AWS Identity and Access Management (IAM) Identity Center provides administrators with a unified experience for defining, customizing, and assigning fine-grained access. It offers workforce users a portal to access the AWS accounts and cloud applications assigned to them.
It is built on top of AWS IAM to simplify access management across multiple AWS accounts, Identity Center-enabled applications, and SAML-enabled cloud applications.
This is part of a series of articles about SSO.
Here are the main features of the IAM Identity Center:
Workforce identities
A workforce identity or user is a human user of the organization. IAM Identity Center lets you create workforce users and groups or connect to existing users and groups within an identity source, such as Microsoft Active Directory Domain Services and Microsoft Azure AD. You can use these identities across all AWS accounts and applications.
Application assignments for SAML applications
Application assignments let you grant workforce users single sign-on (SSO) access to SAML 2.0 applications such as Microsoft 365 and Salesforce. Identity Center-enabled applications go one step further: they receive sign-in and user directory services from IAM Identity Center automatically, so users get the same SSO experience without a separate SAML integration.
Multi-account permissions
This feature can help you plan for and centrally implement IAM permissions across several AWS accounts. It eliminates the need to manually configure each account and lets you create fine-grained permissions according to common job functions, define custom permissions, and assign them to workforce users.
AWS access portal
The AWS access portal enables workforce users to get one-click access to all their assigned AWS cloud applications and accounts via a simple web portal.
To make the most of these features, you should become familiar with the following concepts:
IAM Identity Center enables you to manage access to all AWS Organizations accounts, Identity Center-enabled applications, and various business applications that support the SAML 2.0 standard. Here is how it works:
Users
IAM Identity Center uses the user name as the primary identifier for workforce users. Neither IAM Identity Center nor the SAML standard requires the user name to be an email address, but many SAML-based applications do. To stay compatible with those applications, IAM Identity Center requires that every user's user name and email address be unique and non-NULL.
Groups
An IAM Identity Center group is a logical collection of users. You can create groups and add users to them, but nested groups (a group as a member of another group) are not supported. Groups save time because you assign access to AWS accounts and applications once, to the group, instead of to each individual.
Provisioning
Provisioning involves making user and group information available to the IAM Identity Center and various Identity Center-enabled applications. It provides IAM Identity Center with the information needed to assign users and groups access permissions in an AWS account.
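The user and group constraints above (unique, non-NULL user names and emails; no nested groups) are easy to violate when an export from an upstream directory is pushed into IAM Identity Center. The following is an added example, not code from the article or from AWS: it checks a provisioning batch offline before it is sent. The record layout is a constructed, simplified SCIM-style shape, and the field names (`userName`, `email`, `members`) are assumptions.

```python
# Added example (not from the article or AWS): offline checks for a provisioning
# batch before it is pushed to IAM Identity Center. The record layout is a
# constructed simplification of a SCIM-style export; field names are assumptions.
from collections import Counter


def validate_provisioning_batch(users, groups):
    """Return a list of problems; an empty list means the batch satisfies the
    constraints the article describes: unique, non-null user names and emails,
    and groups whose members are all users (no nested groups)."""
    problems = []

    # Non-null checks: a missing or blank user name / email is rejected by
    # IAM Identity Center, so catch it before the push.
    for u in users:
        for field in ("userName", "email"):
            if not (u.get(field) or "").strip():
                problems.append(f"user {u.get('id', '?')}: {field} is missing or empty")

    # Uniqueness checks, case-insensitive because most directories treat
    # ALICE@example.com and alice@example.com as the same principal.
    for field in ("userName", "email"):
        counts = Counter((u.get(field) or "").strip().lower() for u in users)
        for value, n in counts.items():
            if value and n > 1:
                problems.append(f"{field} {value!r} is used by {n} users")

    # Nested groups are not supported: every member must be a known user id.
    user_ids = {u["id"] for u in users}
    group_ids = {g["id"] for g in groups}
    for g in groups:
        for member in g.get("members", []):
            if member in group_ids:
                problems.append(f"group {g['displayName']}: nested group {member} is not supported")
            elif member not in user_ids:
                problems.append(f"group {g['displayName']}: unknown member {member}")
    return problems


# Constructed sample batch with three deliberate defects:
# an empty email, a duplicate email (differing only in case) and a nested group.
SAMPLE_USERS = [
    {"id": "u1", "userName": "alice", "email": "alice@example.com"},
    {"id": "u2", "userName": "bob", "email": "bob@example.com"},
    {"id": "u3", "userName": "bob2", "email": "Bob@example.com"},  # duplicate email
    {"id": "u4", "userName": "carol", "email": ""},                # empty email
]
SAMPLE_GROUPS = [
    {"id": "g1", "displayName": "Developers", "members": ["u1", "u2"]},
    {"id": "g2", "displayName": "Engineering", "members": ["g1", "u4"]},  # nested group
]

if __name__ == "__main__":
    for p in validate_provisioning_batch(SAMPLE_USERS, SAMPLE_GROUPS):
        print("REJECT:", p)
```

Run it on the real export before each SCIM sync; a non-empty result is cheaper to fix upstream than a half-applied batch in the identity store.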
IAM Identity Center can integrate with various AWS applications and services, allowing them to authenticate using the IAM Identity Center. IAM Identity Center provides an identity store to enable this capability. The store contains user and group attributes and excludes sign-in credentials.
IAM Identity Center supports identity federation with SAML 2.0, an industry standard for securely exchanging SAML assertions, which carry user information from an identity provider (IdP) to a service provider (SP). Those assertions are what give authorized users federated SSO access to the AWS access portal.
Once a user signs in to the AWS access portal, IAM Identity Center redirects this request to an authentication service according to the directory associated with the specified user email address. After the user is authenticated, they get SSO access to all AWS accounts and applications on the portal without additional sign-in requirements.
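To make the assertion exchange concrete, here is an added example (not code from the article or from AWS) of the checks a service provider applies to a SAML 2.0 assertion before trusting the user information in it: issuer, audience, validity window and subject. The assertion, issuer and audience URLs are constructed placeholders. XML signature verification is deliberately left out and must be done by the SAML library in a real deployment; this block only shows the content-level checks.

```python
# Added example (not from the article or AWS): content-level checks a service
# provider applies to a SAML 2.0 assertion. The assertion and URLs below are
# constructed placeholders. Signature verification is out of scope here.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse the UTC timestamp form SAML uses (e.g. 2024-05-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return (subject, problems). subject is None unless every check passes."""
    if isinstance(now, str):
        now = _ts(now)
    root = ET.fromstring(xml_text)
    problems = []

    # The issuer must be the IdP this SP was configured to trust.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"unexpected issuer {issuer!r}")

    # Time window and audience: an assertion minted for another SP, or replayed
    # after expiry, must not be accepted even if it is correctly signed.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if "NotBefore" in cond.attrib and now < _ts(cond.attrib["NotBefore"]):
            problems.append("assertion not yet valid")
        if "NotOnOrAfter" in cond.attrib and now >= _ts(cond.attrib["NotOnOrAfter"]):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append(f"audience {audiences} does not include this SP")

    # The subject identifies the user; attributes carry the rest of the profile.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        problems.append("missing NameID")
    attrs = {
        a.attrib.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
    }

    if problems:
        return None, problems
    return {"name_id": name_id, "attributes": attrs}, []


if __name__ == "__main__":
    subject, problems = check_assertion(
        SAMPLE_ASSERTION, "https://idp.example.test/metadata",
        "https://sp.example.test/saml", "2024-05-01T12:01:00Z")
    print(subject or problems)
```

The short NotOnOrAfter window in the sample is typical: an IdP issues assertions that are valid for minutes, and the SP's own session (here, the access portal session and the role sessions that follow) is what lasts longer.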
IAM Identity Center uses permission sets as templates: each one bundles one or more IAM policies so that access can be assigned to users and groups without hand-building roles. When you assign a permission set to a principal in an AWS account, IAM Identity Center creates an IAM Identity Center-controlled role in that account and attaches every policy the permission set specifies to it.
Follow these steps to get started with IAM Identity Center.
Your account must belong to an AWS organization. If it does not, you can create one by selecting Create AWS organization before enabling AWS IAM Identity Center.
To enable IAM Identity Center:
To create a set of permissions that grant administrative-level access:
Here you choose the identity source that determines the location where Identity Center will search for data about the AWS users and groups requiring SSO access. Once you choose the identity source, you may create or define users and assign administrator permissions to their AWS accounts.
An Identity Center directory is the identity source by default. To change the default identity source, connect to another directory. For example, AWS-managed Microsoft AD directories, external IdPs, and self-managed directories in Active Directory can all serve as identity sources in IAM Identity Center.
To configure access for an AWS administrative user, you can assign the user to the AdministratorAccess permission set using the following steps:
IAM Identity Center will create the corresponding IAM role when you configure AWS account access for an administrative user. IAM Identity Center controls this role, creating it within the appropriate AWS account and attaching the access policies from the administrator permission set.
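Because every permission set becomes a real IAM role in every account it is assigned to, it is worth reviewing a permission set's definition before it is created (whether through the console, the CLI or Terraform). The following is an added example, not code from the article or from AWS: it reviews permission-set definitions offline, flagging the administrator set from the procedure above and the two most common least-privilege mistakes in custom sets. The dict layout is a constructed simplification of a permission set's fields; the 12-hour upper bound on session duration and the `PT1H` default are stated as assumptions in the code.

```python
# Added example (not from the article or AWS): offline review of permission-set
# definitions before they are created. The dict layout is a constructed
# simplification of the fields a permission set carries.
import json
import re

ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
MAX_SESSION_SECONDS = 12 * 3600   # assumption: 12 hours is the upper bound Identity Center accepts
DEFAULT_SESSION = "PT1H"          # assumption: default session length when none is set
DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def session_seconds(iso_duration):
    """Parse the ISO 8601 duration form used for session length (e.g. PT8H, PT1H30M)."""
    m = DURATION_RE.match(iso_duration)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {iso_duration}")
    hours, minutes = (int(x) if x else 0 for x in m.groups())
    return hours * 3600 + minutes * 60


def _listify(v):
    return v if isinstance(v, list) else [v]


def grants_full_admin(statement):
    """True when a single statement allows every action on every resource."""
    return (
        statement.get("Effect") == "Allow"
        and "*" in _listify(statement.get("Action", []))
        and "*" in _listify(statement.get("Resource", []))
    )


def review_permission_set(ps):
    """Return a list of findings; an empty list means nothing to raise."""
    findings = []
    try:
        if session_seconds(ps.get("SessionDuration", DEFAULT_SESSION)) > MAX_SESSION_SECONDS:
            findings.append("session duration exceeds 12 hours")
    except ValueError as exc:
        findings.append(str(exc))

    # The administrator set is legitimate, but every account it is assigned to
    # gets a full-admin role, so its assignments deserve a second look.
    if ADMIN_MANAGED_POLICY in ps.get("ManagedPolicyArns", []):
        findings.append("attaches AdministratorAccess: assign only to break-glass principals")

    inline = ps.get("InlinePolicy")
    if inline:
        doc = json.loads(inline) if isinstance(inline, str) else inline
        if doc.get("Version") != "2012-10-17":
            findings.append("inline policy should declare Version 2012-10-17")
        for i, st in enumerate(_listify(doc.get("Statement", []))):
            if grants_full_admin(st):
                findings.append(f"inline statement {i} grants Action:* on Resource:* (equivalent to AdministratorAccess)")
    return findings


# Constructed definitions: the administrator set from the procedure above,
# a narrow read-only set, and a sloppy custom set with two problems.
ADMIN_SET = {"Name": "AdministratorAccess", "SessionDuration": "PT1H",
             "ManagedPolicyArns": [ADMIN_MANAGED_POLICY]}
READONLY_SET = {"Name": "BillingReadOnly", "SessionDuration": "PT8H",
                "InlinePolicy": {"Version": "2012-10-17",
                                 "Statement": [{"Effect": "Allow",
                                                "Action": ["ce:Get*", "ce:Describe*"],
                                                "Resource": "*"}]}}
SLOPPY_SET = {"Name": "DevAll", "SessionDuration": "PT24H",
              "InlinePolicy": {"Version": "2012-10-17",
                               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}

if __name__ == "__main__":
    for ps in (ADMIN_SET, READONLY_SET, SLOPPY_SET):
        print(ps["Name"], review_permission_set(ps) or ["ok"])
```

The check is intentionally conservative: it only looks at what the permission set itself declares. Customer-managed policies referenced by name and permissions boundaries live in the target accounts and would need to be fetched from there to be reviewed the same way.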
Once you integrate Frontegg's self-served user management solution, your customers can configure their SSO completely on their own with just a few lines of code. The single sign-on can be integrated with IdPs using commonly used protocols like OIDC and SAML. Yes, you can implement social login SSOs as well.
The front end has been taken care of as well. You can leverage all of Frontegg’s SSO components and personalize your SaaS offering with a customizable login box. This embeddable box reduces in-app friction and allows users to authenticate smoothly and gain quick access to the app. A true end-to-end SSO solution.