
Authentication in IAM Identity Center


A user signs in to the AWS access portal using their user name. When they do, IAM Identity Center redirects the request to the IAM Identity Center authentication service based on the directory associated with the user email address. Once authenticated, users have single sign-on access to any of the AWS accounts and third-party software-as-a-service (SaaS) applications that show up in the portal without additional sign-in prompts. This means that users no longer need to keep track of multiple account credentials for the various assigned AWS applications that they use on a daily basis.

Authentication sessions

IAM Identity Center maintains two types of authentication session: a sign-in session, which represents the user's sign-in to IAM Identity Center, and application sessions, which represent the user's access to AWS managed applications such as Amazon SageMaker AI Studio or Amazon Managed Grafana.

Each time a user signs in to IAM Identity Center, a sign-in session is created for the duration configured in IAM Identity Center, which can be up to 90 days. For more information, see Configure the session duration of the AWS access portal and IAM Identity Center integrated applications.

Each time the user accesses an application, the sign-in session is used to create an application session for that application. Application sessions have a refreshable 1-hour lifetime: they are automatically refreshed every hour as long as the sign-in session from which they were obtained is still valid. If the user signs out using the AWS access portal, the sign-in session ends, and each application session ends the next time it attempts to refresh.

When the user uses IAM Identity Center to access the AWS Management Console or the AWS CLI, the sign-in session is used to obtain an IAM session as specified in the corresponding permission set (more specifically, IAM Identity Center assumes an IAM role that it manages in the target account). IAM sessions persist for the duration specified in the permission set, unconditionally: they are not shortened by a later sign-out, session revocation, or deletion of the user.

Note

IAM Identity Center does not support SAML Single Logout initiated by an identity provider that acts as your identity source, and it does not send SAML Single Logout to SAML applications that use IAM Identity Center as an Identity provider.

When you disable or delete a user in IAM Identity Center, that user is immediately prevented from signing in to create new sign-in sessions. When you revoke a user's sign-in session, the user must sign in again.

When an IAM Identity Center administrator deletes or disables a user, the user immediately loses access to the AWS access portal. Existing application sessions lose access within 30 minutes of the deletion or disablement; in some cases it can take up to 1 hour for existing applications to lose access.

Any existing IAM role sessions continue for the duration configured in the permission set, which can be up to 12 hours. This behavior also applies when a user's session is revoked or the user signs out.

The following table summarizes IAM Identity Center behaviors. For each behavior, the first time is measured from the moment the user is disabled or deleted, the second from the moment the user's session is revoked or the user signs out.

User can no longer sign in to IAM Identity Center
    After user disabled / deleted: Effective immediately
    After session revoked / sign-out: Not applicable

User can no longer start new application or IAM role sessions via IAM Identity Center
    After user disabled / deleted: Effective immediately
    After session revoked / sign-out: Effective immediately

User can no longer access any applications (all application sessions are terminated by the administrator or the user signs out)
    After user disabled / deleted: Up to 30 minutes *
    After session revoked / sign-out: Up to 30 minutes *

User can no longer access any AWS accounts through IAM Identity Center
    After user disabled / deleted: Up to 12 hours (up to 1 hour for the sign-in session to expire, plus up to 12 hours for the administrator-configured IAM role session to expire, per the session duration setting of the permission set)
    After session revoked / sign-out: Up to 12 hours (up to 1 hour for the sign-in session to expire, plus up to 12 hours for the administrator-configured IAM role session to expire, per the session duration setting of the permission set)

* In some cases, for example during a service disruption, it can take up to an hour to lose application access.
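The practical question behind this table is the one an incident responder asks: once a user has been disabled, revoked or signed out, at what moment is every access path actually gone? The following Python is an added example, not AWS code and not part of the original page. It encodes the lifetimes documented above (a sign-in session of up to 90 days, application sessions refreshed hourly while the sign-in session is valid, IAM role sessions that run unconditionally for the permission set's session duration) and computes the lockout times for a constructed timeline. The timestamps, the PT8H permission set and the helper names are all constructed for the example; the 1-hour lower bound on the permission set duration is an assumption taken from the permission set API rather than from this page, and the model uses the hourly refresh as the worst case for application access, not the typical 30-minute figure.

```python
"""Model of the IAM Identity Center session hierarchy (added example, not AWS code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import ceil
from typing import Optional

APP_REFRESH = timedelta(hours=1)        # application sessions refresh hourly
MAX_SIGN_IN = timedelta(days=90)        # configurable upper bound for the sign-in session
MIN_ROLE_SESSION = timedelta(hours=1)   # assumed: permission set API lower bound (not on the page)
MAX_ROLE_SESSION = timedelta(hours=12)  # permission set session duration upper bound

_DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_session_duration(value: str) -> timedelta:
    """Parse a permission set SessionDuration such as PT1H or PT8H30M and range-check it."""
    m = _DURATION_RE.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"not a PTnHnM duration: {value!r}")
    hours, minutes = (int(g or 0) for g in m.groups())
    d = timedelta(hours=hours, minutes=minutes)
    if not MIN_ROLE_SESSION <= d <= MAX_ROLE_SESSION:
        raise ValueError(f"session duration must be PT1H..PT12H, got {value}")
    return d


def is_valid_session_duration(value: str) -> bool:
    try:
        parse_session_duration(value)
        return True
    except ValueError:
        return False


@dataclass
class SignInSession:
    started: datetime
    max_duration: timedelta = MAX_SIGN_IN
    ended: Optional[datetime] = None    # set on sign-out or administrator revocation

    def end_time(self) -> datetime:
        natural = self.started + self.max_duration
        return min(natural, self.ended) if self.ended else natural

    def valid_at(self, t: datetime) -> bool:
        return self.started <= t < self.end_time()


@dataclass
class ApplicationSession:
    parent: SignInSession
    obtained: datetime

    def expires_at(self) -> datetime:
        """Access ends at the first hourly refresh that finds the sign-in session gone."""
        if not self.parent.valid_at(self.obtained):
            raise PermissionError("no valid sign-in session; cannot create application session")
        refreshes = ceil((self.parent.end_time() - self.obtained) / APP_REFRESH)
        return self.obtained + refreshes * APP_REFRESH


@dataclass
class RoleSession:
    parent: SignInSession
    assumed: datetime
    permission_set_duration: timedelta

    def expires_at(self) -> datetime:
        """Runs for the full permission set duration, regardless of the sign-in session."""
        if not self.parent.valid_at(self.assumed):
            raise PermissionError("no valid sign-in session; cannot assume role")
        return self.assumed + self.permission_set_duration


def lockout_times(sign_in: SignInSession, apps: list, roles: list, event_at: datetime) -> dict:
    """End the sign-in session at event_at (revoke, sign-out or disable) and report when
    each access path is really gone; existing role sessions are not cut short."""
    sign_in.ended = event_at
    return {
        "new_sessions_blocked": event_at,
        "application_access_until": max((a.expires_at() for a in apps), default=event_at),
        "account_access_until": max((r.expires_at() for r in roles), default=event_at),
        "new_session_allowed_after": sign_in.valid_at(event_at + timedelta(seconds=1)),
    }


def demo() -> dict:
    """Constructed timeline: sign in 08:00, open an application 08:10, assume an
    8-hour role 08:30, administrator revokes the sign-in session 09:45."""
    t0 = datetime(2025, 1, 1, 8, 0, tzinfo=timezone.utc)
    sign_in = SignInSession(started=t0)
    app = ApplicationSession(sign_in, obtained=t0 + timedelta(minutes=10))
    role = RoleSession(sign_in, assumed=t0 + timedelta(minutes=30),
                       permission_set_duration=parse_session_duration("PT8H"))
    return lockout_times(sign_in, [app], [role], event_at=t0 + timedelta(hours=1, minutes=45))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value}")
```

Running the demo shows the asymmetry the table describes: new sessions are blocked at 09:45, the application session ends at its next refresh at 10:10, but the role assumed at 08:30 with an 8-hour permission set keeps working until 16:30. Shortening the permission set duration is therefore the only lever that shortens the account-access window after a revocation.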

For more information about sessions, see Set session duration for AWS accounts.
