

Amazon CodeCatalyst will no longer be open to new customers starting on November 7, 2025. If you would like to use the service, please sign up prior to November 7, 2025. For more information, see [Migrating from Amazon CodeCatalyst](https://docs.aws.amazon.com/codecatalyst/latest/userguide/migration.html).

# Administering spaces that support identity federation
<a name="managing-federation-space"></a>

You can manage your space in CodeCatalyst after you have set up the space for identity federation. 

This guide includes information about administrator tasks for managing spaces in CodeCatalyst that support identity federation. 

For information about the following tasks for managing AWS Builder ID spaces, see the *CodeCatalyst User Guide*:
+ Add other space administrators to the space for an AWS Builder ID space
+ Change member roles and permissions for an AWS Builder ID space
+ Create projects and add members to the project
+ View a list of all projects in the space
+ View the activity feed for all projects in the space
+ Invite users for an AWS Builder ID space

For the steps to set up a CodeCatalyst space without identity federation (an AWS Builder ID space), see [Setting up CodeCatalyst](https://docs.aws.amazon.com//codecatalyst/latest/userguide/setting-up-topnode.html) in the *Amazon CodeCatalyst User Guide*.

If you have not already connected the AWS account that will be the specified billing account for your space and set up your identity provider in IAM Identity Center, complete the prerequisites and create your first space as detailed in [Prerequisite 3: Setting up identity federation in IAM Identity Center](setting-up-federation.md#setting-up-prereq-identity) and [Creating a space for identity federation](setting-up-federation-space-create.md). You work with your Identity federation administrator and AWS account administrator to configure and enable your identity provider (IdP). The AWS account that is specified as the billing account for your CodeCatalyst space has different quotas from other account connections for a space. For more information, see [Quotas](https://docs.aws.amazon.com/codecatalyst/latest/userguide/quotas.html) in the *CodeCatalyst User Guide*.

**Important**  
Dev Environments aren't available for users in spaces where Active Directory is used as the identity provider. When planning a space where the identity provider will be Active Directory, note that users will not be able to use Dev Environments. For more information, see [I can't create a Dev Environment when I'm signed into CodeCatalyst using a single sign-on account](https://docs.aws.amazon.com/codecatalyst/latest/userguide/devenvironments-troubleshooting.html#troubleshoot-create-dev-env-idprovider).

# Creating a space for identity federation
<a name="setting-up-federation-space-create"></a>

You cannot directly add or remove users in your space that supports identity federation. You must work with your Identity federation administrator to manage SSO users and groups in IAM Identity Center. CodeCatalyst syncs on a regular basis with the IAM Identity Center identity store with the latest directory status for your space members.

Before you start to set up your space, make sure you are signed in to the AWS Management Console with the AWS account that will be the specified billing account for your space. 

**Before you begin**
+ Be ready to provide the AWS account ID of an account where you have administrative privileges, to use as the billing account for your space. Have your 12-digit AWS account ID ready. For information about finding your AWS account ID, see [Your AWS account ID and its alias](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html).

  You must have completed the prerequisites as follows:

  1. Create an organization in AWS Organizations (not required).

  1. Set up your billing account or your account in AWS Organizations.

  1. Enable IAM Identity Center.

  1. Set up your provider in IAM Identity Center.

  1. Create users and groups in IAM Identity Center.

**To create a space for identity federation**

1. Sign in to the Amazon CodeCatalyst page in the AWS Management Console with the AWS account that will be the specified billing account for your space.

1. Open the Amazon CodeCatalyst page in the AWS Management Console at [https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/](https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/).

1. Choose **IAM Identity Center**. On the **IAM Identity Center** page, under **Application Enabled Spaces**, choose **Connect**.
**Tip**  
Make sure you are signed in to the AWS Management Console with the AWS account that will be the specified billing account for your space. 

1. In **AWS Region**, choose the Region for your space. Make sure to choose the same Region where your identity resources are created.
**Note**  
For IAM Identity Center resources, choose the same Region as your CodeCatalyst space. While you can choose a different Region, this might impact connectivity and latency.

