Enable single sign-on access to your AWS applications (Application admin role) - AWS IAM Identity Center


This use case provides guidance if you're an application administrator who manages AWS managed applications such as Amazon SageMaker or AWS IoT SiteWise, and you must provide single sign-on access to your users.

Before you get started, consider the following:

  • Do you want to create a test or production environment in a separate organization in AWS Organizations?

  • Is IAM Identity Center already enabled in your organization? Do you have permissions to enable IAM Identity Center in the management account of AWS Organizations?

Review the following guidance to determine next steps based on your business needs.

Configure my AWS application in a standalone AWS account

If you must provide single sign-on access to an AWS application and know that your IT department does not yet use IAM Identity Center, you might need to create a standalone AWS account to get started. By default, when you create your own AWS account, you'll have the permissions that you require to create and manage your own AWS organization. To enable IAM Identity Center, you must have AWS account root user permissions.

IAM Identity Center and AWS Organizations can be enabled automatically during setup for some AWS applications (for example, Amazon Managed Grafana). If your AWS application doesn't provide the option to enable these services, you must set up AWS Organizations and IAM Identity Center before you can provide single sign-on access to your application.

IAM Identity Center isn't configured in my organization

In your role as an application administrator, you might not be able to enable IAM Identity Center, depending on your permissions. IAM Identity Center requires specific permissions in the AWS Organizations management account. In this case, contact the appropriate administrator to have IAM Identity Center enabled in the Organizations management account.

If you do have sufficient permissions to enable IAM Identity Center, do this first, then proceed with the application setup. For more information, see Get started with common tasks in IAM Identity Center.

IAM Identity Center is currently configured in my organization

In this scenario, you can continue to deploy your AWS application without taking any further action.

Note

If your organization enabled IAM Identity Center in the management account before November 25th, 2019, you must also enable AWS managed applications in the management account and optionally in the member accounts. If you enable them in the management account only, you can enable them in member accounts later. To enable these applications, choose Enable access in the AWS managed applications section of the IAM Identity Center console's Settings page. For more information, see Configuring IAM Identity Center to share identity information.
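A preflight check that maps an account onto the three scenarios above (standalone account, Identity Center not configured, Identity Center already configured). This is an added example, not part of the AWS documentation; it assumes AWS CLI v2 with credentials for the account in question and is run in the Region where IAM Identity Center is (or will be) enabled. The function and message names are the example's own.

```shell
#!/bin/sh
# Preflight check for the three scenarios on this page. It uses only
# AWS CLI commands that exist today: sts get-caller-identity,
# organizations describe-organization and sso-admin list-instances.
# IAM Identity Center is a single-Region service, so run this in the
# Region where it is enabled; otherwise ListInstances reports nothing.
set -u

# Map the gathered facts onto the page's guidance.
#   $1  number of IAM Identity Center instances visible in this Region
#   $2  account ID of the caller
#   $3  management account ID of the organization ("" if no organization)
idc_next_step() {
  instances=$1; caller=$2; mgmt=$3
  if [ "$instances" -gt 0 ]; then
    # Organizations that enabled Identity Center before November 25th, 2019
    # may still need "Enable access" for AWS managed applications (see Note).
    echo "configured: deploy the application; no further Identity Center action needed"
  elif [ -z "$mgmt" ]; then
    echo "no-organization: set up AWS Organizations and IAM Identity Center first"
  elif [ "$caller" = "$mgmt" ]; then
    echo "management-account: enable IAM Identity Center here, then set up the application"
  else
    echo "member-account: ask the administrator of account $mgmt to enable IAM Identity Center"
  fi
}

# Gather the facts with the AWS CLI. Each call is a real AWS CLI v2 command.
idc_preflight() {
  caller=$(aws sts get-caller-identity --query Account --output text) || return 1
  # DescribeOrganization may be called from a member account; it fails when
  # the account belongs to no organization, which we record as an empty ID.
  mgmt=$(aws organizations describe-organization \
           --query Organization.MasterAccountId --output text 2>/dev/null) || mgmt=""
  # ListInstances returns the Identity Center instance in this Region, if any.
  instances=$(aws sso-admin list-instances \
                --query 'length(Instances)' --output text 2>/dev/null) || instances=0
  idc_next_step "$instances" "$caller" "$mgmt"
}

# Invoke as: sh idc_preflight.sh run   (sourcing the file only defines the functions)
if [ "${1:-}" = "run" ]; then
  idc_preflight
fi
```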