

# Setting up customer managed SAML 2.0 applications
<a name="customermanagedapps-saml2-setup"></a>

If you use customer managed applications that support [SAML 2.0](https://wiki.oasis-open.org/security), you can federate your IdP to IAM Identity Center through SAML 2.0 and use IAM Identity Center to manage user access to those applications. You can select a SAML 2.0 application from a catalog of commonly used applications in the IAM Identity Center console, or you can set up your own SAML 2.0 application. 

**Note**  
If you have customer managed applications that support OAuth 2.0 and your users need access from these applications to AWS services, you can use trusted identity propagation. With trusted identity propagation, a user can sign in to an application, and that application can pass the user's identity in requests to access data in AWS services.

**Topics**
+ [Set up an application from the IAM Identity Center application catalog](saasapps.md)
+ [Set up your own SAML 2.0 application](customermanagedapps-set-up-your-own-app-saml2.md)

# Set up an application from the IAM Identity Center application catalog
<a name="saasapps"></a>

You can use the application catalog in the IAM Identity Center console to add many commonly used SAML 2.0 applications that work with IAM Identity Center. Examples include Salesforce, Box, and Microsoft 365.

Most applications provide detailed information about how to set up the trust between IAM Identity Center and the application's service provider. This information is available in the configuration page for the application, after you select the application in the catalog. After you configure the application, you can assign access to users or groups in IAM Identity Center as needed.

Use this procedure to set up a SAML 2.0 trust relationship between IAM Identity Center and your application's service provider.

Before you begin this procedure, it is helpful to have the service provider's metadata exchange file so that you can more efficiently set up the trust. If you do not have this file, you can still use this procedure to configure the trust manually.

**To add and configure an application from the application catalog**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Applications**.

1. Choose the **Customer managed** tab.

1. Choose **Add application**.

1. On the **Select application type** page, under **Setup preference**, choose **I want to select an application from the catalog**.

1. Under **Application catalog**, start typing the name of the application that you want to add in the search box.

1. Choose the name of the application from the list when it appears in the search results, and then choose **Next**.

1. On the **Configure application** page, the **Display name** and **Description** fields are prepopulated with relevant details for the application. You can edit this information.

1. Under **IAM Identity Center metadata**, do the following:

   1. Under **IAM Identity Center SAML metadata file**, choose **Download** to download the identity provider metadata.

   1. Under **IAM Identity Center certificate**, choose **Download certificate** to download the identity provider certificate.
**Note**  
You will need these files later when you set up the application from the service provider's website. Follow the instructions from that provider. 

1. (Optional) Under **Application properties**, you can specify the **Application start URL**, **Relay state**, and **Session duration**. For more information, see [Understand application properties in the IAM Identity Center console](appproperties.md).

1. Under **Application metadata**, do one of the following: 

   1. If you have a metadata file, choose **Upload application SAML metadata file**. Then, select **Choose file** to find and select the metadata file.

   1. If you do not have a metadata file, choose **Manually type your metadata values**, and then provide the **Application ACS URL** and **Application SAML audience** values.

1. Choose **Submit**. You're taken to the details page of the application that you just added.

# Set up your own SAML 2.0 application
<a name="customermanagedapps-set-up-your-own-app-saml2"></a>

You can set up your own applications that allow identity federation using SAML 2.0 and add them to IAM Identity Center. Most of the steps for setting up your own SAML 2.0 applications are the same as setting up a SAML 2.0 application from the application catalog in the IAM Identity Center console. However, you must also provide additional SAML attribute mappings for your own SAML 2.0 applications. These mappings enable IAM Identity Center to populate the SAML 2.0 assertion correctly for your application. You can provide this additional SAML attribute mapping when you set up the application for the first time. You can also provide SAML 2.0 attribute mappings on the application details page in the IAM Identity Center console.

Use the following procedure to set up a SAML 2.0 trust relationship between IAM Identity Center and your SAML 2.0 application's service provider. Before you begin this procedure, make sure that you have the service provider's certificate and metadata exchange files so that you can finish setting up the trust.

**To set up your own SAML 2.0 application**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Applications**.

1. Choose the **Customer managed** tab.

1. Choose **Add application**.

1. On the **Select application type** page, under **Setup preference**, choose **I have an application I want to set up**.

1. Under **Application type**, choose **SAML 2.0**.

1. Choose **Next**.

1. On the **Configure application** page, under **Configure application**, enter a **Display name** for the application, such as **MyApp**. Then, enter a **Description**.

1. Under **IAM Identity Center metadata**, do the following:

   1. Under **IAM Identity Center SAML metadata file**, choose **Download** to download the identity provider metadata.

   1. Under **IAM Identity Center certificate**, choose **Download** to download the identity provider certificate.
**Note**  
You will need these files later when you set up the custom application from the service provider's website. 

1. (Optional) Under **Application properties**, you can also specify the **Application start URL**, **Relay state**, and **Session duration**. For more information, see [Understand application properties in the IAM Identity Center console](appproperties.md).

1. Under **Application metadata**, choose **Manually type your metadata values**. Then, provide the **Application ACS URL** and **Application SAML audience** values.

1. Choose **Submit**. You're taken to the details page of the application that you just added.
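The **Application ACS URL** and **Application SAML audience** you enter in step 12 are not just routing details: they are the values your own service provider must check in every assertion IAM Identity Center sends, and the attribute mappings described at the top of this section are what populate the attributes your application reads out of it. The following is an added example of those SP-side checks, not code from this page or from AWS; it assumes the XML-DSig signature on the response has already been verified against the IdP certificate by your SAML library (stdlib Python cannot do that), and the SAML response, ACS URL, audience, entityID and user data in it are constructed placeholders.

```python
"""SP-side validation of a SAML Response (added example, stdlib only).
ASSUMES the XML signature was already verified by a SAML library; nothing
here is trustworthy otherwise. All URLs, IDs and user data are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

ACS_URL = "https://myapp.example.com/saml/acs"         # constructed placeholder
AUDIENCE = "https://myapp.example.com/saml/metadata"   # constructed placeholder
IDP_ENTITY_ID = "https://idp.example.com/saml/EXAMPLE"  # constructed placeholder
NOW = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)

# Constructed response; the signature element is omitted because it is assumed verified.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" InResponseTo="_req1"
    Destination="https://myapp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/saml/EXAMPLE</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/EXAMPLE</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
            Recipient="https://myapp.example.com/saml/acs" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://myapp.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_saml_time(value):
    """SAML dateTime values are UTC ('Z'), optionally with fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("bad SAML timestamp: %r" % value)


def validate_response(xml_text, acs_url, audience, idp_entity_id,
                      outstanding_request_ids, now, skew=timedelta(seconds=60)):
    """Return (errors, name_id, attributes); the login is accepted only if errors == []."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"], None, {}
    # Destination must be exactly the ACS URL configured in IAM Identity Center.
    if root.get("Destination") != acs_url:
        errors.append("Destination %r is not the ACS URL" % root.get("Destination"))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    # InResponseTo must name an AuthnRequest this SP issued and has not consumed
    # (replay protection). IdP-initiated logins carry no InResponseTo at all.
    in_resp = root.get("InResponseTo")
    if in_resp is not None and in_resp not in outstanding_request_ids:
        errors.append("InResponseTo %r is unknown or already used" % in_resp)
    # Exactly one assertion: extra ones are the classic signature-wrapping vector.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return errors + ["expected one Assertion, got %d" % len(assertions)], None, {}
    a = assertions[0]
    for issuer in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != idp_entity_id:
            errors.append("Issuer does not match the IdP entityID")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_saml_time(nb) - skew:
            errors.append("assertion not yet valid")
        if noa and now >= parse_saml_time(noa) + skew:
            errors.append("assertion expired")
        auds = [(x.text or "").strip()
                for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in auds:   # the "Application SAML audience" value
            errors.append("Audience %r does not include %r" % (auds, audience))
    scd = None
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            errors.append("Recipient is not the ACS URL")
        if scd.get("InResponseTo") != in_resp:
            errors.append("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now >= parse_saml_time(scd.get("NotOnOrAfter")) + skew:
            errors.append("bearer confirmation expired")
    if errors:
        return errors, None, {}
    nid = a.find("saml:Subject/saml:NameID", NS)
    name_id = (nid.text or "").strip() if nid is not None else None
    attrs = {att.get("Name"): [(v.text or "").strip() for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return errors, name_id, attrs


def check_sample(**overrides):
    """Run the constructed response through validate_response with optional overrides."""
    params = dict(acs_url=ACS_URL, audience=AUDIENCE, idp_entity_id=IDP_ENTITY_ID,
                  outstanding_request_ids={"_req1"}, now=NOW)
    params.update(overrides)
    return validate_response(SAMPLE_RESPONSE, **params)


if __name__ == "__main__":
    print(check_sample())
    print(check_sample(audience="https://other.example.com/sp"))
```

The audience and ACS checks are the ones the two console fields exist for: an assertion minted for a different application in the same IAM Identity Center instance carries a different Audience, and it must be rejected even though its signature is perfectly valid. The attributes returned for an accepted login are exactly what the attribute mappings on the application details page control, so a missing key here usually means a mapping was not configured rather than a bug in the parser.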