1. Under **Step 1: Choose application name**, in **Display name**, enter a name that will match your company name for display on login screens and in CodeCatalyst.
**Note**  
Identity Center application names must be globally unique.
**Important**  
Your application name will represent your company and will be visible for selection as an option where users from a workforce directory will access CodeCatalyst.

1. In **AWS Identity Center application name**, provide the name to use when signing in to CodeCatalyst with SSO. This is the name that will represent your company association between your identity provider and your CodeCatalyst space. When you create an application, it is associated with your identity store ID in IAM Identity Center.

1. In **Identity store ID**, the ID for the associated identity store in IAM Identity Center displays. To change this, choose **go to IAM Identity Center**.

1. Choose **Next**.

1. Under **Step 2: Choose or create a CodeCatalyst space**, do one of the following:
   + To set up an existing CodeCatalyst space to support identity federation and create an application for it, choose **Existing CodeCatalyst**. In the dropdown field for **Choose existing CodeCatalyst**, choose the existing CodeCatalyst space you want to set up.
**Note**  
If you set up an existing space by adding SSO support, only SSO users and groups will be supported. Existing AWS Builder ID users will no longer be supported. This action cannot be undone, and you can't change the space back to an AWS Builder ID space later.
   + To set up a new CodeCatalyst space, choose **New space**.

     In **Space name**, enter a name for your CodeCatalyst space.
**Note**  
Space names must be unique across CodeCatalyst. You cannot reuse names of deleted spaces.

1. Choose **Next**.

1. Under **Step 3: Connect groups**, in **Choose groups**, choose the SSO users and groups you want to add to the space. Choose the box next to each group you want to add. These must be already available in IAM Identity Center for your identity provider.

1. Choose **Next**.

1. Under **Step 4: Assign users to the CodeCatalyst Space administrator role**, choose the users to whom you want to assign the **Space administrator** role. These users will have **Space administrator** permissions in CodeCatalyst for your space, including removing members and deleting the space. For more information about the role, see [Working with roles in Amazon CodeCatalyst](https://docs.aws.amazon.com//codecatalyst/latest/userguide/ipa-roles.html).

1. Choose **Next**.

1. On the Step 5 page of the wizard, review the summary for the space.
**Note**  
Make sure you are ready to create the space with the space name you have chosen. Once you create the space, you will not be able to reuse the space name, even if the space is deleted. SSO application names can be reassigned to another space, but the space name itself cannot be reused.

## Next steps: Create teams, projects, and resources in CodeCatalyst
<a name="setting-up-federation-space-references"></a>

After you have created your space, you can perform the following tasks. 
+ Create projects from blueprints in CodeCatalyst. For a tutorial, see [Tutorial: Creating a project with the Modern three-tier web application blueprint](https://docs.aws.amazon.com//codecatalyst/latest/userguide/getting-started-template-project.html) in the *Amazon CodeCatalyst User Guide*.
+ Work with workflows, repositories, and other resources in CodeCatalyst. See [Build, test, and deploy with workflows in CodeCatalyst](https://docs.aws.amazon.com//codecatalyst/latest/userguide/flows.html) in the *Amazon CodeCatalyst User Guide*.
+ Create teams in CodeCatalyst and import your users and groups into teams. See [Managing teams](https://docs.aws.amazon.com//codecatalyst/latest/userguide/managing-teams.html) in the *Amazon CodeCatalyst User Guide*.
+ Create issues and assign tasks to users and teams in CodeCatalyst. See [Issues in CodeCatalyst](https://docs.aws.amazon.com//codecatalyst/latest/userguide/managing-teams.html) in the *Amazon CodeCatalyst User Guide*.

# Configure an existing CodeCatalyst space for identity federation
<a name="managing-federation-space-existing"></a>

You must have the **Space administrator** role and access to the billing account for the space in order to view SSO users and groups for your space. 

You must have completed the prerequisites in AWS Organizations and IAM Identity Center for a space. The space can only support members that are managed as federated identities in IAM Identity Center.

