AWS Security Blog

Get ready for upcoming changes in the AWS IAM Identity Center user sign-in process

September 12, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here.

October 21, 2020: This post has been updated to reflect the change in date for updates to AWS IAM Identity Center sign-in process from early October to early November.


To improve security, enhance user experience, and address compatibility with future AWS Identity changes, AWS IAM Identity Center (IAM Identity Center) is making changes to the sign-in process that will affect some AWS IAM Identity Center customers. The changes will go into effect globally in early November 2020.

  • The AWS IAM Identity Center sign-in pages are moving to a new top-level DNS domain: signin.aws. To prepare for the change, if your network and security administrators currently filter access to specific Amazon Web Service (AWS) domains or sign-in endpoints, they must add the new sign-in domain to their allow-lists.
  • The AWS IAM Identity Center user experience for sign-in, password change, and user invitation flows will change if you use the AWS IAM Identity Center built-in identity store or Microsoft Active Directory. No action is required from you as an AWS IAM Identity Center administrator, but you might need to prepare your users by updating training materials and documentation.

What is AWS IAM Identity Center?

AWS IAM Identity Center makes it easier to centrally manage access to multiple AWS accounts and business applications. It also enables you to provide users with IAM Identity Center access to all their assigned accounts and applications. With AWS IAM Identity Center, you can use the AWS IAM Identity Center identity store to create and manage user identities or connect to your existing identity source, including Microsoft Active Directory, Okta Universal Directory, and Azure Active Directory. To learn more, visit the AWS IAM Identity Center page.

What is AWS IAM Identity Center user portal?

The AWS IAM Identity Center user portal is a central place where your users can see and access their assigned AWS accounts, roles, and applications. You provide an AWS IAM Identity Center user portal URL to your users where they sign in to AWS accounts and services and to integrated AWS and third-party applications.

While signing in, users first navigate to the user portal URL: https://[yourdirectory].awsapps.com/start. If you’re using the AWS IAM Identity Center identity store or Microsoft Active Directory, users are presented with the page at https://[yourdirectory].awsapps.com/login to sign in. If you’re using an external identity provider (IdP), users are redirected to the AWS IAM Identity Center page at https://[yourdirectory].awsapps.com/login first, and from there are redirected to the external IdP sign-in page. After successful authentication, users are redirected back to the AWS IAM Identity Center SAML endpoint with a SAML response.

You can also implement an external IdP-initiated SAML flow, providing users with an IdP user-portal URL. From there, users are redirected to the AWS IAM Identity Center SAML endpoint and then to the AWS IAM Identity Center user portal without accessing the AWS IAM Identity Center URL (https://[yourdirectory].awsapps.com/login).

What’s changing and how to prepare?

New AWS IAM Identity Center sign-in domain

The new AWS IAM Identity Center sign-in domain will affect only AWS IAM Identity Center customers who use web content filtering solutions such as next-generation firewalls (NGFW) or secure web gateways (SWG) to control access to AWS sign-in domains. In November, 2020, AWS IAM Identity Center will move its sign-in page from https://[yourdirectory].awsapps.com/login to https://[yourregion].signin.aws/platform/login. If you control access to specific AWS domains, you must add the new domain—signin.aws—to your allow-list.

After the change, your users will first navigate to an AWS IAM Identity Center URL—https://[yourdirectory].awsapps.com/start then https://[yourdirectory].awsapps.com/login—which will stay on the awsapps.com domain. Your users will then be redirected to the new sign-in page at https://[yourregion].signin.aws/platform/login, residing on a new signin.aws top-level DNS domain. There, depending on your AWS IAM Identity Center identity store configuration, users will either provide their sign-in credentials or be redirected to your external IdP sign-in page for authentication.

Note that adding the signin.aws domain to your web content filtering allow-lists before the change won’t impact the current system behavior. We encourage you to add the new sign-in domain as soon as possible.

No action is required if you don’t explicitly control allowed sign-in domains.

Note: If your users are using a password manager to sign in to AWS IAM Identity Center, and you’re using AWS IAM Identity Center native identity store or Microsoft Active Directory, password manager’s functionality may also be affected by the new signin.aws domain. You may need to prepare your users to update their password manager configuration.

Changes in AWS IAM Identity Center user experience

The user experience changes will affect only AWS IAM Identity Center customers who use the AWS IAM Identity Center native identity store or Microsoft Active Directory as their AWS IAM Identity Center identity source. The new user experience will go into effect automatically and won’t require any action by you as an AWS IAM Identity Center administrator. However, you should be aware of the change, and might need to update any related documentation and user training materials.

For usability and enhanced security, the new AWS IAM Identity Center sign-in will split entry of the username and password into two steps, as shown in Figure 1. This is the only change to the AWS IAM Identity Center sign-in flow user experience.

Figure 1: New AWS IAM Identity Center sign-in

Figure 1: New AWS IAM Identity Center sign-in

Another change will affect the invite and password change flows. The current flows let users sign in automatically after updating or setting a new password. For security reasons, the new flows will require users to sign in again with their new password.

The user experience changes won’t affect customers using AWS IAM Identity Center with external IdPs.

Need more assistance?

AWS IQ enables AWS customers to find, securely collaborate with, and pay AWS Certified third-party experts for on-demand project work. Visit the AWS IQ page for information about how to submit a request, get responses from experts, and choose the expert with the right skills and experience. To start a request, sign in to your console and select Get Started with AWS IQ to start a request.

If you have any questions or issues, contact AWS Support or your technical account manager (TAM). If you have feedback about this post, submit comments in the Comments section below.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Author

Yuri Duchovny

Yuri is a New York-based Solutions Architect specializing in cloud security, identity, and compliance. He supports cloud transformations at large enterprises, helping them make optimal technology and organizational decisions. Prior to his AWS role, Yuri’s areas of focus included application and networking security, DoS, and fraud protection. Outside of work, he enjoys skiing, sailing, and traveling the world.