User name and email address uniqueness Groups User and group provisioning

Users, groups, and provisioning

Keep the following considerations in mind when you work with users and groups in IAM Identity Center.

User name and email address uniqueness

Users in IAM Identity Center must be uniquely identifiable. IAM Identity Center implements a user name that is the primary identifier for your users. Although most people set the user name equal to a user’s email address, IAM Identity Center and the SAML 2.0 standard do not require this . However, many SAML 2.0-based applications use an email address as the unique identifier for users. These applications obtain this information from assertions that a SAML 2.0 identity provider sends during authentication. Such applications depend on the uniqueness of email addresses for each user. For this reason, IAM Identity Center allows you to specify something other than an email address for user sign-in. IAM Identity Center requires that all user names and email addresses for your users are non-NULL and unique.

Groups

Groups are a logical combination of users that you define. You can create groups and add users to the groups. IAM Identity Center does not support adding a group to a group (nested groups). Groups are useful when assigning access to AWS accounts and applications. Rather than assign each user individually, you give permissions to a group. Later, as you add or remove users from a group, the user dynamically gets or loses access to accounts and applications that you assigned to the group.

User and group provisioning

Provisioning is the process of making user and group information available for use by IAM Identity Center and AWS managed applications or customer managed applications. You can create users and groups directly in IAM Identity Center, or work with users and groups you have in Active Directory or an external identity provider. Before you can use IAM Identity Center to assign users and groups access permissions in an AWS account, IAM Identity Center must be aware of the users and groups. Similarly, AWS managed applications and customer managed applications can work with users and groups of which IAM Identity Center is aware.

Provisioning in IAM Identity Center varies based on the identity source that you use. For more information, see Manage your identity source.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Enable single sign-on access to your Amazon EC2 Windows instances

Manage your identity source