You cannot directly add or remove users in your space in CodeCatalyst. You must work with your Identity federation administrator to manage SSO users and groups in IAM Identity Center. CodeCatalyst syncs with the IAM Identity Center on a regular basis to update your space members.

**Important**  
After a space is updated to SSO and associated with an Identity Center application, it is an enabled space in CodeCatalyst for SSO. The space will no longer support AWS Builder ID users. This action cannot be undone, and you can't change the space back to an AWS Builder ID space later.

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Choose **Settings**, and then choose **SSO**. 

1. On the **SSO not enabled** message, choose **Set up in AWS**. The wizard page opens for creating a space. To complete the wizard, see the steps in [Creating a space for identity federation](setting-up-federation-space-create.md).

   To view information in IAM Identity Center, choose **IAM Identity Center**. You will be taken to IAM Identity Center, where you can work with your Identity federation administrator to configure SSO users and groups for your instance in IAM Identity Center.

# Viewing SSO users and groups for a space
<a name="managing-federation-space-view-users-groups"></a>

You must have the **Space administrator** role and access to the billing account for your space to view SSO users and groups for your space. You cannot directly add or remove SSO users or groups in CodeCatalyst.

**Note**  
Users or groups that are added to IAM Identity Center assignments usually appear in CodeCatalyst within two hours. Depending on the amount of data being synchronized, this process might take longer. 

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. To view users in each group, choose the group. To view application details in the AWS Management Console, choose **View application**. 

   To view information in IAM Identity Center, choose **IAM Identity Center**. You will be taken to IAM Identity Center, where you can work with your Identity federation administrator to configure SSO users and groups for your instance in IAM Identity Center.

# Adding SSO groups to a space that supports identity federation
<a name="managing-federation-space-add-users-groups"></a>

You can use the Amazon CodeCatalyst page in the AWS Management Console to add SSO groups to your space. You must have already worked with your Identity federation administrator to create the SSO users and groups for your instance in IAM Identity Center. For a high-level reference to the prerequisites steps to configure SSO users and groups in IAM Identity Center, see [Prerequisite 3: Setting up identity federation in IAM Identity Center](setting-up-federation.md#setting-up-prereq-identity).

**Note**  
Users or groups that are added to IAM Identity Center assignments usually appear in CodeCatalyst within two hours. Depending on the amount of data being synchronized, this process might take longer. 

You must have the **Space administrator** role and access to the billing account for your space to view SSO users and groups for your space.

You cannot directly add or remove users in your space in CodeCatalyst. You must work with your Identity federation administrator to manage SSO users and groups in IAM Identity Center. CodeCatalyst syncs on a regular basis with the IAM Identity Center identity store with the latest directory status for your space members.

1. Open the Amazon CodeCatalyst page in the AWS Management Console at [https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/](https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/).

1. Navigate to the page for your space. Choose **Edit SSO**. Choose the SSO groups you want to add to your space.

1. To view more information in IAM Identity Center, choose **IAM Identity Center**.

# Adding the **Space administrator** role to SSO users in a space
<a name="managing-federation-space-change-administrator"></a>

You can use the Amazon CodeCatalyst page in the AWS Management Console to assign the **Space administrator** role to individual users in your SSO groups. You cannot directly add or remove users in your space in CodeCatalyst. You must have already worked with your Identity federation administrator to create the SSO users and groups for your instance in IAM Identity Center. CodeCatalyst syncs on a regular basis with the IAM Identity Center identity store with the latest directory status for your space members.

**Note**  
Users or groups that are added to IAM Identity Center assignments usually appear in CodeCatalyst within two hours. Depending on the amount of data being synchronized, this process might take longer. 

You must have the **Space administrator** role and access to the billing account for your space to view SSO users and groups for your space. 

1. Open the Amazon CodeCatalyst page in the AWS Management Console at [https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/](https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/).

