Using an external identity provider to manage user access - Amazon Q Business

Using an external identity provider to manage user access

During Preview, Amazon Q Business offered two ways to configure end user access to an application:

  • Using IAM Identity Center as a gateway to manage Amazon Q application users.

  • Using an external identity provider directly for user access management.

When Amazon Q Business is generally available, starting April 30, 2024, all new applications will need to use IAM Identity Center as a gateway for managing user access. No new applications can be created using the legacy identity management flow. All existing Amazon Q applications will need to migrate to using IAM Identity Center for user management by July 31, 2024. We recommend you integrate any new application you're creating directly with IAM Identity Center.

For applications using legacy identity management, Amazon Q Business requires that you integrate your web experience with an identity provider (IdP) that's compliant with SAML 2.0. This integration is required so that only authorized end users from within your organization have access to your content. Amazon Q Business can work with any IdP that's compliant with SAML 2.0. Amazon Q uses service-initiated single sign-on (SSO) to authenticate users. IdP-initiated SSO is not supported.

This section is a guide to creating, configuring, and managing legacy identity management applications.