Set up single sign-on access to your applications - AWS IAM Identity Center

IAM Identity Center supports two application types: AWS managed applications and customer managed applications.

AWS managed applications are configured directly from within the relevant application consoles or through the application APIs.

Customer managed applications must be added to the IAM Identity Center console and configured with the appropriate metadata for both IAM Identity Center and the service provider. You can choose from a catalog of commonly used applications that support SAML 2.0, or you can set up your own SAML 2.0 applications or OAuth 2.0 applications.

The configuration steps for setting up single sign-on access to applications vary based on the application type.

AWS managed applications such as Amazon Managed Grafana and Amazon Monitron integrate with IAM Identity Center and can use it for authentication and directory services. To set up an AWS managed application to work with IAM Identity Center, you must configure the application directly from the console for the applicable service, or you must use the application APIs.

You can select a SAML 2.0 application from a catalog of commonly used applications in the IAM Identity Center console. Use this procedure to set up a SAML 2.0 trust relationship between IAM Identity Center and your application's service provider.

To set up an application from the application catalog
  1. Open the IAM Identity Center console.

  2. Choose Applications.

  3. Choose the Customer managed tab.

  4. Choose Add application.

  5. On the Select application type page, under Setup preference, choose I want to select an application from the catalog.

  6. Under Application catalog, start typing the name of the application that you want to add in the search box.

  7. Choose the name of the application from the list when it appears in the search results, and then choose Next.

  8. On the Configure application page, the Display name and Description fields are prepopulated with relevant details for the application. You can edit this information.

  9. Under IAM Identity Center metadata, do the following:

    1. Under IAM Identity Center SAML metadata file, choose Download to download the identity provider metadata.

    2. Under IAM Identity Center certificate, choose Download certificate to download the identity provider certificate.

    Note

    You will need these files later when you set up the application from the service provider's website. Follow the instructions from that provider.

  10. (Optional) Under Application properties, you can specify the Application start URL, Relay state, and Session duration. For more information, see Configure application properties in the IAM Identity Center console.

  11. Under Application metadata, do one of the following:

    1. If you have a metadata file, choose Upload application SAML metadata file. Then, select Choose file to find and select the metadata file.

    2. If you don't have a metadata file, choose Manually type your metadata values, and then provide the Application ACS URL and Application SAML audience values.

  12. Choose Submit. You're taken to the details page of the application that you just added.

Use this procedure to set up a SAML 2.0 trust relationship between IAM Identity Center and the service provider of a SAML 2.0 application that is not in the catalog. Before you begin, make sure that you have the service provider's certificate and metadata (at minimum, its ACS URL and its SAML audience, which is the application's entityID), obtained from the provider over a channel you trust, so that you can finish setting up the trust.

To set up your own SAML 2.0 application
  1. Open the IAM Identity Center console.

  2. Choose Applications.

  3. Choose the Customer managed tab.

  4. Choose Add application.

  5. On the Select application type page, under Setup preference, choose I have an application I want to set up.

  6. Under Application type, choose SAML 2.0.

  7. Choose Next.

  8. On the Configure application page, under Configure application, enter a Display name for the application, such as MyApp. Then, enter a Description.

  9. Under IAM Identity Center metadata, do the following:

    1. Under IAM Identity Center SAML metadata file, choose Download to download the identity provider metadata.

    2. Under IAM Identity Center certificate, choose Download to download the identity provider certificate.

    Note

    You will need these files later when you set up the custom application from the service provider's website.

  10. (Optional) Under Application properties, you can also specify the Application start URL, Relay state, and Session duration. For more information, see Configure application properties in the IAM Identity Center console.

  11. Under Application metadata, choose Manually type your metadata values. Then, provide the Application ACS URL and Application SAML audience values.

  12. Choose Submit. You're taken to the details page of the application that you just added.
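Both procedures above end with the same exchange: you download the IAM Identity Center metadata and certificate (step 9) and hand the service provider's ACS URL and SAML audience back to IAM Identity Center (step 11). The following is an added example, not code from the AWS documentation or from IAM Identity Center, that does the two checks a practitioner wants before completing that exchange: it parses the downloaded IdP metadata for the entityID, SSO endpoints and signing certificate, confirms that the separately downloaded certificate file matches the certificate embedded in the metadata, and builds the SP metadata document (entityID = Application SAML audience, AssertionConsumerService = Application ACS URL) that you would otherwise type by hand. The metadata, entityID, endpoints and certificate bytes are constructed placeholders, and `https://app.example.com/...` is an assumed application; a real download carries your instance's actual values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
MD = "{" + NS["md"] + "}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the IdP metadata file from step 9a. The entityID and
# endpoints are example values; the certificate is a placeholder blob, not X.509.
FAKE_DER = b"constructed placeholder, not a real DER certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
IDP_ENTITY_ID = "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLEID"
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data><ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="{IDP_ENTITY_ID}"/>
    <md:SingleSignOnService Binding="{POST}" Location="{IDP_ENTITY_ID}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Constructed stand-in for the certificate file from step 9b (same placeholder key).
IDP_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the trust-relevant values from IdP metadata. The file comes from
    the console download, so stdlib ElementTree is acceptable; for metadata
    fetched from a URL, parse with defusedxml instead."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((c.text or "").split())))
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs,
            "want_authn_requests_signed":
                idp.get("WantAuthnRequestsSigned", "false").lower() == "true"}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form most SP consoles display."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def pem_to_der(pem: str) -> bytes:
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    return base64.b64decode("".join(body))


def check_idp_trust(metadata_xml: str, cert_pem: str) -> list:
    """Return a list of problems; empty means the two downloads agree and the
    metadata has what a service provider needs to build the trust."""
    idp = parse_idp_metadata(metadata_xml)
    problems = []
    if not idp["entity_id"]:
        problems.append("missing entityID")
    if POST not in idp["sso"] and REDIRECT not in idp["sso"]:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService")
    for binding, loc in idp["sso"].items():
        if not (loc or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https")
    if not idp["signing_certs"]:
        problems.append("no signing certificate in the metadata")
    elif fingerprint(pem_to_der(cert_pem)) not in {fingerprint(c) for c in idp["signing_certs"]}:
        problems.append("downloaded certificate does not match a signing certificate in the metadata")
    return problems


def build_sp_metadata(sp_entity_id: str, acs_url: str) -> str:
    """SP metadata for step 11: entityID is the Application SAML audience and the
    AssertionConsumerService Location is the Application ACS URL. Assertions
    carry the user's identity, so an http ACS URL is rejected outright."""
    if not acs_url.startswith("https://"):
        raise ValueError("ACS URL must be https")
    ET.register_namespace("md", NS["md"])
    root = ET.Element(MD + "EntityDescriptor", entityID=sp_entity_id)
    sp = ET.SubElement(root, MD + "SPSSODescriptor", AuthnRequestsSigned="false",
                       WantAssertionsSigned="true",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    ET.SubElement(sp, MD + "NameIDFormat").text = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    ET.SubElement(sp, MD + "AssertionConsumerService", Binding=POST, Location=acs_url,
                  index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("problems:", check_idp_trust(IDP_METADATA, IDP_CERT_PEM))
    print(fingerprint(pem_to_der(IDP_CERT_PEM)))
    print(build_sp_metadata("https://app.example.com/saml/metadata", "https://app.example.com/saml/acs"))
```

Run the script against the two files you downloaded in step 9 (substitute their contents for the constructed constants) before pasting anything into the service provider's console; the fingerprint it prints is what you compare against the certificate the provider shows after import. The SP metadata it emits sets WantAssertionsSigned to true, which is the setting you want on the provider side regardless of how you enter the ACS URL and audience in step 11.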

After you have set up your applications, your users can access your applications from within their AWS access portal based on the permissions that you assigned.

If you have customer managed applications that support OAuth 2.0 and your users need access from these applications to AWS services, you can use trusted identity propagation. With trusted identity propagation, a user signs in to an application, and that application can pass the user's identity in requests to access data in AWS services. For more information, see Using trusted identity propagation with customer managed applications.

For more information about supported application types, see Manage access to applications.