1. Navigate to the page for your space. Choose **Edit IAM Identity Center**. 

1. Choose the individual users that you want to grant the **Space administrator** role for your space.

1. To view more information in IAM Identity Center, choose **IAM Identity Center**.

# Deleting a space that supports identity federation
<a name="managing-federation-space-delete"></a>

You can delete a space that supports identity federation when you no longer need it. 

**Note**  
Deleting the space will delete all projects and resources in the space. Deleting the space will remove the associated SSO users and groups from the space.

You must have the **Space administrator** role and access to the billing account for your space to view SSO users and groups for your space.

**To delete a space that supports identity federation**

1. Open the Amazon CodeCatalyst page in the AWS Management Console at [https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/](https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/).

1. On the page for your space, choose **Delete**.
**Tip**  
Make sure you are signed in to the AWS Management Console with the AWS account that will be the specified billing account for your space. 

1. Choose **Delete**.

1. You can retain the previously associated Identity Center application or delete it.

# Administering Identity Center applications
<a name="managing-federation-application"></a>

An *Identity Center application* is an association between your CodeCatalyst space and IAM Identity Center. The Identity Center application allows users from your company directory to sign in to CodeCatalyst, so your application name will represent your company and will be visible for selection as an option where users from a workforce directory will access CodeCatalyst. As part of creating a space that supports identity federation, you will choose or create the Identity Center application that will be associated with your space. You can associate multiple spaces with a single Identity Center application. When setting up the Identity Center application for CodeCatalyst, note that the application name must be unique across CodeCatalyst and your IAM Identity Center instances. This uniqueness requirement helps prevent confusion and ensures proper identification of different applications. This unique name is primarily for administrative purposes within IAM Identity Center and doesn't affect the functionality of CodeCatalyst.

**Note**  
The name for your Identity Center application must be globally unique. In addition, since the name will be viewable for signing in and on certain pages in CodeCatalyst, choose a name that will suitably relate to your company for users signing in.

You can manage this application and its association with your space in the Amazon CodeCatalyst page in the AWS Management Console. For information about creating your application, see [Creating a space for identity federation](setting-up-federation-space-create.md).

**Important**  
Dev Environments aren't available for users in spaces where Active Directory is used as the identity provider. When planning a space where the identity provider will be Active Directory, note that users will not be able to use Dev Environments. For more information, see [I can't create a Dev Environment when I'm signed in to CodeCatalyst using a single sign-on account](https://docs.aws.amazon.com/codecatalyst/latest/userguide/devenvironments-troubleshooting.html#troubleshoot-create-dev-env-idprovider).  



| Topic | Description | 
| --- | --- | 
|  [Viewing Identity Center application details](managing-federation-application-view.md)  |  This topic describes how to view the space name, display name, and application name of your Identity Center application. You can also view the users to whom you have assigned the **Space administrator** role, and view the SSO groups that you have added to your space.  | 
|  [Editing Identity Center application details](managing-federation-application-edit.md)  |  This topic describes how to edit the SSO groups assigned to your space, how to assign additional administrators to your space, and how to make updates to your connected groups.  | 
|  [Associating a space to your Identity Center application](managing-federation-application-associate.md)  |  This topic describes how to connect a CodeCatalyst space to an Identity Center application.  | 
|  [Disassociating an Identity Center application from a space](managing-federation-application-disassociate.md)  |  This topic describes how to disconnect a CodeCatalyst space from an Identity Center application. You can reconnect the application later, or associate it with another space.  | 

# Viewing Identity Center application details
<a name="managing-federation-application-view"></a>

You can view the details for the space associated with your Identity Center application.

**Note**  
Users or groups that are added to IAM Identity Center assignments usually appear in CodeCatalyst within two hours. Depending on the amount of data being synchronized, this process might take longer. 

**To view space and Identity Center application details**

1. Open the Amazon CodeCatalyst page in the AWS Management Console at [https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/](https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/).

1. Choose **IAM Identity Center**. On the **IAM Identity Center** page, under **Application Enabled Spaces**, view the spaces enabled for SSO and associated with your application.
**Tip**  
Make sure you are signed in to the AWS Management Console with the AWS account that will be the specified billing account for your space. 

