Customers use AWS IAM Identity Center (successor to AWS Single Sign-On) to manage single sign-on (SSO) for their AWS accounts. By doing so, the customer can use one place for workforce user and group access, and one place to manage AWS account access. AWS IAM Identity Center helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. IAM Identity Center is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type.
IAM Identity Center features
IAM Identity Center includes the following core features:
Workforce identities
Human users who are members of your organization are also known as workforce identities or workforce users. You can create workforce users and groups in IAM Identity Center. You can also connect and synchronize to an existing set of users and groups in your own identity source for use across all your AWS accounts and applications. Supported identity sources include Microsoft Active Directory Domain Services, and external identity providers such as Okta Universal Directory or Microsoft Azure AD.
Application assignments for SAML applications
With application assignments, you can grant your workforce users in IAM Identity Center SSO access to Security Assertion Markup Language (SAML) 2.0 applications, such as Salesforce and Microsoft 365. Your users can access these applications in a single place, without the need for you to set up federation separately.
Identity Center enabled applications
AWS applications and services — such as Amazon Managed Grafana, Amazon Monitron, and Amazon SageMaker Studio Notebooks — discover and connect to IAM Identity Center automatically to receive sign-in and user directory services. This feature provides users with a consistent SSO experience for these applications, with no additional application configuration. Because the applications share a common view of users, groups, and group membership, users can also have a consistent experience when they share application resources with others.
Multi-account permissions
With multi-account permissions, you can plan for and centrally implement IAM permissions across multiple AWS accounts at one time, without the need for you to configure each of your accounts manually. You can create fine-grained permissions based on common job functions, or define custom permissions that meet your security needs. You can then assign those permissions to workforce users to control their access over specific accounts.
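As an added illustration of multi-account permissions (example code, not from the AWS documentation page), the following CloudFormation template defines a permission set based on a common job function and assigns it to a workforce group in one account. The Identity Center instance ARN, the group's identity store ID and the target account ID are placeholders that you would replace with your own values.

```yaml
# Added example, not from the page: a CloudFormation template that builds one
# permission set from a job-function managed policy and assigns it to a
# workforce group in one account. The instance ARN, group ID and account ID
# below are placeholders, not real values.
AWSTemplateFormatVersion: "2010-09-09"
Description: Read-only permission set for an auditors group

Parameters:
  InstanceArn:
    Type: String
    Default: arn:aws:sso:::instance/ssoins-PLACEHOLDER   # placeholder
  AuditorsGroupId:
    Type: String
    Default: 00000000-0000-0000-0000-000000000000         # placeholder
  TargetAccountId:
    Type: String
    Default: "111111111111"                               # placeholder

Resources:
  # The permission set is the reusable definition: an AWS managed job-function
  # policy plus an inline Deny that narrows it, with a 4-hour session limit.
  AuditorPermissionSet:
    Type: AWS::SSO::PermissionSet
    Properties:
      InstanceArn: !Ref InstanceArn
      Name: AuditorReadOnly
      Description: Read-only access for auditors
      SessionDuration: PT4H
      ManagedPolicies:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      InlinePolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Action: secretsmanager:GetSecretValue
            Resource: "*"

  # The assignment binds principal, permission set and target account. Add one
  # assignment per account to roll the same permissions out across accounts.
  AuditorAssignment:
    Type: AWS::SSO::Assignment
    Properties:
      InstanceArn: !Ref InstanceArn
      PermissionSetArn: !GetAtt AuditorPermissionSet.PermissionSetArn
      PrincipalType: GROUP
      PrincipalId: !Ref AuditorsGroupId
      TargetType: AWS_ACCOUNT
      TargetId: !Ref TargetAccountId
```

Because the permission set is defined once and referenced by each assignment, changing the managed policies or the inline Deny updates access consistently in every account the group is assigned to.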
AWS access portal
The AWS access portal provides your workforce users with one-click access to all their assigned AWS accounts and cloud applications through a web portal.
For more information, see What is IAM Identity Center?