
IAM Identity Center in Amazon Web Services China - Getting Started with Amazon Web Services China
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM Identity Center in Amazon Web Services China

IAM Identity Center is the Amazon Web Services solution for connecting your workforce users to all of their Amazon Web Services managed applications and Amazon Web Services accounts. Users who have access to one or more accounts can sign in to the Amazon Web Services access portal and access Amazon Web Services applications by using the Amazon Web Services Management Console or retrieve temporary credentials to access Amazon Web Services applications programmatically. You can connect your existing identity provider or create and manage your users directly in IAM Identity Center. For existing identity providers, automatic provisioning (synchronization) of user and group information from your identity provider into IAM Identity Center is supported.

Region availability

IAM Identity Center is available in the following Regions in China:

  • China (Beijing) Region

  • China (Ningxia) Region

How IAM Identity Center differs

The following differences apply to IAM Identity Center:

  • IAM Identity Center integrates with Amazon Organizations to manage access across your Amazon Web Services accounts, and therefore, IAM Identity Center is subject to any Amazon Organizations differences.

  • The Amazon Web Services access portal URL follows a China-specific pattern that is built from your IdentityStoreId or, if you have set one, your CustomAlias.

    You can find this URL on the Settings page in the IAM Identity Center console.

  • The Amazon Resource Name (ARN) for your IAM Identity Center instance has the pattern arn:aws-cn:sso:::instance/[InstanceId]. Note the aws-cn partition: policies or automation that keep the arn:aws: prefix from other partitions never match resources in the China Regions. You can find this ARN on the Settings page in the IAM Identity Center console.

  • The ARNs for IAM Identity Center permission sets have the pattern arn:aws-cn:sso:::permissionSet/[InstanceId]/[PermissionSetId]. You can find these ARNs on the Permission sets tab under the Amazon Web Services accounts page in the IAM Identity Center console.

  • The email address no-reply@login.awsapps.cn is used for sending email-verification, password reset, and user invitation emails in the China (Beijing) and China (Ningxia) Regions. The email address no-reply@signin.amazonaws.com.cn is used for sending forgotten password emails.

  • Google Workspace (formerly G Suite) is not available in China.

  • The solutions provided by Amazon Security Competency partners CyberArk, Ermetic, and Okta are not hosted in China. Their capabilities and integration with IAM Identity Center for the purposes of temporary elevated access management have not been tested with IAM Identity Center in China.

  • Single sign-on to Amazon EC2 Windows instances for IAM Identity Center users is not available.

  • IAM Identity Center integrates with Amazon Web Services applications to provide single sign-on and centralized identity and access management for those applications. The Amazon Web Services products page lists the Amazon Web Services applications available in China. Refer to the China-specific user guide of an Amazon Web Services application for details on its integration with IAM Identity Center.

  • The user background sessions feature appears in the console for China, but this feature cannot be used because user background sessions are only supported for Amazon SageMaker Studio. Although Amazon SageMaker AI is supported in China, Amazon SageMaker Studio, which is its latest web experience for running machine learning (ML) workflows, is not available in China.

  • The application and identity providers referenced in the IAM Identity Center documentation are third parties. Their instances may be located outside of China. Customers should verify the location of the instances with the third-party providers directly, and customers should confirm whether any cross-border transfers of data comply with their obligations under applicable laws. If customers use the services offered by these third parties, customers may experience higher latency due to reasons beyond the control of Amazon (for example, if the third party’s servers are outside of China), and customers should work with the third-party provider directly to address latency.

  • The cloud application External Amazon Web Services Account is presently not available in the cloud application catalog. If you need to configure federation to an Amazon Web Services account that is not part of the same Amazon organization, you can use a custom SAML application. Instructions on how to set up the federation in the target account are available in the IAM User Guide.

  • Amazon Web Services China (Beijing) Region, operated by Sinnet, and Amazon Web Services China (Ningxia) Region, operated by NWCD, are enabled by default. Therefore, they do not need to be manually enabled.

  • The following Amazon Web Services managed application is supported for account instances of IAM Identity Center:

    • Amazon S3 Access Grants

  • Multi-Region support is presently not available.

  • If you filter access to specific Amazon Web Services domains by using a web content filtering solution such as next-generation firewalls (NGFW) or Secure Web Gateways (SWG), you must add the following domains to your web-content filtering solution allowlists. Doing so enables you to access your Amazon Web Services access portal.

    The following list provides the IPv4 and dual-stack domains and URL endpoints to add to your web-content filtering solution allowlists.

    IPv4 allow list

    • start.home.awsapps.cn

    • start.[Region].home.awsapps.cn

    • [IAM-Identity-Center-instance-id].[Region].portal.amazonaws.com.cn

    • oidc.[Region].amazonaws.com.cn

    • *.applicationcatalog.amazonaws.com.cn

    • *.sso.[Region].amazonaws.com.cn

    • *.sso.amazonaws.cn

    • *.sso-portal.[Region].amazonaws.com.cn

    • *.sso.[Region].amazonaws.cn

    • aws-access-portal-website-prod-bjs-assets.s3.cn-north-1.amazonaws.com.cn

    • aws-access-portal-website-prod-zhy-assets.s3.cn-northwest-1.amazonaws.com.cn

    • s3.cn-north-1.amazonaws.com.cn/awsconsole-peregrine-portal-prod-bjs-assets

    • s3.cn-northwest-1.amazonaws.com.cn/awsconsole-peregrine-portal-prod-zhy-assets

    • [Region].signin.amazonaws.cn

    • *.cloudfront.net

    • opfcaptcha-prod.s3.amazonaws.com

    Dual-stack allow list

    • [IAM-Identity-Center-instance-id].portal.[Region].app.amazonwebservices.com.cn

    • oidc.[Region].api.amazonwebservices.com.cn

    • *.applicationcatalog.amazonaws.com.cn

    • sso.[Region].api.amazonwebservices.com.cn

    • portal.sso.[Region].api.amazonwebservices.com.cn

    • scim.[Region].api.amazonwebservices.com.cn

    • identitystore.[Region].api.amazonwebservices.com.cn

    • identity-sync.[Region].api.amazonwebservices.com.cn

    • dual-stack.auth-control.[Region].prod.apps-auth.aws.a2z.org.cn

    • pvs-cp.[Region].api.amazonwebservices.com.cn

    • aws-access-portal-website-prod-bjs-assets.s3.cn-north-1.amazonaws.com.cn

    • aws-access-portal-website-prod-zhy-assets.s3.cn-northwest-1.amazonaws.com.cn

    • s3.cn-north-1.amazonaws.com.cn/awsconsole-peregrine-portal-prod-bjs-assets

    • s3.cn-northwest-1.amazonaws.com.cn/awsconsole-peregrine-portal-prod-zhy-assets

    • [Region].sso.signin.amazonaws.cn

    • *.cloudfront.net

    • opfcaptcha-prod.s3.amazonaws.com

    Combined allow list (IPv4 + Dual-stack with backward compatibility)

    • start.home.awsapps.cn

    • start.[Region].home.awsapps.cn

    • [IAM-Identity-Center-instance-id].[Region].portal.amazonaws.com.cn

    • [IAM-Identity-Center-instance-id].portal.[Region].app.amazonwebservices.com.cn

    • oidc.[Region].amazonaws.com.cn

    • oidc.[Region].api.amazonwebservices.com.cn

    • *.applicationcatalog.amazonaws.com.cn

    • *.sso.[Region].amazonaws.com.cn

    • sso.[Region].api.amazonwebservices.com.cn

    • *.sso.amazonaws.cn

    • *.sso-portal.[Region].amazonaws.com.cn

    • portal.sso.[Region].api.amazonwebservices.com.cn

    • *.sso.[Region].amazonaws.cn

    • scim.[Region].api.amazonwebservices.com.cn

    • identitystore.[Region].api.amazonwebservices.com.cn

    • identity-sync.[Region].api.amazonwebservices.com.cn

    • dual-stack.auth-control.[Region].prod.apps-auth.aws.a2z.org.cn

    • pvs-cp.[Region].api.amazonwebservices.com.cn

    • aws-access-portal-website-prod-bjs-assets.s3.cn-north-1.amazonaws.com.cn

    • aws-access-portal-website-prod-zhy-assets.s3.cn-northwest-1.amazonaws.com.cn

    • s3.cn-north-1.amazonaws.com.cn/awsconsole-peregrine-portal-prod-bjs-assets

    • s3.cn-northwest-1.amazonaws.com.cn/awsconsole-peregrine-portal-prod-zhy-assets

    • [Region].signin.amazonaws.cn

    • [Region].sso.signin.amazonaws.cn

    • *.cloudfront.net

    • opfcaptcha-prod.s3.amazonaws.com
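The two ARN patterns listed above share the aws-cn partition, and the most frequent failure when bringing IAM policies or automation from other partitions into the China Regions is an arn:aws: prefix that never matches anything. The following Python is an added example, not code from the Amazon Web Services documentation: it parses the documented instance and permission-set ARN shapes, checks that the partition matches the Region the caller operates in, and verifies that a permission-set ARN belongs to the expected instance. The ssoins- and ps- identifiers are constructed placeholders; the cn-north-1 and cn-northwest-1 Region codes are those that appear in the S3 hostnames on this page.

```python
import re
from typing import List, Optional

# Shapes of the two China-Region ARNs documented on this page. The partition group
# accepts any partition so that a wrong prefix is reported rather than silently rejected.
_INSTANCE_RE = re.compile(
    r"^arn:(?P<partition>[a-z][a-z-]*):sso:::instance/(?P<instance_id>[A-Za-z0-9-]+)$"
)
_PERMISSION_SET_RE = re.compile(
    r"^arn:(?P<partition>[a-z][a-z-]*):sso:::permissionSet/"
    r"(?P<instance_id>[A-Za-z0-9-]+)/(?P<permission_set_id>[A-Za-z0-9-]+)$"
)

# Region codes of the China partition (they appear in the S3 hostnames on this page).
CHINA_REGIONS = frozenset({"cn-north-1", "cn-northwest-1"})


def partition_for_region(region: str) -> str:
    """Return the ARN partition for a Region: aws-cn for the China Regions, aws otherwise."""
    return "aws-cn" if region in CHINA_REGIONS else "aws"


def parse_sso_arn(arn: str) -> dict:
    """Split an IAM Identity Center instance or permission-set ARN into its parts.

    Raises ValueError for anything that is not one of the two documented shapes.
    """
    for kind, pattern in (("instance", _INSTANCE_RE), ("permissionSet", _PERMISSION_SET_RE)):
        match = pattern.match(arn)
        if match:
            return {"kind": kind, **match.groupdict()}
    raise ValueError(f"not an IAM Identity Center instance or permission-set ARN: {arn}")


def check_sso_arn(arn: str, region: str, instance_arn: Optional[str] = None) -> List[str]:
    """Return findings for an ARN about to be used from `region` (empty list means OK).

    Two checks that catch the usual copy-paste mistakes when moving automation to the
    China Regions: the partition must match the Region (arn:aws: never resolves in
    cn-north-1 or cn-northwest-1), and a permission-set ARN must belong to the
    instance the caller believes it is working with.
    """
    findings = []
    parts = parse_sso_arn(arn)
    expected = partition_for_region(region)
    if parts["partition"] != expected:
        findings.append(
            f"partition mismatch: ARN uses '{parts['partition']}' but {region} is in '{expected}'"
        )
    if instance_arn is not None and parts["kind"] == "permissionSet":
        inst = parse_sso_arn(instance_arn)
        if inst["kind"] != "instance":
            raise ValueError("instance_arn must be an instance ARN")
        if inst["instance_id"] != parts["instance_id"]:
            findings.append(
                f"instance mismatch: permission set belongs to {parts['instance_id']}, "
                f"expected {inst['instance_id']}"
            )
    return findings


def permission_set_arn(instance_arn: str, permission_set_id: str) -> str:
    """Build a permission-set ARN that inherits partition and instance ID from the instance ARN."""
    inst = parse_sso_arn(instance_arn)
    if inst["kind"] != "instance":
        raise ValueError("instance_arn must be an instance ARN")
    return f"arn:{inst['partition']}:sso:::permissionSet/{inst['instance_id']}/{permission_set_id}"


if __name__ == "__main__":
    # Constructed placeholder IDs; real IDs come from the Settings page and Permission sets tab.
    instance = "arn:aws-cn:sso:::instance/ssoins-example0000000001"
    ps = permission_set_arn(instance, "ps-example00000001")
    print(ps)
    print(check_sso_arn(ps, "cn-north-1", instance))                    # -> []
    print(check_sso_arn(ps.replace("aws-cn", "aws", 1), "cn-north-1"))  # -> one partition-mismatch finding
```

Deriving the permission-set ARN from the instance ARN, as permission_set_arn does, is the simplest way to keep the partition consistent across a deployment that targets both the China Regions and other partitions: only the instance ARN needs to be Region-specific.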
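The allow lists above are templates: they carry [Region] and [IAM-Identity-Center-instance-id] placeholders, and two entries (the path-style S3 URLs) specify a host plus a path rather than a bare host, so they need some care before they become firewall or SWG rules. The following Python is an added example, not part of the Amazon Web Services documentation: it expands the combined list for both China Regions, turns the path-style entries into host plus path-prefix rules, and matches URLs from a constructed proxy-log sample against the result, including a lookalike host that a substring check would accept. The instance ID d-example0001 and the log lines are constructed placeholders. The list as documented also contains non-China hosts (*.cloudfront.net and opfcaptcha-prod.s3.amazonaws.com), which the expansion keeps unchanged.

```python
import fnmatch
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Combined (IPv4 + dual-stack) allow list as documented on this page, placeholders kept.
COMBINED_ALLOW_LIST = [
    "start.home.awsapps.cn",
    "start.[Region].home.awsapps.cn",
    "[IAM-Identity-Center-instance-id].[Region].portal.amazonaws.com.cn",
    "[IAM-Identity-Center-instance-id].portal.[Region].app.amazonwebservices.com.cn",
    "oidc.[Region].amazonaws.com.cn",
    "oidc.[Region].api.amazonwebservices.com.cn",
    "*.applicationcatalog.amazonaws.com.cn",
    "*.sso.[Region].amazonaws.com.cn",
    "sso.[Region].api.amazonwebservices.com.cn",
    "*.sso.amazonaws.cn",
    "*.sso-portal.[Region].amazonaws.com.cn",
    "portal.sso.[Region].api.amazonwebservices.com.cn",
    "*.sso.[Region].amazonaws.cn",
    "scim.[Region].api.amazonwebservices.com.cn",
    "identitystore.[Region].api.amazonwebservices.com.cn",
    "identity-sync.[Region].api.amazonwebservices.com.cn",
    "dual-stack.auth-control.[Region].prod.apps-auth.aws.a2z.org.cn",
    "pvs-cp.[Region].api.amazonwebservices.com.cn",
    "aws-access-portal-website-prod-bjs-assets.s3.cn-north-1.amazonaws.com.cn",
    "aws-access-portal-website-prod-zhy-assets.s3.cn-northwest-1.amazonaws.com.cn",
    "s3.cn-north-1.amazonaws.com.cn/awsconsole-peregrine-portal-prod-bjs-assets",
    "s3.cn-northwest-1.amazonaws.com.cn/awsconsole-peregrine-portal-prod-zhy-assets",
    "[Region].signin.amazonaws.cn",
    "[Region].sso.signin.amazonaws.cn",
    "*.cloudfront.net",
    "opfcaptcha-prod.s3.amazonaws.com",
]

CHINA_REGIONS = ("cn-north-1", "cn-northwest-1")

Rule = Tuple[str, str]  # (host pattern, path prefix); "" as prefix means any path


def expand_allow_list(entries: Iterable[str], instance_id: str,
                      regions: Iterable[str] = CHINA_REGIONS) -> List[Rule]:
    """Substitute the placeholders and split path-style S3 entries into host + path prefix."""
    rules = set()
    for entry in entries:
        for region in regions:
            concrete = (entry.replace("[Region]", region)
                             .replace("[IAM-Identity-Center-instance-id]", instance_id))
            host, _, path = concrete.partition("/")
            rules.add((host.lower(), "/" + path if path else ""))
    return sorted(rules)


def is_allowed(url: str, rules: Iterable[Rule]) -> bool:
    """True if the URL's host matches a rule and, where the rule carries a path, so does its path.

    Matching is on the whole hostname: a wildcard rule such as *.sso.amazonaws.cn matches
    any depth of subdomain (fnmatch's '*' spans dots) but neither the bare apex nor a
    lookalike that merely contains the string, which a substring check would let through.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for host_pattern, prefix in rules:
        if host_pattern.startswith("*."):
            host_ok = fnmatch.fnmatchcase(host, host_pattern)
        else:
            host_ok = host == host_pattern
        path_ok = not prefix or path == prefix or path.startswith(prefix + "/")
        if host_ok and path_ok:
            return True
    return False


def audit_proxy_log(urls: Iterable[str], rules: Iterable[Rule]) -> Tuple[List[str], List[str]]:
    """Split requested URLs into those the allow list covers and those it would block."""
    rules = list(rules)
    allowed, blocked = [], []
    for url in urls:
        (allowed if is_allowed(url, rules) else blocked).append(url)
    return allowed, blocked


# Constructed proxy-log sample (not real traffic); d-example0001 is a placeholder instance ID.
SAMPLE_PROXY_LOG = [
    "https://start.cn-north-1.home.awsapps.cn/",
    "https://d-example0001.cn-northwest-1.portal.amazonaws.com.cn/instance/appinstances",
    "https://s3.cn-north-1.amazonaws.com.cn/awsconsole-peregrine-portal-prod-bjs-assets/app.js",
    "https://s3.cn-north-1.amazonaws.com.cn/unrelated-bucket/payload.js",
    "https://login.sso.amazonaws.cn.attacker.example/start",
]

if __name__ == "__main__":
    rules = expand_allow_list(COMBINED_ALLOW_LIST, "d-example0001")
    allowed, blocked = audit_proxy_log(SAMPLE_PROXY_LOG, rules)
    print("allowed:", *allowed, sep="\n  ")  # first three sample URLs
    print("blocked:", *blocked, sep="\n  ")  # the other bucket and the lookalike host
```

Two points to carry over to the real filtering product: the path-style S3 entries only work if the solution can match on URL path, not just SNI or host header, so plan for TLS inspection or use the virtual-hosted bucket names where the vendor cannot; and wildcard semantics differ between products (some treat *. as exactly one label), so verify that a multi-label host under *.sso.amazonaws.cn is actually accepted before rolling the rules out.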