1. In **Space name**, view the name for your space.

1. In **Display name**, view the name that displays on the sign-in page for your space.

1. In **Application name**, view the name of your Identity Center application.

1. In **Space administrators**, view the users that you have assigned the **Space administrator** role for your space. These are members of the SSO group who have individual permissions in CodeCatalyst.

1. In **Connected groups**, view the SSO groups that you have added to your space. The users in these groups can be viewed in the member lists in your CodeCatalyst space, projects, and teams.

1. To make updates to your connected groups, choose **Edit Identity Center application**. You will be taken to IAM Identity Center where you can work with your Identity federation administrator to configure SSO users and groups for your instance in IAM Identity Center.

# Editing Identity Center application details
<a name="managing-federation-application-edit"></a>

You can edit the details for your Identity Center application, such as choosing SSO users and groups that are available in IAM Identity Center.

**Note**  
Users or groups that are added to IAM Identity Center assignments usually appear in CodeCatalyst within two hours. Depending on the amount of data being synchronized, this process might take longer. 

**To edit space and Identity Center application details**

1. Open the Amazon CodeCatalyst page in the AWS Management Console at [https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/](https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/).

1. Choose **IAM Identity Center**. On the **IAM Identity Center** page, under **Application Enabled Spaces**, view the spaces enabled for SSO and associated with your application.
**Tip**  
Make sure you are signed in to the AWS Management Console with the AWS account that will be the specified billing account for your space. 

1. Choose your space from the list, and then choose **Edit space**.

1. On the **Edit assigned users and groups** page, view your application details.

1. In **Groups connected to this space**, choose the SSO groups that you want to add to your space. The users in these groups can be viewed in the member lists in your CodeCatalyst space, projects, and teams.

1. Under **Space administrators**, in **Assign additional administrators**, choose the users to whom you want to assign the **Space administrator** role for your space. These are members of the SSO group who have individual permissions in CodeCatalyst.

1. To make updates to your connected groups, choose **Manage in IAM Identity Center**. You will be taken to IAM Identity Center where you can work with your Identity federation administrator to configure SSO users and groups for your instance in IAM Identity Center.

# Associating a space to your Identity Center application
<a name="managing-federation-application-associate"></a>

You can associate a space with your CodeCatalyst Identity Center application. You must have already completed the prerequisites for setting up identity federation in AWS Organizations and IAM Identity Center.

**To associate a space to an Identity Center application**

1. Open the Amazon CodeCatalyst page in the AWS Management Console at [https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/](https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/).

1. Choose **IAM Identity Center**. On the **IAM Identity Center** page, under **Application Enabled Spaces**, view the spaces enabled for SSO and associated with your application.
**Tip**  
Make sure you are signed in to the AWS Management Console with the AWS account that will be the specified billing account for your space. 

1. Under **Application Enabled Spaces**, choose **Connect space**. On the **Choose or create a CodeCatalyst space** page, choose the space that you want to associate with your application, or you can choose to create a new space.

# Disassociating an Identity Center application from a space
<a name="managing-federation-application-disassociate"></a>

You can disassociate the Identity Center application that is associated with your CodeCatalyst space. You can reassociate the Identity Center application later, or you can associate the Identity Center application to another space.

**Note**  
If you delete the identity store in IAM Identity Center, then the Identity Center application is automatically disassociated from the CodeCatalyst space.

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Choose **IAM Identity Center**. On the **IAM Identity Center** page, under **Application Enabled Spaces**, view the spaces enabled for SSO and associated with your application.
**Tip**  
Make sure you are signed in to the AWS Management Console with the AWS account that will be the specified billing account for your space. 

1. Under **Application Enabled Spaces**, choose the space that you want to disassociate from your application. Choose **Disassociate space from application**.

1. Enter the confirmation for disassociating the application, and then choose **Disassociate**.
**Important**  
This action will remove all SSO users as members in the CodeCatalyst space.

   The Identity Center application will be available to be reassociated with this space or another space when needed.