Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon IAM Identity Center and Amazon Organizations

Amazon IAM Identity Center provides single sign-on access for all of your Amazon Web Services accounts and cloud applications. It connects with Microsoft Active Directory through Amazon Directory Service to allow users in that directory to sign in to a personalized Amazon access portal using their existing Active Directory user names and passwords. From the Amazon access portal, users have access to all the Amazon Web Services accounts and cloud applications that they have permissions for.

For more information about IAM Identity Center, see the Amazon IAM Identity Center User Guide.

Use the following information to help you integrate Amazon IAM Identity Center with Amazon Organizations.

Service-linked roles created when you enable integration

The following service-linked role is automatically created in your organization's management account when you enable trusted access. This role allows IAM Identity Center to perform supported operations within your organization's accounts in your organization.

You can delete or modify this role only if you disable trusted access between IAM Identity Center and Organizations, or if you remove the member account from the organization.

Service principals used by the service-linked roles

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by IAM Identity Center grant access to the following service principals:

Enabling trusted access with IAM Identity Center

For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.

You can enable trusted access using either the Amazon IAM Identity Center console or the Amazon Organizations console.

IAM Identity Center requires trusted access with Amazon Organizations to function. Trusted access is enabled when you set up IAM Identity Center. For more information, see Getting Started - Step 1: Enable Amazon IAM Identity Center in the Amazon IAM Identity Center User Guide.

You can enable trusted access by using either the Amazon Organizations console, by running a Amazon CLI command, or by calling an API operation in one of the Amazon SDKs.

Amazon Web Services Management Console

To enable trusted service access using the Organizations console

1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

2. In the navigation pane, choose Services.

3. Choose Amazon IAM Identity Center in the list of services.

4. Choose Enable trusted access.

5. In the Enable trusted access for Amazon IAM Identity Center dialog box, type enable to confirm it, and then choose Enable trusted access.

6. If you are the administrator of only Amazon Organizations, tell the administrator of Amazon IAM Identity Center that they can now enable that service using its console to work with Amazon Organizations.

Amazon CLI, Amazon API

To enable trusted service access using the OrganizationsCLI/SDK

You can use the following Amazon CLI commands or API operations to enable trusted service access:

• Amazon CLI: enable-aws-service-access

  You can run the following command to enable Amazon IAM Identity Center as a trusted service with Organizations.

  $ aws organizations enable-aws-service-access \ 
      --service-principal sso.amazonaws.com

  This command produces no output when successful.

• Amazon API: EnableAWSServiceAccess

Disabling trusted access with IAM Identity Center

For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access.

IAM Identity Center requires trusted access with Amazon Organizations to operate. If you disable trusted access using Amazon Organizations while you are using IAM Identity Center, it stops functioning because it can't access the organization. Users can't use IAM Identity Center to access accounts. Any roles that IAM Identity Center creates remain, but the IAM Identity Center service can't access them. The IAM Identity Center service-linked roles remain. If you reenable trusted access, IAM Identity Center continues to operate as before, without the need for you to reconfigure the service.

If you remove an account from your organization, IAM Identity Center automatically cleans up any metadata and resources, such as its service-linked role. A standalone account that is removed from an organization no longer works with IAM Identity Center.

You can disable trusted access using only the Organizations tools.

You can disable trusted access by using either the Amazon Organizations console, by running an Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.

Amazon Web Services Management Console

To disable trusted service access using the Organizations console

1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

2. In the navigation pane, choose Services.

3. Choose Amazon IAM Identity Center in the list of services.

4. Choose Disable trusted access.

5. In the Disable trusted access for Amazon IAM Identity Center dialog box, type disable to confirm it, and then choose Disable trusted access.

6. If you are the administrator of only Amazon Organizations, tell the administrator of Amazon IAM Identity Center that they can now disable that service using its console or tools from working with Amazon Organizations.

Amazon CLI, Amazon API

To disable trusted service access using the Organizations CLI/SDK

You can use the following Amazon CLI commands or API operations to disable trusted service access:

• Amazon CLI: disable-aws-service-access

  You can run the following command to disable Amazon IAM Identity Center as a trusted service with Organizations.

  $ aws organizations disable-aws-service-access \
      --service-principal sso.amazonaws.com

  This command produces no output when successful.

• Amazon API: DisableAWSServiceAccess

Enabling a delegated administrator account for IAM Identity Center

When you designate a member account as a delegated administrator for the organization, users and roles from that account can perform administrative actions for IAM Identity Center that otherwise can be performed only by users or roles in the organization's management account. This helps you to separate management of the organization from management of IAM Identity Center.

For instructions about how to enable a delegated administrator account for IAM Identity Center, see Delegated administration in the Amazon IAM Identity Center User Guide.