AWS SAML CLI Tools (saml2aws, aws-sso)
SAML auth for AWS CLI.
saml2aws
AWS SAML CLI tools turn SAML federation into AWS CLI access. Engineers authenticate via SAML; the tool produces short-lived AWS credentials; the AWS CLI works without static credentials. The discipline is using these tools rather than long-lived IAM user access keys.
What saml2aws provides:
- Open-source CLI for SAML providers: saml2aws supports Okta, OneLogin, ADFS, Ping, and many other SAML providers. The team's identity provider is likely supported, so the integration is bounded effort.
- Caches credentials: saml2aws caches the produced credentials. Subsequent CLI commands use the cached credentials; re-authentication happens only when the credentials expire.
- Works with most IdPs: The broad provider support is the value. Teams switching identity providers can keep saml2aws; the tool is provider-agnostic.
- MFA support: SAML providers' MFA flows are supported. The CLI prompts for the MFA code; the discipline includes MFA without sacrificing CLI usability.
- Multi-account: saml2aws supports multiple AWS accounts. The team's accounts are configured; the engineer chooses which to authenticate to; the per-account credentials are tracked.
saml2aws is the open-source choice. The broad provider support makes it widely applicable.
aws-sso
For teams using AWS IAM Identity Center (formerly AWS SSO), the native CLI integration is tighter: it handles the AWS-specific flow, and some operations are simpler.
- AWS native solution for AWS SSO: The aws-sso CLI handles AWS Identity Center integration. The team's SSO configuration is supported natively; the integration is tight.
- Tighter integration if you use AWS SSO: Teams using AWS Identity Center benefit from the native tooling. Specific AWS SSO features (permission set management, account groupings) integrate cleanly.
- aws sso login: The base aws CLI now includes SSO login. aws sso login authenticates; the credentials are cached; subsequent commands use them.
- aws sso logout: Logging out clears the cached credentials. The discipline includes logging out at the end of work; the credentials do not persist beyond the session.
- Profile-based: The configuration uses AWS CLI profiles. Existing profile-based workflows continue to work; the SSO integration is transparent to the rest of the AWS CLI usage.
aws-sso is the AWS-native option. Teams using IAM Identity Center benefit from the native tooling.
Flow
The flow is similar across tools. Authenticate once; CLI commands work for hours; re-authenticate as needed.
- Authenticate once: The engineer runs the authentication command once. The SAML or OIDC flow happens; credentials are produced and cached locally.
- CLI commands work for hours: The cached credentials are valid for the configured duration (typically 1-12 hours). The team's CLI commands work without re-auth during this window.
- Re-auth as needed: When the credentials expire, re-authentication is required. The engineer authenticates again; new credentials are cached; the flow continues.
- Predictable session length: The session length is configured. The engineer knows when re-auth is required; the team's discipline matches the workflow.
- Multiple shells: The cached credentials are accessible from multiple shells. The engineer's productivity is preserved across terminal windows; the cache is shared.
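An added example, not code from saml2aws, the AWS CLI, or this page: a Python audit of a local credentials file that separates cached SAML sessions from static IAM user keys and reports which cached sessions have expired, so the "re-auth as needed" check and the "no long-lived keys" discipline can be verified from the file itself. It assumes the ~/.aws/credentials INI layout and that the expiry is recorded under x_security_token_expires (the key saml2aws writes; treated as an assumption); the file contents below are constructed.

```python
import configparser
from datetime import datetime, timezone

# Constructed sample in ~/.aws/credentials layout (values are made up):
# a static IAM user key, a live cached SAML session, and an expired one.
SAMPLE_CREDENTIALS = """[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = EXAMPLESECRET
[saml-prod]
aws_access_key_id = ASIAEXAMPLEEXAMPLE02
aws_secret_access_key = EXAMPLESECRET
aws_session_token = EXAMPLETOKEN
x_security_token_expires = 2030-01-01T12:00:00Z
[saml-dev]
aws_access_key_id = ASIAEXAMPLEEXAMPLE03
aws_secret_access_key = EXAMPLESECRET
aws_session_token = EXAMPLETOKEN
x_security_token_expires = 2020-01-01T12:00:00Z
"""


def classify_profiles(ini_text, now=None):
    """Map profile -> 'long-lived', 'valid', 'expired' or 'unknown-expiry'.
    Assumes the expiry key is x_security_token_expires (what saml2aws writes).
    """
    now = now or datetime.now(timezone.utc)
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    result = {}
    for name in cfg.sections():
        sec = cfg[name]
        if "aws_session_token" not in sec:
            # No session token: a static IAM user key (AKIA prefix), the
            # kind of credential SAML/SSO tooling exists to replace.
            result[name] = "long-lived"
            continue
        expires = sec.get("x_security_token_expires")
        if not expires:
            result[name] = "unknown-expiry"
            continue
        exp = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        result[name] = "valid" if exp > now else "expired"
    return result


def needs_reauth(ini_text, profile, now=None):
    """True when the profile has no usable cached session (absent or expired)."""
    return classify_profiles(ini_text, now).get(profile) in (None, "expired")
```

Run it against the real file by replacing SAMPLE_CREDENTIALS with the contents of ~/.aws/credentials; any profile reported as long-lived is a static key that the tooling should have made unnecessary.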
Using AWS SAML CLI tools is one of those engineering disciplines that pays off in both better security and better usability. Nova AI Ops integrates with cloud identity events, surfaces patterns, and supports the team's identity-aware operations.