

# Enable IAM Identity Center
<a name="enable-identity-center"></a>

When you enable IAM Identity Center you choose an AWS IAM Identity Center instance type to enable. An instance of a service is a single deployment of a service within your AWS environment. There are two types of instances available for IAM Identity Center: organization instances and account instances. The instance types available for you to enable depend upon the account type you are signed into.

The following list identifies the type of IAM Identity Center instances you can enable for each type of AWS account:
+ **Your AWS Organizations management account (recommended)** – Required to create an [organization instance](organization-instances-identity-center.md) of IAM Identity Center. Use an organization instance for multi-account permissions and application assignments across the organization. You can replicate this instance type to additional Regions for enhanced resiliency of account access and flexibility in the choice of AWS application deployment Regions.
+ **Your AWS Organizations member account** – Use to create an [account instance](account-instances-identity-center.md) of IAM Identity Center to enable application assignments within that member account. One or more accounts with a member level instance can exist in an organization.
+ **A standalone AWS account** – Use to create an [organization instance](organization-instances-identity-center.md) or [account instance](account-instances-identity-center.md) of IAM Identity Center. The standalone AWS account isn't managed by AWS Organizations. You can associate only one instance of IAM Identity Center with a standalone AWS account and use that instance for application assignments within that standalone AWS account.

**Important**  
The organization management account can control whether [organization member accounts can create account instances of IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/control-account-instance.html) by using a Service Control Policy.  
If you use a free tier account, creating an AWS organization automatically upgrades your account to a paid plan with pay-as-you-go pricing. Your free tier credits expire immediately. For more information, see [AWS Free Tier FAQs](https://aws.amazon.com/free/free-tier-faqs/).

For a comparison of the different capabilities provided by the different instance types, see [Organization and account instances of IAM Identity Center](identity-center-instances.md).

Before enabling IAM Identity Center, we recommend you review the [IAM Identity Center prerequisites and considerations](identity-center-prerequisites.md).

## To enable an instance of IAM Identity Center
<a name="to-enable-identity-center-instance"></a>

Choose the tab for the type of IAM Identity Center instance you want to enable, either an organization or account instance:

------
#### [ Organization (recommended) ]

1. Do one of the following to sign in to the AWS Management Console.
   + **New to AWS (root user)** – Sign in as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.
   + **Already using AWS with a standalone AWS account (IAM credentials)** – Sign in using your IAM credentials with administrative permissions.
   + **Already using AWS Organizations (IAM credentials)** – Sign in using your management account credentials.

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. (Optional) If you want to use a customer managed KMS key for encryption at rest rather than the default AWS managed key, configure the customer managed key in the **Key for encrypting IAM Identity Center data at rest** section. For more information, refer to [Implementing customer managed KMS keys in AWS IAM Identity Center](identity-center-customer-managed-keys.md).
**Important**  
Perform this step only if you've configured the necessary permissions for use of the KMS customer managed key. Without proper permissions, this step may fail or disrupt IAM Identity Center administration and AWS managed applications.

1. Under **Enable IAM Identity Center**, choose **Enable**.

1. On the **Enable IAM Identity Center with AWS Organizations** page, review the information and then select **Enable** to complete the process. 
**Note**  
AWS Organizations can have IAM Identity Center enabled only in a single AWS Region. After enabling IAM Identity Center, if you need to change the Region that IAM Identity Center is enabled in, you must [delete](delete-config.md) the current instance and create an instance in the other Region. 

After enabling your organization instance we recommend that you do the following steps to finish setting up your environment:
+ Confirm that you are using the identity source of your choice. If you already have an assigned identity source, you can continue to use it. For more information, see [Confirm your identity sources in IAM Identity Center](confirm-identity-source.md).
+ Register a member account as a delegated administrator. For more information, see [Delegated administration](delegated-admin.md).
+ IAM Identity Center provides you an access portal to AWS resources. If you filter access to specific AWS domains or URL endpoints by using a web content filtering solution such as next-generation firewalls (NGFW) or Secure Web Gateways (SWG), see [Update firewalls and gateways to allow access to the AWS access portal](enable-identity-center-portal-access.md).

------
#### [ Account ]

1. Do one of the following to sign in to the AWS Management Console.
   + **New to AWS (root user)** – Sign in as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.
   + **Already using AWS (IAM credentials)** – Sign in using your IAM credentials with administrative permissions.
   + **Already using AWS Organizations (IAM credentials)** – Sign in using your member account administrative credentials.

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. If you are new to AWS or have a standalone AWS account, under **Enable IAM Identity Center**, choose **Enable**.

   You see the **Enable IAM Identity Center with AWS Organizations** page. We recommend this option, but it is not required.

   Select the link **enable an account instance of IAM Identity Center**.

1. If you are an administrator of an AWS Organizations member account, under **Enable an account instance of IAM Identity Center**, select **Enable an account instance**.

1. On the **Enable an account instance of IAM Identity Center** page, review the information and *optionally* add tags that you want to associate with this account instance. Then select **Enable** to complete the process.
**Note**  
If your AWS account is a member of an organization, there might be restrictions on your ability to enable an account instance of IAM Identity Center.  
If your organization enabled IAM Identity Center before November 15, 2023, the ability for member accounts to create account instances is disabled by default and must be enabled by the management account of the organization.  
If your organization enabled IAM Identity Center after November 15, 2023, the ability for member accounts to create account instances is enabled by default. However, service control policies can be used to prevent the creation of account instances of IAM Identity Center within an organization.  
For more information, see [Permit account instance creation in member accounts](enable-account-instance-console.md) and [Use Service Control Policies to control account instance creation](control-account-instance.md).

------

# Confirm your identity sources in IAM Identity Center
<a name="confirm-identity-source"></a>

Your identity source in IAM Identity Center defines where your users and groups are managed. After you enable IAM Identity Center, confirm that you are using the identity source of your choice. If you already have an assigned identity source, you can continue to use it. 

If you are already managing users and groups in Active Directory or an external IdP, we recommend that you consider connecting this identity source when you enable IAM Identity Center and choose your identity source. This should be done before you create any users and groups in the default Identity Center directory and make any assignments.

If you are already managing users and groups in one identity source in IAM Identity Center, changing to a different identity source might remove all user and group assignments that you configured in IAM Identity Center. If this occurs, all users, including the administrative user in IAM Identity Center, will lose single sign-on access to their AWS accounts and applications. For more information, see [Considerations for changing your identity source](manage-your-identity-source-considerations.md).

**To confirm your identity source**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. On the **Dashboard** page, below the **Recommended setup steps** section, choose **Confirm your identity source**. You can also access this page by choosing **Settings** and choosing the **Identity source** tab.

1. There is no action if you want to keep your assigned identity source. If you prefer to change it, choose **Actions**, and then choose **Change identity source**.

You can choose one of the following as your identity source: 

**Identity Center directory**  
When you enable IAM Identity Center for the first time, it is automatically configured with an Identity Center directory as your default identity source. If you aren't already using another external identity provider, you can get started creating your users and groups, and assign their level of access to your AWS accounts and applications. For a tutorial on using this identity source, see [Configure user access with the default IAM Identity Center directory](quick-start-default-idc.md).

**Active Directory**  
If you are already managing users and groups in either your AWS Managed Microsoft AD directory using Directory Service or your self-managed directory in Active Directory (AD), we recommend that you connect that directory when you enable IAM Identity Center. Don't create any users and groups in the default Identity Center directory. IAM Identity Center uses the connection provided by the AWS Directory Service to synchronize user, group, and membership information from your source directory in Active Directory to the IAM Identity Center identity store. For more information, see [Microsoft AD directory](manage-your-identity-source-ad.md).  
IAM Identity Center doesn't support SAMBA4-based Simple AD as an identity source.

**External identity provider**  
For external identity providers (IdPs) such as Okta or Microsoft Entra ID, you can use IAM Identity Center to authenticate identities from the IdPs through the Security Assertion Markup Language (SAML) 2.0 standard. The SAML protocol doesn't provide a way to query the IdP to learn about users and groups. You make IAM Identity Center aware of those users and groups by provisioning them into IAM Identity Center. You can perform automatic provisioning (synchronization) of user and group information from your IdP into IAM Identity Center using the System for Cross-domain Identity Management (SCIM) v2.0 protocol if your IdP supports SCIM. Otherwise, you can manually provision your users and groups by entering the user names, email addresses, and groups into IAM Identity Center.  
For detailed instructions on setting up your identity source, see [IAM Identity Center identity source tutorials](tutorials.md).  
If you plan to use an external identity provider, note that the external IdP, not IAM Identity Center, manages multi-factor authentication (MFA) settings. MFA in IAM Identity Center isn't supported for use by external identity providers. For more information, see [Prompt users for MFA](mfa-getting-started.md).

**Note**  
If you plan to replicate IAM Identity Center to additional Regions, you will need to configure an external identity provider. For more details including the prerequisites, see [Using IAM Identity Center across multiple AWS Regions](multi-region-iam-identity-center.md).

# Update firewalls and gateways to allow access to the AWS access portal
<a name="enable-identity-center-portal-access"></a>

The AWS access portal provides users with single sign-on access to all your AWS accounts and most commonly used cloud applications such as Office 365, Concur, Salesforce, and many more. You can quickly launch multiple applications simply by choosing the AWS account or application icon in the portal. 

**Note**  
AWS managed applications integrate with IAM Identity Center and use it for authentication and directory services, but might not use the AWS access portal for application access.

If you filter access to specific AWS domains or URL endpoints by using a web content filtering solution such as next-generation firewalls (NGFW) or Secure Web Gateways (SWG), you must allowlist the domains and URL endpoints associated with the AWS access portal.

The following list provides the IPv4 and dual-stack domains and URL endpoints to add to your web-content filtering solution allowlists.

**IPv4 allow list**
+ `[Directory ID or alias].awsapps.com`
+ `[Identity Center instance ID].[Region].portal.amazonaws.com`
+ `*.aws.dev`
+ `*.awsstatic.com`
+ `*.console.aws.a2z.com`
+ `oidc.[Region].amazonaws.com`
+ `*.sso.amazonaws.com`
+ `*.sso.[Region].amazonaws.com`
+ `*.sso-portal.[Region].amazonaws.com`
+ `[Region].prod.pr.panorama.console.api.aws/panoramaroute`
+ `[Region].signin.aws`
+ `[Region].signin.aws.amazon.com`
+ `signin.aws.amazon.com`
+ `*.cloudfront.net`
+ `opfcaptcha-prod.s3.amazonaws.com`

**Dual-stack allow list**
+ `[Identity Center instance ID].portal.[Region].app.aws`
+ `*.aws.dev`
+ `*.awsstatic.com`
+ `*.console.aws.a2z.com`
+ `oidc.[Region].api.aws`
+ `sso.[Region].api.aws`
+ `portal.sso.[Region].api.aws`
+ `[Region].sso.signin.aws`
+ `[Region].signin.aws.amazon.com`
+ `signin.aws.amazon.com`
+ `*.cloudfront.net`
+ `cdn.us-east-1.threat-mitigation.aws.amazon.com`
+ `us-east-1.threat-mitigation.aws.amazon.com`
+ `amcs-captcha-prod-us-east-1.s3.dualstack.us-east-1.amazonaws.com`

**Combined allow list (IPv4 and Dual-stack with backward compatibility)**
+ `[Directory ID or alias].awsapps.com`
+ `[Identity Center instance ID].[Region].portal.amazonaws.com`
+ `[Identity Center instance ID].portal.[Region].app.aws`
+ `*.aws.dev`
+ `*.awsstatic.com`
+ `*.console.aws.a2z.com`
+ `oidc.[Region].amazonaws.com`
+ `oidc.[Region].api.aws`
+ `*.sso.amazonaws.com`
+ `*.sso.[Region].amazonaws.com`
+ `sso.[Region].api.aws`
+ `*.sso-portal.[Region].amazonaws.com`
+ `portal.sso.[Region].api.aws`
+ `[Region].prod.pr.panorama.console.api.aws/panoramaroute`
+ `[Region].signin.aws`
+ `[Region].sso.signin.aws`
+ `[Region].signin.aws.amazon.com`
+ `signin.aws.amazon.com`
+ `*.cloudfront.net`
+ `opfcaptcha-prod.s3.amazonaws.com`
+ `cdn.us-east-1.threat-mitigation.aws.amazon.com`
+ `us-east-1.threat-mitigation.aws.amazon.com`
+ `amcs-captcha-prod-us-east-1.s3.dualstack.us-east-1.amazonaws.com`
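The allowlist entries above are templates with `[Region]`, `[Identity Center instance ID]` and `[Directory ID or alias]` placeholders, and some entries are wildcards or carry a path. The following added example (not AWS code; the Region, instance ID and alias values in it are constructed) renders the templates for one deployment, tests whether a given URL would pass a filter configured with them, and reports which rendered entries a filter's existing list is missing. The wildcard semantics ("`*.`" matches one or more subdomain labels) are an assumption; verify them against your own filtering product.

```python
from urllib.parse import urlsplit

# Placeholder tokens exactly as they appear in the documented allowlist entries.
PLACEHOLDERS = {"[Directory ID or alias]": "dir_alias",
                "[Identity Center instance ID]": "instance_id",
                "[Region]": "region"}

# Subset of the documented combined allowlist, copied from this page.
COMBINED_ALLOWLIST = [
    "[Directory ID or alias].awsapps.com",
    "[Identity Center instance ID].[Region].portal.amazonaws.com",
    "[Identity Center instance ID].portal.[Region].app.aws",
    "*.sso.amazonaws.com",
    "*.sso.[Region].amazonaws.com",
    "[Region].prod.pr.panorama.console.api.aws/panoramaroute",
    "signin.aws.amazon.com",
    "*.cloudfront.net",
]

def render_allowlist(entries, *, region, instance_id, dir_alias):
    """Substitute the documented placeholders with one deployment's values."""
    values = {"region": region, "instance_id": instance_id, "dir_alias": dir_alias}
    rendered = []
    for entry in entries:
        for token, key in PLACEHOLDERS.items():
            entry = entry.replace(token, values[key])
        rendered.append(entry)
    return rendered

def is_allowed(url, allowlist):
    """True if url's host matches an entry (and its path, for path-scoped entries).
    Assumption: a leading '*.' means one or more subdomain labels, so
    '*.sso.amazonaws.com' covers 'x.sso.amazonaws.com' but not bare 'sso.amazonaws.com'.
    Check this against your own product's wildcard rules before relying on it."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    for entry in allowlist:
        allowed_host, _, allowed_path = entry.lower().partition("/")  # path-scoped entry
        host_ok = (host.endswith(allowed_host[1:]) if allowed_host.startswith("*.")
                   else host == allowed_host)
        path_ok = not allowed_path or parts.path.startswith("/" + allowed_path)
        if host_ok and path_ok:
            return True
    return False

def missing_entries(required, configured):
    """Rendered entries that the filter's configured list does not yet contain."""
    present = {c.strip().lower() for c in configured}
    return [r for r in required if r.lower() not in present]
```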

## Considerations for allowlisting domains and URL endpoints
<a name="allowlist-considerations"></a>

In addition to the allowlist requirements for the AWS access portal, the other services and applications you use might require allowlisting of domains. 
+ To access AWS accounts, the AWS Management Console, and the IAM Identity Center console from your AWS access portal, you must allowlist additional domains. Refer to [Troubleshooting](https://docs.aws.amazon.com//awsconsolehelpdocs/latest/gsg/troubleshooting.html) in the *AWS Management Console Getting Started Guide* for a list of AWS Management Console domains.
+ To access AWS managed applications from your AWS access portal, you must allowlist their respective domains. Refer to the respective service documentation for guidance. 
+ If you use external software, such as external IdPs (for example, Okta and Microsoft Entra ID), you'll need to include their domains in your allowlists.