
AWS IAM Identity Center (SSO): Centralized Multi-Account SSO Management

Learn how to configure SSO for multiple AWS accounts and business apps with AWS IAM Identity Center and centrally manage permissions.

PHILOLAMB | Updated: January 31, 2026

Related Exam Domains

  • Domain 1: Design Secure Architectures

Key Takeaway

IAM Identity Center is a free service that centrally manages SSO (Single Sign-On) to multiple AWS accounts and business apps. Integrated with Organizations, it controls access to all member accounts from a single portal.

Exam Tip

Exam Essential: "Multi-account SSO + centralized permission management = IAM Identity Center (formerly AWS SSO)"

What is IAM Identity Center?

A service that provides SSO to multiple AWS accounts and business applications within AWS Organizations.

┌───────────────────────────────────────────────────────┐
│                  IAM Identity Center                  │
│                                                       │
│  [SSO Portal] ← User logs in once                     │
│       │                                               │
│       ├── AWS Account A (Prod)  → Permission Set A    │
│       ├── AWS Account B (Dev)   → Permission Set B    │
│       ├── AWS Account C (Test)  → Permission Set C    │
│       ├── Salesforce            → SAML integration    │
│       └── Slack                 → SAML integration    │
└───────────────────────────────────────────────────────┘

Key Features

| Feature                   | Description                              |
|---------------------------|------------------------------------------|
| Free                      | No additional cost                       |
| Organizations Integration | Auto-connect all member accounts         |
| SSO Portal                | Single URL for all accounts/apps         |
| Permission Sets           | Assign different permissions per account |
| CLI v2 Support            | aws sso login for CLI authentication     |

IAM Identity Center vs Cognito

| Comparison      | IAM Identity Center      | Amazon Cognito            |
|-----------------|--------------------------|---------------------------|
| Target Users    | Employees (Enterprise)   | Customers/App users (B2C) |
| Purpose         | SSO to AWS accounts/apps | App login/signup          |
| IdP Integration | AD, Okta, Entra ID       | Google, Facebook, SAML    |
| Result          | AWS Console/CLI access   | JWT token issuance        |
| Cost            | Free                     | Usage-based pricing       |
| Account Scope   | Multi AWS accounts       | Single app                |

Exam Tip

Selection Criteria: "Employees SSO to AWS Console" → IAM Identity Center, "App users logging in" → Cognito

Core Components

1. Identity Source

Configure where to get user information from.

| Identity Source           | Description                    | Use Case                     |
|---------------------------|--------------------------------|------------------------------|
| Identity Center Directory | Built-in user store            | Small scale, no separate IdP |
| Active Directory          | AWS Managed AD or AD Connector | Existing AD environment      |
| External IdP              | Okta, Entra ID, OneLogin       | SAML 2.0 / SCIM              |

2. Permission Sets

A reusable bundle of IAM policies that is applied in every AWS account it is assigned to.

Permission Set Examples:

AdminAccess (Permission Set)
├── AWS Managed Policy: AdministratorAccess
└── Session Duration: 4 hours

ReadOnlyAccess (Permission Set)
├── AWS Managed Policy: ViewOnlyAccess
├── Inline Policy: S3 read-only
└── Session Duration: 1 hour

DevOpsAccess (Permission Set)
├── AWS Managed Policy: PowerUserAccess
├── Permissions Boundary: DevOpsBoundary
└── Session Duration: 8 hours

3. Assignments

Connect users/groups + permission sets + AWS accounts.

Assignment Examples:

DevOps Group:
├── Prod Account → ReadOnlyAccess
├── Dev Account  → AdminAccess
└── Test Account → AdminAccess

Finance Group:
├── Billing Account → BillingAccess
└── Prod Account    → ReadOnlyAccess
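
The permission set and assignment examples above describe a data model without showing how it resolves. The following is an added example, not code from the original post or from AWS: a small Python model of assignments as (principal, permission set, account) triples, with a lookup of a user's effective per-account access (the union of direct and group-based assignments, which is what the portal lists after login), a reverse lookup for access reviews, and a check for broad access in a given account. Group and permission set names follow the post; the users, the BillingAccess policy and the direct assignment for alice are constructed.

```python
"""Added example (not from the original post): a small model of how
IAM Identity Center assignments resolve into what a user can reach.

An assignment is the triple (principal, permission set, AWS account).
A user's effective access in an account is the union of every
permission set assigned to the user directly or to any group the user
belongs to. Groups, accounts and permission set names follow the
post's examples; the users and the BillingAccess policy are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PermissionSet:
    name: str
    managed_policy: str
    session_hours: int


@dataclass(frozen=True)
class Assignment:
    principal: str       # "group:<name>" or "user:<name>"
    permission_set: str
    account: str


PERMISSION_SETS = {
    "AdminAccess": PermissionSet("AdminAccess", "AdministratorAccess", 4),
    "ReadOnlyAccess": PermissionSet("ReadOnlyAccess", "ViewOnlyAccess", 1),
    "DevOpsAccess": PermissionSet("DevOpsAccess", "PowerUserAccess", 8),
    "BillingAccess": PermissionSet("BillingAccess", "Billing", 1),  # constructed
}

# Group membership is constructed; in practice it comes from the identity source.
GROUP_MEMBERS = {
    "DevOps": {"alice", "bob"},
    "Finance": {"carol"},
}

ASSIGNMENTS = [
    Assignment("group:DevOps", "ReadOnlyAccess", "Prod"),
    Assignment("group:DevOps", "AdminAccess", "Dev"),
    Assignment("group:DevOps", "AdminAccess", "Test"),
    Assignment("group:Finance", "BillingAccess", "Billing"),
    Assignment("group:Finance", "ReadOnlyAccess", "Prod"),
    # Constructed direct assignment: shows that direct and group-based
    # assignments are unioned rather than one overriding the other.
    Assignment("user:alice", "DevOpsAccess", "Prod"),
]


def principals_for(user, group_members=GROUP_MEMBERS):
    """Every principal identifier that can carry an assignment for this user."""
    principals = {f"user:{user}"}
    principals.update(f"group:{g}" for g, members in group_members.items() if user in members)
    return principals


def effective_access(user, assignments=ASSIGNMENTS, group_members=GROUP_MEMBERS):
    """account -> set of permission set names: what the portal lists after login."""
    principals = principals_for(user, group_members)
    access = defaultdict(set)
    for a in assignments:
        if a.principal in principals:
            access[a.account].add(a.permission_set)
    return dict(access)


def who_can(account, permission_set, assignments=ASSIGNMENTS, group_members=GROUP_MEMBERS):
    """Reverse lookup for an access review: users who get this permission
    set in this account through any principal."""
    users = set()
    for a in assignments:
        if a.account != account or a.permission_set != permission_set:
            continue
        kind, name = a.principal.split(":", 1)
        users.update([name] if kind == "user" else group_members.get(name, ()))
    return users


def review_broad_access(account, assignments=ASSIGNMENTS, permission_sets=PERMISSION_SETS,
                        max_session_hours=4):
    """Assignments in `account` that grant AdministratorAccess or a session
    longer than `max_session_hours`: the ones that need a justification."""
    findings = []
    for a in assignments:
        if a.account != account:
            continue
        ps = permission_sets[a.permission_set]
        if ps.managed_policy == "AdministratorAccess" or ps.session_hours > max_session_hours:
            findings.append((a.principal, a.permission_set))
    return findings


if __name__ == "__main__":
    for user in ("alice", "carol"):
        print(user, effective_access(user))
    print("Prod review:", review_broad_access("Prod"))
```

The same three questions (what can this user reach, who can reach this, what in this account is broad) are what you would ask of the real assignment data pulled from the service; the model only makes the union semantics explicit.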

How It Works

SSO Login Flow

1. User → SSO Portal (https://d-xxxxxxxxxx.awsapps.com/start)
2. Login (authenticated by identity source)
3. Portal displays accessible accounts/apps list
4. Select account + permission set
5. Access AWS Console (temporary credentials auto-issued)

CLI v2 SSO Flow

# Configure SSO profile
aws configure sso
# SSO login
aws sso login --profile my-dev
# Execute command with SSO credentials
aws s3 ls --profile my-dev
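
The three commands above leave the resulting configuration implicit. As an added example (not code from the original post or from the AWS CLI), the Python below renders the config entries that aws configure sso writes, one profile per account and permission set sharing a single sso-session section, and validates them before anyone runs aws sso login. The start URL is the placeholder from the post; the session name, profile names and account IDs are constructed.

```python
"""Added example (not from the original post): render and validate the
AWS CLI v2 config entries that `aws configure sso` writes, one profile
per (account, permission set) pair sharing a single sso-session.

The [sso-session] section carries the portal start URL and region; each
[profile] section points at that session and names the account and the
permission set to assume (sso_role_name). The start URL is the placeholder
from the post; session, profile names and account IDs are constructed.
"""
import configparser
import re

START_URL = "https://d-xxxxxxxxxx.awsapps.com/start"  # placeholder from the post
SSO_REGION = "us-east-1"

# (profile name, 12-digit account ID, permission set name): constructed values
PROFILES = [
    ("my-dev", "111111111111", "AdminAccess"),
    ("my-prod", "222222222222", "ReadOnlyAccess"),
]


def render_config(session, start_url, sso_region, profiles, region="us-east-1"):
    """Produce the text of ~/.aws/config for the given profiles."""
    lines = [
        f"[sso-session {session}]",
        f"sso_start_url = {start_url}",
        f"sso_region = {sso_region}",
        "sso_registration_scopes = sso:account:access",
        "",
    ]
    for name, account_id, role in profiles:
        lines += [
            f"[profile {name}]",
            f"sso_session = {session}",
            f"sso_account_id = {account_id}",
            f"sso_role_name = {role}",
            f"region = {region}",
            "",
        ]
    return "\n".join(lines)


def validate_config(text):
    """Return a list of problems; an empty list means each profile has what
    `aws sso login --profile <name>` needs."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sessions = {s.split(" ", 1)[1] for s in cp.sections() if s.startswith("sso-session ")}
    problems = []
    for name in sessions:
        sec = cp[f"sso-session {name}"]
        if not sec.get("sso_start_url", "").startswith("https://"):
            problems.append(f"sso-session {name}: sso_start_url must be an https URL")
        if not sec.get("sso_region"):
            problems.append(f"sso-session {name}: sso_region missing")
    for section in cp.sections():
        if not section.startswith("profile "):
            continue
        name, p = section.split(" ", 1)[1], cp[section]
        if p.get("sso_session") not in sessions:
            problems.append(f"profile {name}: sso_session references an unknown session")
        if not re.fullmatch(r"\d{12}", p.get("sso_account_id", "")):
            problems.append(f"profile {name}: sso_account_id must be 12 digits")
        if not p.get("sso_role_name"):
            problems.append(f"profile {name}: sso_role_name (permission set) missing")
    return problems


if __name__ == "__main__":
    text = render_config("my-sso", START_URL, SSO_REGION, PROFILES)
    print(text)
    print("problems:", validate_config(text))
```

With this layout, aws sso login --profile my-dev and --profile my-prod share one browser login because both profiles reference the same sso-session; the credentials each profile obtains are still scoped to its own account and permission set.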

External IdP Integration

SAML 2.0 Integration

[External IdP (Okta/Entra ID)]
        │
        │ SAML 2.0
        ▼
[IAM Identity Center]
        │
        ├── AWS Account A
        ├── AWS Account B
        └── Business Apps

SCIM Auto-Provisioning

SCIM (System for Cross-domain Identity Management) automatically syncs users/groups.

| Aspect            | Manual Management    | SCIM Provisioning                   |
|-------------------|----------------------|-------------------------------------|
| User Creation     | Manual on both sides | Auto-sync from IdP                  |
| Group Sync        | Manual mapping       | Auto-sync                           |
| User Deactivation | Manual on both sides | Auto-reflected when disabled in IdP |

Exam Tip

SCIM: User/group changes in external IdP are automatically reflected in IAM Identity Center.

Fine-Grained Permission Management

ABAC (Attribute-Based Access Control)

Control access based on user attributes (department, job title, etc.).

User Attributes:
- Department: Engineering
- CostCenter: 1234

Permission Set Condition:
{
  "Condition": {
    "StringEquals": {
      "aws:PrincipalTag/Department": "Engineering"
    }
  }
}
→ Only users whose Department attribute is Engineering satisfy this condition, so only they can reach the resources it guards
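
The condition block above is easier to reason about once you can run it against a set of user attributes. What follows is an added example, not code from the original post or from AWS: a minimal Python evaluator for IAM string conditions applied to the aws:PrincipalTag keys that attribute mapping produces. It goes slightly beyond the single StringEquals shown above, covering multiple keys (AND), multiple values per key (OR, or match-none for the negated operators), the StringLike wildcards and the IfExists suffix. The user attributes, the Action and the Resource in the full statement are constructed.

```python
"""Added example (not from the original post): a minimal evaluator for
the IAM Condition block shown above, run against the principal tags that
IAM Identity Center maps from user attributes (ABAC).

IAM semantics modelled here:
  - every operator and every key in a Condition block must match (AND);
  - several values listed under one key match if any of them does (OR);
    for the negated operators the request value must match none of them;
  - StringEquals/StringNotEquals are case-sensitive exact comparisons;
  - StringLike/StringNotLike accept the * and ? wildcards;
  - a key missing from the request context fails the condition unless the
    operator carries the IfExists suffix.
Only the String operators are implemented; users and attributes are constructed.
"""
import re


def principal_tags(attributes):
    """Build the request context keys that attribute mapping produces."""
    return {f"aws:PrincipalTag/{k}": v for k, v in attributes.items()}


def _like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {
    "StringEquals": lambda p, v: p == v,
    "StringNotEquals": lambda p, v: p != v,
    "StringLike": _like,
    "StringNotLike": lambda p, v: not _like(p, v),
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def evaluate_condition(condition, context):
    """True when every operator/key pair in `condition` matches `context`."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base not in OPERATORS:
            raise ValueError(f"operator not supported in this example: {operator}")
        match = OPERATORS[base]
        negated = base.startswith("StringNot")
        for key, patterns in keys.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            results = [match(p, context[key]) for p in _as_list(patterns)]
            if not (all(results) if negated else any(results)):
                return False
    return True


def statement_applies(statement, context):
    """Evaluate a statement's Condition; a statement without one always applies."""
    return evaluate_condition(statement.get("Condition", {}), context)


# The condition from the post inside a full statement (Action/Resource constructed).
ENGINEERING_ONLY = {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::engineering-bucket/*",
    "Condition": {"StringEquals": {"aws:PrincipalTag/Department": "Engineering"}},
}

if __name__ == "__main__":
    for attrs in ({"Department": "Engineering", "CostCenter": "1234"},
                  {"Department": "Finance"}, {}):
        print(attrs, statement_applies(ENGINEERING_ONLY, principal_tags(attrs)))
```

Two details matter for ABAC reviews: a user with no Department attribute at all fails a plain StringEquals (the key is absent, so nothing matches), and the comparison is case-sensitive, so an attribute of "engineering" coming from the identity source does not match "Engineering" in the policy.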

SAA-C03 Exam Focus Points

  1. Service Selection: "Multi-account SSO = IAM Identity Center"
  2. vs Cognito: "Employees = Identity Center, App users = Cognito"
  3. Organizations Required: "Identity Center is used with Organizations"
  4. Free: "No additional cost"
  5. Permission Sets: "Can assign different permissions per account"

Exam Tip

Sample Exam Question: "100 developers need SSO access to 10 AWS accounts. Different permissions are needed per account. What is the most appropriate service?" → Answer: IAM Identity Center (manage per-account permissions with permission sets)

Frequently Asked Questions (FAQ)

Q: Can IAM Identity Center be used without Organizations?

Single-account mode is available, but using it with Organizations is recommended so that you get the multi-account SSO benefits.

Q: What's the difference between IAM Identity Center and IAM Federation (direct SAML)?

IAM Federation requires individual setup per account, while Identity Center applies SSO to all accounts with one setup. Identity Center is much more efficient in multi-account environments.

Q: I'm using AWS SSO. Do I need to migrate to IAM Identity Center?

AWS SSO was renamed to IAM Identity Center. Your existing settings are preserved, and no additional migration is required.

Q: How many permission sets can I create?

You can assign up to 50 permission sets per AWS account, and create up to 2,000 across the entire organization.

Q: Does IAM Identity Center support MFA?

Yes. Built-in MFA is supported, including TOTP (authenticator apps), FIDO2 security keys, and built-in authenticators. When using external IdPs, you can leverage their MFA.
