Enable single sign-on access to your Amazon applications (Application admin role) - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enable single sign-on access to your Amazon applications (Application admin role)

This use case provides guidance if you're an application administrator who manages Amazon managed applications such as Amazon SageMaker or Amazon IoT SiteWise, and you must provide single sign-on access to your users.

Before you get started, consider the following:

  • Do you want to create a test or production environment in a separate organization in Amazon Organizations?

  • Is IAM Identity Center already enabled in your organization? Do you have permissions to enable IAM Identity Center in the management account of Amazon Organizations?

Review the following guidance to determine next steps based on your business needs.

Configure my Amazon application in a standalone Amazon Web Services account

If you must provide single sign-on access to an Amazon application and know that your IT department does not yet use IAM Identity Center, you might need to create a standalone Amazon Web Services account to get started. By default, when you create your own Amazon Web Services account, you'll have the permissions that you require to create and manage your own Amazon organization. To enable IAM Identity Center, you must have Amazon Web Services account root user permissions.

IAM Identity Center and Amazon Organizations can be enabled automatically during setup for some Amazon applications (for example, Amazon Managed Grafana). If your Amazon application doesn't provide the option to enable these services, you must set up Amazon Organizations and IAM Identity Center before you can provide single sign-on access to your application.

IAM Identity Center isn't configured in my organization

In your role as an application administrator, you might not be able to enable IAM Identity Center, depending on your permissions. IAM Identity Center requires specific permissions in the Amazon Organizations management account. If you lack those permissions, contact the appropriate administrator to have IAM Identity Center enabled in the Organizations management account.

If you do have sufficient permissions to enable IAM Identity Center, do this first, then proceed with the application setup. For more information, see Get started with common tasks in IAM Identity Center.

IAM Identity Center is currently configured in my organization

In this scenario, you can continue to deploy your Amazon application without taking any further action.

Note

If your organization enabled IAM Identity Center in the management account before November 25th, 2019, you must also enable Amazon managed applications in the management account and optionally in the member accounts. If you enable them in the management account only, you can enable them in member accounts later. To enable these applications, choose Enable access in the Amazon managed applications section of the Settings page in the IAM Identity Center console. For more information, see Configuring IAM Identity Center to share identity information.
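The three scenarios above reduce to a short preflight check: is the account in an organization, is it the management account, and is an IAM Identity Center instance already visible. The following added example (not Amazon-provided code) gathers those facts with boto3 and maps them onto the guidance on this page; it assumes boto3 is installed, that the caller's credentials can call Organizations, STS and SSO Admin, and that the session Region is the one where IAM Identity Center is (or will be) enabled.

```python
"""Preflight check for the single sign-on scenarios on this page (added example)."""
from dataclasses import dataclass


@dataclass
class Preflight:
    in_organization: bool          # Amazon Organizations in use for this account?
    is_management_account: bool    # caller's account is the Organizations management account?
    identity_center_enabled: bool  # an IAM Identity Center instance is visible from here?


def next_step(p: Preflight) -> str:
    """Map the preflight facts onto the page's three scenarios (pure, runs offline)."""
    if not p.in_organization:
        # Standalone account: Organizations and IAM Identity Center both still need enabling.
        return "standalone: set up Amazon Organizations, then enable IAM Identity Center (root user permissions)"
    if p.identity_center_enabled:
        return "configured: deploy the application; no further action needed"
    if p.is_management_account:
        return "not-configured: enable IAM Identity Center in this management account first"
    # Member account without a visible instance: this role cannot enable it.
    return "not-configured: ask the management account administrator to enable IAM Identity Center"


def gather(session=None) -> Preflight:
    """Query the live account. boto3 is imported lazily so next_step() needs no network."""
    import boto3  # assumption: boto3 available with credentials for the target account
    session = session or boto3.Session()
    org = session.client("organizations")
    sts = session.client("sts")
    sso = session.client("sso-admin")

    account_id = sts.get_caller_identity()["Account"]
    try:
        # MasterAccountId is the Organizations management account.
        mgmt_id = org.describe_organization()["Organization"]["MasterAccountId"]
        in_org = True
    except org.exceptions.AWSOrganizationsNotInUseException:
        mgmt_id, in_org = None, False

    # An empty list means no IAM Identity Center instance is visible from this
    # account in the session's Region; check the Region where it was enabled.
    instances = sso.list_instances().get("Instances", [])
    return Preflight(in_org, account_id == mgmt_id, bool(instances))


if __name__ == "__main__":
    print(next_step(gather()))
```

The check is read-only; it does not enable any service itself.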