AWS IAM Identity Center is the new name for AWS Single Sign-On (AWS SSO). It’s a cloud-based identity and access management service that simplifies managing access to multiple AWS accounts and cloud applications.
Here’s how to set it up:
1. Enable IAM Identity Center
First, you need to enable the service in your AWS account.
- Go to the IAM Identity Center console.
- Click "Enable IAM Identity Center."
This action provisions the necessary resources for IAM Identity Center within your AWS account.
2. Choose Your Identity Source
IAM Identity Center can use different sources to authenticate your users:
- IAM Identity Center Directory: A built-in identity store managed by IAM Identity Center.
- Active Directory: Connect to your existing on-premises or AWS Managed Microsoft AD.
- External Identity Provider (IdP): Integrate with SAML 2.0 compatible IdPs like Okta, Azure AD, or Google Workspace.
For this example, let’s assume you choose the IAM Identity Center Directory.
Action:
- In the IAM Identity Center console, under "Settings," select "Identity source."
- Choose "IAM Identity Center directory" and click "Save."
This creates a basic user directory where you can start adding users and groups.
3. Add Users and Groups
Now, populate your identity store with users and organize them into groups.
Action:
- In the IAM Identity Center console, navigate to "Users" on the left-hand menu.
- Click "Add user."
- Fill in the user’s details: Username, Email, First name, Last name.
- Click "Next."
- You can optionally add the user to groups. If you want to create a new group, click "Add group," provide a name (e.g., Developers), and then add the user to it.
- Click "Add user."
Repeat this process for all necessary users and groups.
4. Configure AWS Access
This is where you connect IAM Identity Center to your AWS accounts and define what permissions users/groups have.
Action:
- In the IAM Identity Center console, navigate to "AWS accounts" on the left-hand menu.
- Click "Configure AWS access."
- Under "Permissions," you’ll see "Permission sets." A permission set defines the level of access a user will have to an AWS account. IAM Identity Center provides some AWS managed permission sets (e.g., ReadOnlyAccess, AdministratorAccess). You can also create custom ones.
- For this setup, let’s use the AdministratorAccess permission set.
- Click "Assign users or groups."
- Select the user or group you want to assign access to (e.g., the Developers group).
- Click "Next."
- Select the AWS account(s) you want to assign access to. You can select individual accounts or entire Organizational Units (OUs) if you have AWS Organizations set up.
- Click "Next."
- Select the permission set you want to assign (e.g., AdministratorAccess).
- Click "Next."
- Review your assignments and click "Submit."
This assignment means that users in the Developers group will have administrator access to the selected AWS account(s) when they log in via IAM Identity Center.
5. User Access Portal
Users access their AWS accounts and applications through the IAM Identity Center user access portal.
Action:
- In the IAM Identity Center console, under "Settings," find your "User access URL." It will look something like https://<your-account-id>.awsapps.com/start.
- Share this URL with your users.
- When users visit this URL, they will be prompted to log in with their IAM Identity Center credentials (username and password created in step 3).
- After successful authentication, they will see a dashboard listing the AWS accounts and permission sets they have been assigned.
- Clicking on an AWS account with an assigned permission set will provision temporary credentials and redirect them to the AWS Management Console with those credentials.
The surprising truth about IAM Identity Center is that it fundamentally shifts the control plane for AWS access away from individual IAM roles in each account and towards a centralized, identity-provider-centric model. Instead of managing IAM roles and policies across dozens or hundreds of accounts, you define "permission sets" in IAM Identity Center, which are then mapped to IAM roles automatically created and managed by IAM Identity Center within each target AWS account. This means your primary focus for access management becomes the central IAM Identity Center configuration and your chosen identity source, rather than the distributed IAM configurations within each account.
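To make the assignment model from step 4 concrete, here is an added Python example (not part of the original walkthrough) that expands group assignments into per-user access and lists who ends up with a permission set that attaches AdministratorAccess, the review a practitioner would run before sharing the portal URL. The ARNs, account ids, group and user names are constructed sample data in the shape of the sso-admin API responses; nothing here calls AWS.

```python
"""Offline review of IAM Identity Center assignments on constructed sample data.
Records mirror sso-admin responses (ListPermissionSets, ListManagedPoliciesInPermissionSet,
ListAccountAssignments) plus Identity Store group membership; nothing calls AWS."""
from dataclasses import dataclass

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

@dataclass
class PermissionSet:
    arn: str
    name: str
    managed_policies: list  # AWS managed policy ARNs attached to the set

@dataclass
class Assignment:
    account_id: str
    permission_set_arn: str
    principal_type: str  # "USER" or "GROUP", as in ListAccountAssignments
    principal_id: str

def effective_access(perm_sets, assignments, group_members):
    """Expand group assignments to users: {user: {(account_id, set_name), ...}}."""
    names = {ps.arn: ps.name for ps in perm_sets}
    access = {}
    for a in assignments:
        users = group_members.get(a.principal_id, ()) if a.principal_type == "GROUP" else (a.principal_id,)
        for user in users:
            access.setdefault(user, set()).add((a.account_id, names[a.permission_set_arn]))
    return access

def admin_grants(perm_sets, assignments, group_members):
    """Sorted (account_id, user, set_name) for every set that attaches AdministratorAccess."""
    admin = {ps.name for ps in perm_sets if ADMIN_POLICY_ARN in ps.managed_policies}
    access = effective_access(perm_sets, assignments, group_members)
    return sorted((acct, user, name) for user, grants in access.items()
                  for acct, name in grants if name in admin)

# Constructed sample: hypothetical instance/permission-set ARNs, account ids and users.
PERM_SETS = [
    PermissionSet("arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin", "AdministratorAccess", [ADMIN_POLICY_ARN]),
    PermissionSet("arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-ro", "ReadOnlyAccess", ["arn:aws:iam::aws:policy/ReadOnlyAccess"]),
]
GROUPS = {"Developers": ["alice", "bob"]}  # Identity Store group membership
ASSIGNMENTS = [
    Assignment("111111111111", PERM_SETS[0].arn, "GROUP", "Developers"),  # the step 4 assignment
    Assignment("222222222222", PERM_SETS[1].arn, "GROUP", "Developers"),
    Assignment("111111111111", PERM_SETS[1].arn, "USER", "carol"),
]
```

Running admin_grants(PERM_SETS, ASSIGNMENTS, GROUPS) on the sample reports alice and bob as administrators of account 111111111111 through the Developers group, while carol only appears in effective_access with ReadOnlyAccess.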
The next concept you’ll likely explore is integrating external identity providers for a more seamless user experience, especially in organizations already using services like Azure AD or Okta.