What is IAM Identity Center?

AWS IAM Identity Center is the recommended AWS service for managing human user access to AWS resources. It is a single place where you can assign your workforce users, also known as workforce identities, consistent access to multiple AWS accounts and applications.

With IAM Identity Center, you can create or connect workforce users and centrally manage their access across all their AWS accounts and applications. You can use multi-account permissions to assign your workforce users access to AWS accounts. You can use application assignments to assign your users access to AWS managed and customer managed applications.

Note

Although the service name AWS Single Sign-On has been retired, the term single sign-on is still used throughout this guide to describe the authentication scheme that allows users to sign in one time to access multiple applications and websites.

IAM Identity Center capabilities

IAM Identity Center includes the following core capabilities and features:

Manage workforce identities

Human users who build or operate workloads in AWS are also known as workforce users, or workforce identities. Workforce users are employees or contractors who you allow to access AWS accounts in your organization and internal business applications. These individuals might be developers who build your internal and customer-facing systems, or users of internal database systems and applications. You can create workforce users and groups in IAM Identity Center, or connect and synchronize to an existing set of users and groups in your own identity source for use across all your AWS accounts and applications. For more information, see Manage your identity source.

Manage instances of IAM Identity Center

IAM Identity Center supports two types of instances: organization instances and account instances. An organization instance is the best practice: it is the only instance type that lets you manage access to AWS accounts, and it is recommended for all production use of applications. An organization instance is deployed in the AWS Organizations management account and gives you a single point from which to manage user access across the AWS environment.

Account instances are bound to the AWS account in which they are enabled. Use account instances of IAM Identity Center only to support isolated deployments of select AWS managed applications. For more information, see Manage organization and account instances of IAM Identity Center.

Manage access to multiple AWS accounts

With multi-account permissions, you can plan for and centrally implement permissions across multiple AWS accounts at one time without needing to configure each of your accounts manually. You can create permissions based on common job functions or define custom permissions that meet your security needs. You can then assign those permissions to workforce users to control their access over specific accounts.

This optional feature is available only for organization instances. If you're using per-account IAM role management in your environment, both systems can coexist. If you want to try multi-account permissions, you can start by implementing this system on a limited basis and migrate more of your environment to use this system over time.
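As an added example (not part of this guide), the following CloudFormation template shows the multi-account pattern described above with the AWS::SSO resource types: one job-function permission set is defined once and then assigned to a workforce group in a single member account, with one further Assignment per additional account instead of per-account IAM role configuration. The instance ARN, group ID and account ID are placeholders you would replace with values from your own environment.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Constructed example: a job-function permission set (read-only auditing)
  assigned to one workforce group in one member account.

Parameters:
  InstanceArn:
    Type: String
    Description: ARN of the organization instance (placeholder)
    Default: arn:aws:sso:::instance/ssoins-EXAMPLE0123456789
  AuditorsGroupId:
    Type: String
    Description: Identity store ID of the Auditors group (placeholder)
    Default: 00000000-0000-0000-0000-000000000000
  TargetAccountId:
    Type: String
    Description: Member account the group may access (placeholder)
    Default: "111122223333"

Resources:
  # Permissions defined once by job function: the AWS managed ReadOnlyAccess
  # policy plus an inline deny so auditors cannot read S3 object contents.
  AuditorPermissionSet:
    Type: AWS::SSO::PermissionSet
    Properties:
      InstanceArn: !Ref InstanceArn
      Name: Auditor
      Description: Read-only access for compliance review
      SessionDuration: PT4H   # ISO 8601; short sessions limit credential lifetime
      ManagedPolicies:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      InlinePolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Action: s3:GetObject
            Resource: "*"

  # The assignment binds the permission set to a group in one specific account.
  # Add one Assignment resource per additional account that the group needs.
  AuditorAssignment:
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref InstanceArn
      PermissionSetArn: !GetAtt AuditorPermissionSet.PermissionSetArn
      PrincipalType: GROUP
      PrincipalId: !Ref AuditorsGroupId
      TargetType: AWS_ACCOUNT
      TargetId: !Ref TargetAccountId
```

Deploy the stack from the Organizations management account (where the organization instance lives); changing the permission set later updates every account it is assigned to.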

Manage access to applications

IAM Identity Center enables you to simplify application access management. With IAM Identity Center, you can grant your workforce users in IAM Identity Center single sign-on access to applications.

AWS managed applications

AWS provides applications such as Amazon Redshift, Amazon Managed Grafana, and Amazon Monitron that integrate with IAM Identity Center. These applications can use IAM Identity Center for authentication, directory services, and trusted identity propagation. Your users benefit from a consistent single sign-on experience, and because the applications share a common view of users, groups, and group membership, users also have a consistent experience when sharing application resources with others. You can configure AWS managed applications to work with IAM Identity Center directly from within the relevant application consoles or through the APIs.

Customer managed applications

You can grant your workforce users in IAM Identity Center single sign-on access to applications that support identity federation with SAML 2.0. Many commonly used SAML 2.0 applications, such as Salesforce and Microsoft 365, work with IAM Identity Center and are available in the application catalog in the IAM Identity Center console. This is an optional feature that can be helpful if you use such applications and you create your users and groups in IAM Identity Center, or you use Microsoft Active Directory Domain Services as your identity source.

Trusted identity propagation across applications

Trusted identity propagation provides a streamlined single sign-on experience for users of query tools and business intelligence (BI) applications who require access to data in AWS services. Data access management is based on a user's identity, so administrators can grant access based on users' existing user and group memberships. User access to AWS services and other events is recorded in service-specific logs and in CloudTrail events, so that auditors know what actions the users took and which resources the users accessed.

AWS access portal access for your users

The AWS access portal is a simple web portal that provides your users with seamless access to all their assigned AWS accounts and applications.

IAM Identity Center rename

On July 26, 2022, AWS Single Sign-On was renamed to AWS IAM Identity Center. For existing customers, the following table lists some of the more common terms that were updated throughout this guide as a result of the rename.

Legacy term                              | Current term
AWS SSO user or SSO user                 | workforce user or user
AWS SSO user portal or user portal       | AWS access portal
AWS SSO-integrated applications          | AWS managed applications
AWS SSO directory                        | Identity Center directory
AWS SSO store or AWS SSO identity store  | identity store used by IAM Identity Center

The following table lists the user guide, developer guide, and API reference name changes that also took place as a result of this rename.

Legacy guide                                            | Current guide
AWS Single Sign-On User Guide                           | IAM Identity Center User Guide
AWS Single Sign-On SCIM Implementation Developer Guide  | IAM Identity Center SCIM Implementation Developer Guide
AWS Single Sign-On API Reference Guide                  | IAM Identity Center API Reference
AWS Single Sign-On Identity Store API Reference Guide   | Identity Store API Reference
AWS Single Sign-On OIDC API Reference Guide             | IAM Identity Center OIDC API Reference
AWS Single Sign-On Portal API Reference Guide           | IAM Identity Center Portal API Reference

Legacy namespaces remain the same

The sso and identitystore API namespaces, along with the following related namespaces, remain unchanged for backward compatibility.