enter an organization alias. Once the organization alias has been submitted and validated, they are redirected to the Stax Identity Service in the tenancy's security account.

If SSO is configured, a Continue with Corporate ID button is visible alongside the username and password credential boxes. If the visitor chooses to use their Corporate ID (Single Sign-On credential) to authenticate, they're taken to the corporate IdP, which validates their identity before asserting an identity back to the Stax Identity Service.

If SSO is not configured, or the user chooses to use a credential which is stored within the Stax Identity Service, they're prompted to enter a username and password, and optionally to complete Multi-Factor Authentication.

Once the visitor's identity has been validated, they're authenticated by the Stax Identity Service and redirected to the Stax Console.

Command Line Authentication with stax2aws

[Figure: Stax user authentication flow - stax2aws]

When logging in to a Stax-managed AWS account using stax2aws at the command line, visitors must provide at least the Stax Installation Region and organization alias for the desired Stax tenancy.

After validating the Stax Installation Region and organization alias, stax2aws returns a URL. Visiting this URL allows the visitor to authenticate.

If SSO is configured, a Continue with Corporate ID button is visible alongside the username and password credential boxes. If the visitor chooses to use their Corporate ID (Single Sign-On credential) to authenticate, they're taken to the corporate IdP, which validates their identity before asserting an identity back to the Stax Identity Service.

If SSO is not configured, or the user chooses to use a credential which is stored within the Stax Identity Service, they're prompted to enter a username and password, and optionally to complete Multi-Factor Authentication.

Once the visitor's identity has been validated, they're authenticated by the Stax Identity Service and stax2aws will update momentarily, returning valid short-term AWS IAM credentials.