What Is AWS IAM Identity Center (Successor to AWS SSO)?

AWS Identity and Access Management (IAM) Identity Center provides administrators with a unified experience for defining, customizing, and assigning fine-grained access. It offers workforce users a portal to access the AWS accounts and cloud applications assigned to them. 

It is built on top of AWS IAM to help simplify access management across multiple AWS accounts, applications, and various SAML-enabled cloud applications. Here are key features for admins:

  • Connect specific workforce users to AWS resources.
  • Manage access to your AWS accounts, cloud applications, or both. 
  • Create users in IAM Identity Center or bring users from an existing workforce directory. 

This is part of a series of articles about SSO.

AWS IAM Identity Center (SSO) Concepts and Features

Here are the main features of the IAM Identity Center:

Workforce identities 

A workforce identity or user is a human user of the organization. IAM Identity Center lets you create workforce users and groups or connect to existing users and groups within an identity source, such as Microsoft Active Directory Domain Services and Microsoft Azure AD. You can use these identities across all AWS accounts and applications.

Application assignments for SAML applications 

Application assignments enable you to grant workforce users single sign-on (SSO) access to various SAML 2.0 applications, such as Microsoft 365 and Salesforce. Identity Center-enabled applications go a step further: supported applications automatically receive sign-in and user directory services, which gives users a consistent SSO experience.

Multi-account permissions 

This feature can help you plan for and centrally implement IAM permissions across several AWS accounts. It eliminates the need to manually configure each account and lets you create fine-grained permissions according to common job functions, define custom permissions, and assign them to workforce users.

AWS access portal 

The AWS access portal enables workforce users to get one-click access to all their assigned AWS cloud applications and accounts via a simple web portal.

To make the most of these features, you should become familiar with the following concepts:

Users, Groups, and Provisioning

IAM Identity Center enables you to manage access to all AWS Organizations accounts, Identity Center-enabled applications, and various business applications that support the SAML 2.0 standard. Here is how it works:

Users

IAM Identity Center implements a user name as the primary identifier for workforce users. IAM Identity Center and the SAML standard do not require users to set an email address as their username, but many SAML-based applications have this requirement. To ensure this works well, IAM Identity Center requires that all user names and email addresses for users are unique and non-NULL.

Groups 

IAM Identity Center groups consist of a logical combination of predefined users. It lets you create groups and add users but does not support nested groups. You can leverage groups to save time by assigning access to AWS accounts and applications to a group instead of individuals. 

Provisioning

Provisioning involves making user and group information available to the IAM Identity Center and various Identity Center-enabled applications. It provides IAM Identity Center with the information needed to assign users and groups access permissions in an AWS account. 
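
The constraints described above (unique, non-NULL user names and email addresses, and no nested groups) can be checked on a directory export before it is provisioned. The following is an added example, not code from the original article or from AWS; the record layout and field names are assumptions, the sample data is constructed, and values are compared case-insensitively as a conservative choice.

```python
from collections import Counter

# Constructed sample export; the field names are assumptions, not an AWS schema.
USERS = [
    {"user_name": "alice", "email": "alice@example.com"},
    {"user_name": "bob", "email": "bob@example.com"},
    {"user_name": "Alice", "email": "a.smith@example.com"},  # duplicate user name
    {"user_name": "carol", "email": None},                   # NULL email
    {"user_name": "dave", "email": "bob@example.com"},       # duplicate email
]
GROUPS = {
    "admins": ["alice", "bob"],
    "platform": ["carol", "admins"],  # nested: "admins" is itself a group
    "auditors": ["erin"],             # member missing from the user export
}

def _norm(value):
    """Strip and casefold; None or blank is returned as None (NULL)."""
    if value is None or not str(value).strip():
        return None
    return str(value).strip().casefold()

def check_users(users):
    """Flag NULL and duplicate values in the user_name and email fields."""
    findings = []
    for field in ("user_name", "email"):
        values = [_norm(u.get(field)) for u in users]
        findings += [("null", field, i) for i, v in enumerate(values) if v is None]
        counts = Counter(v for v in values if v is not None)
        findings += [("duplicate", field, v) for v, n in sorted(counts.items()) if n > 1]
    return findings

def check_groups(groups, users):
    """Flag group members that are groups (nesting) or unknown users."""
    known = {_norm(u.get("user_name")) for u in users} - {None}
    group_names = {_norm(g) for g in groups}
    findings = []
    for name, members in sorted(groups.items()):
        for member in members:
            key = _norm(member)
            if key in group_names:
                findings.append(("nested_group", name, member))
            elif key not in known:
                findings.append(("unknown_member", name, member))
    return findings
```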

Identity Center Enabled Applications

IAM Identity Center can integrate with various AWS applications and services, allowing them to authenticate using the IAM Identity Center. IAM Identity Center provides an identity store to enable this capability. The store contains user and group attributes and excludes sign-in credentials.

SAML Federation

IAM Identity Center supports identity federation with SAML 2.0, an industry standard for securely exchanging SAML assertions that pass user information between an identity provider (IdP) and a service provider (SP). IAM Identity Center uses this information to provide federated SSO access to users who are authorized to use the AWS access portal.

User Authentications

Once a user signs in to the AWS access portal, IAM Identity Center redirects this request to an authentication service according to the directory associated with the specified user email address. After the user is authenticated, they get SSO access to all AWS accounts and applications on the portal without additional sign-in requirements. 

Permission Sets

IAM Identity Center employs permission sets as templates that let you create and maintain a collection of one or several IAM policies, making it simpler to assign users and roles. Once you assign a permission set, IAM Identity Center generates IAM Identity Center-controlled roles within each account, attaching all policies specified in the permission set to these roles. 

Getting Started with AWS IAM Identity Center (formerly AWS SSO)

Follow these steps to get started with IAM Identity Center.

Enabling IAM Identity Center

You must have an AWS organization account. If you don’t, you can create one by selecting Create AWS organization before enabling AWS IAM Identity Center.

To enable IAM Identity Center:

  1. Navigate to AWS’s Management Console and log in using your account’s root credentials. 
  2. Open the console for IAM Identity Center using https://console.aws.amazon.com/singlesignon.
  3. Find the Enable IAM Identity Center option and click on Enable.

Creating Administrative Permission Sets

To create a set of permissions that grant administrative-level access:

  1. Log in to the Identity Center console using your AWS root user credentials.
  2. Go to the navigation pane and find the Multi-account permissions menu. Click on Permission sets.
  3. Click on Create permission set.
  4. On the Select permission set type page, keep the default settings and select Next. The defaults provide full access to AWS resources and services based on the predefined AdministratorAccess permission set.
  5. On the next page, Specify permission set details, keep the default settings (these provide a one-hour limit for each session). Select Next.
  6. Take the following steps on the Review and create page:
     • Check your permission set type to ensure it is AdministratorAccess.
     • Check your AWS-managed policy to ensure it is AdministratorAccess.
     • Select Create.

Selecting the Identity Source and Creating an Administrative User 

Here you choose the identity source that determines the location where Identity Center will search for data about the AWS users and groups requiring SSO access. Once you choose the identity source, you may create or define users and assign administrator permissions to their AWS accounts.

An Identity Center directory is the identity source by default. To change the default identity source, connect to another directory. For example, AWS-managed Microsoft AD directories, external IdPs, and self-managed directories in Active Directory can all serve as identity sources in IAM Identity Center.

To configure access for an AWS administrative user, you can assign the user to the AdministratorAccess permission set using the following steps:

  1. Go to the Identity Center console and use your AWS root user credentials to sign in. 
  2. Look for the Multi-account permissions menu on the navigation pane and choose AWS accounts.
  3. You should see your organization’s tree-view list on the AWS accounts page. Select your chosen AWS account for administrator permissions. If the organization has more than one account, select the management account.
  4. Click on Assign users or groups to go to the next page.
  5. To select users or groups:
     • Select your chosen user or group on the Users tab.
     • Once you’ve confirmed that you selected the right group or user, click Next.
  6. To select a permission set, go to the Assign permission sets page. Under the Permission sets option, choose your AdministratorAccess permission set.
  7. Click Next.
  8. On the Review and submit assignments page, take the following steps:
     • Check your selected group/user and permission set.
     • Once you’ve confirmed that you assigned the right user or group to the AdministratorAccess permission set, select Submit.

IAM Identity Center will create the corresponding IAM role when you configure AWS account access for an administrative user. IAM Identity Center controls this role, creating it within the appropriate AWS account and attaching the access policies from the administrator permission set.
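
Once assignments like the one above exist, they are worth reviewing periodically. The following added example (not from the original article or from AWS) inventories every assignment whose permission set attaches the AWS-managed AdministratorAccess policy and flags direct user assignments, assignments in the management account, and sessions longer than the one-hour default. The data is constructed; its field names follow the sso-admin API responses, while the merged ManagedPolicies key, the account IDs, and the ARNs are assumptions and placeholders.

```python
import re

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
MGMT_ACCOUNT = "111111111111"  # constructed placeholder account ID
PS_ADMIN, PS_OPS, PS_RO = (f"arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-{n}"
                           for n in ("admin", "ops", "ro"))
# Constructed sample data; field names follow the sso-admin API responses,
# with each permission set's attached managed policies merged in for brevity.
PERMISSION_SETS = {
    PS_ADMIN: {"Name": "AdministratorAccess", "SessionDuration": "PT1H",
               "ManagedPolicies": [ADMIN_POLICY_ARN]},
    PS_OPS: {"Name": "OpsAdmin", "SessionDuration": "PT12H",
             "ManagedPolicies": [ADMIN_POLICY_ARN]},
    PS_RO: {"Name": "ReadOnly", "SessionDuration": "PT8H",
            "ManagedPolicies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]},
}
ASSIGNMENTS = [
    {"AccountId": MGMT_ACCOUNT, "PermissionSetArn": PS_ADMIN,
     "PrincipalType": "USER", "PrincipalId": "user-0001"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_OPS,
     "PrincipalType": "GROUP", "PrincipalId": "group-0001"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_ADMIN,
     "PrincipalType": "GROUP", "PrincipalId": "group-0002"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_RO,
     "PrincipalType": "USER", "PrincipalId": "user-0002"},
]

def duration_seconds(iso):
    """Convert an ISO 8601 duration such as PT1H or PT1H30M to seconds."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {iso!r}")
    h, mi, s = (int(g or 0) for g in m.groups())
    return h * 3600 + mi * 60 + s

def audit(assignments, permission_sets, mgmt_account, max_session=3600):
    """Return (account, permission set, principal, flags) per admin assignment."""
    findings = []
    for a in assignments:
        ps = permission_sets[a["PermissionSetArn"]]
        if ADMIN_POLICY_ARN not in ps["ManagedPolicies"]:
            continue  # only the AWS-managed AdministratorAccess policy is checked
        checks = {
            "direct-user-assignment": a["PrincipalType"] == "USER",
            "management-account": a["AccountId"] == mgmt_account,
            "long-session": duration_seconds(ps["SessionDuration"]) > max_session,
        }
        flags = [name for name, hit in checks.items() if hit]
        findings.append((a["AccountId"], ps["Name"], a["PrincipalId"], flags))
    return findings
```

An assignment with an empty flag list is still listed, so the result doubles as an inventory of who holds administrator access in which account.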

Cloud-Based SSO with Frontegg

Once you integrate Frontegg’s self-served user management solution, your customers can configure their SSO completely on their own with just a few lines of code. The single sign-on can be integrated with IdPs using commonly used protocols like OIDC and SAML. Yes, you can implement social login SSOs as well.

The front end has been taken care of as well. You can leverage all of Frontegg’s SSO components and personalize your SaaS offering with a customizable login box. This embeddable box reduces in-app friction and allows users to authenticate smoothly and gain quick access to the app. A true end-to-end SSO solution.
