

# Configure IAM Identity Center
<a name="idc-config"></a>

Log in to the account where IAM Identity Center is enabled (usually the **Org Management** account) and the Innovation Sandbox IDC stack is deployed. Make sure that you are in the correct home Region.

In this section, you will:
+  [Create a SAML 2.0 application](create-saml-app.md) 
+  [Map application attributes](map-application-attributes.md) 
+  [Assign groups to your application](assign-groups-application.md) 
+  [Assign users to groups](assign-users-groups.md) 

# Create a SAML 2.0 application
<a name="create-saml-app"></a>

In this step, you federate your Identity Provider (IdP) to IAM Identity Center through SAML 2.0, and use IAM Identity Center to manage user access to the solution.

1. Log in to the [AWS IAM Identity Center console](https://console.aws.amazon.com/singlesignon/).

1. From the left pane, under **Application assignments**, choose **Applications**.

1. On the Applications page, on the **Customer managed** tab, choose **Add application**.

1. On the **Select application type** page, under **Setup preference**, choose **I have an application I want to set up**.

1. Under **Application type**, choose **SAML 2.0**, and choose **Next**.

1. On the **Configure application** page, under **Configure application**:
   + Enter a **Display name** for the application, such as *MyISBApp*.
   + Enter a description.

1. Under **Application metadata**, choose **Manually type your metadata values**, and provide the **Application ACS URL** and **Application SAML audience** values.
   +  **Application ACS URL**: The URL of the CloudFront distribution (or the alternate domain name associated with the distribution) from the Compute stack output, appended with `/api/auth/login/callback`. For example: `<ISB_WEB_URL>/api/auth/login/callback`, where `ISB_WEB_URL` is the CloudFront distribution URL or alternate domain (for example: https://duyXXXXXXXeh.cloudfront.net/api/auth/login/callback). To view the Compute stack outputs, navigate to the **AWS CloudFormation > Stacks > Outputs** tab in the account where you deployed the Compute stack.
   +  **Application SAML audience**: The audience that identifies the service provider (in this case, the Innovation Sandbox web application) configured to consume the SAML assertion. For example: `Isb-<NAMESPACE>-Audience`.

1. Choose **Submit**. The Application details page displays.

# Map application attributes
<a name="map-application-attributes"></a>

In this step, you map application attributes to the user attribute in IAM Identity Center, using the email address for authentication.

1. From the list of applications, choose the SAML application you set up in the previous step.

1. Under **Actions**, choose **Edit attribute mappings**.

1. For the *Subject* **User attribute in the application** row, fill in the two corresponding fields:
   [See the AWS documentation website for more details](http://docs.aws.amazon.com/solutions/latest/innovation-sandbox-on-aws/map-application-attributes.html)

1. Choose **Save Changes**.

**Note**  
If you have configured IAM Identity Center to use an external identity provider, you need to ensure that the attribute mappings from the external identity provider to IAM Identity Center are configured correctly. For more information, refer to [Configuring an external identity provider](configuring-external-idp.md).

# Assign groups to your application
<a name="assign-groups-application"></a>

**Note**  
If you have configured your IAM Identity Center instance to use an external identity provider, you will need to manage user groups through that external provider instead of creating them directly in IAM Identity Center.

The IDC stack creates these three user groups in IAM Identity Center (where `NAMESPACE` is the namespace parameter passed to the stack):
+  `<NAMESPACE>_IsbUsersGroup` 
+  `<NAMESPACE>_IsbManagersGroup` 
+  `<NAMESPACE>_IsbAdminsGroup` 

To assign groups to your application:

1. Sign in to the [AWS IAM Identity Center console](https://console.aws.amazon.com/singlesignon/).

1. From the left pane, under **Application assignments**, choose **Applications**.

1. On the Applications page, from the **Customer managed** tab, choose the application you created in the previous steps.

1. Choose **Assigned users and groups**, and choose the three groups. Enter the namespace manually to find the groups, as they are not listed by default.

![Assign users and groups](http://docs.aws.amazon.com/solutions/latest/innovation-sandbox-on-aws/images/assign-user-groups.png)

1. Choose **Done** to assign these groups to your application.
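As an added pre-flight check (example code, not part of the Innovation Sandbox on AWS solution), the following Python derives the ACS URL, SAML audience and group names from the `ISB_WEB_URL` and `NAMESPACE` values used in the SAML application and group assignment steps above, and reports any mismatch with what was entered in the console. The CloudFront URL in the demo is the placeholder from this page and the `sandbox` namespace is made up; the `entered` dictionary stands in for the values you read back from the application's details page.

```python
"""Pre-flight check for the Innovation Sandbox SAML application settings.

Added example, not part of the Innovation Sandbox on AWS solution: derives the
values the console steps ask for from ISB_WEB_URL and NAMESPACE and compares
them with what was actually configured.
"""
from urllib.parse import urlparse

CALLBACK_PATH = "/api/auth/login/callback"
GROUP_SUFFIXES = ("IsbUsersGroup", "IsbManagersGroup", "IsbAdminsGroup")


def expected_settings(isb_web_url: str, namespace: str) -> dict:
    """Derive the ACS URL, SAML audience and IDC group names from the stack values."""
    base = isb_web_url.rstrip("/")  # tolerate a trailing slash copied from the stack output
    return {
        "acs_url": base + CALLBACK_PATH,
        "audience": f"Isb-{namespace}-Audience",
        "groups": {f"{namespace}_{suffix}" for suffix in GROUP_SUFFIXES},
    }


def check_application(entered: dict, isb_web_url: str, namespace: str) -> list:
    """Return the list of mismatches; an empty list means the configuration is consistent."""
    expected = expected_settings(isb_web_url, namespace)
    problems = []
    acs = entered.get("acs_url", "")
    if urlparse(acs).scheme != "https":
        problems.append("ACS URL must use https; the SAML assertion is posted to it")
    if acs != expected["acs_url"]:
        problems.append(f"ACS URL should be {expected['acs_url']}, got {acs!r}")
    if entered.get("audience") != expected["audience"]:
        problems.append(f"SAML audience should be {expected['audience']}, got {entered.get('audience')!r}")
    missing = expected["groups"] - set(entered.get("assigned_groups", ()))
    for group in sorted(missing):
        problems.append(f"group {group} is not assigned to the application")
    return problems


if __name__ == "__main__":
    # Constructed values: the CloudFront URL is the placeholder used in the steps
    # above, "sandbox" is a made-up namespace, and the entered ACS URL has an http typo.
    web_url, namespace = "https://duyXXXXXXXeh.cloudfront.net/", "sandbox"
    entered = {
        "acs_url": "http://duyXXXXXXXeh.cloudfront.net/api/auth/login/callback",
        "audience": "Isb-sandbox-Audience",
        "assigned_groups": ["sandbox_IsbUsersGroup", "sandbox_IsbManagersGroup"],
    }
    for problem in check_application(entered, web_url, namespace):
        print("-", problem)
```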

# Assign users to groups
<a name="assign-users-groups"></a>

As you add new users to IAM Identity Center, you must assign each of them to one of the groups before they can access Innovation Sandbox.

**Note**  
If you have configured IAM Identity Center to use an external identity provider, you must assign group membership to users through the external identity provider itself and have the changes synced to your IAM Identity Center instance.

1. Sign in to the [AWS IAM Identity Center console](https://console.aws.amazon.com/singlesignon/).

1. From the left pane, choose **Users**.

1. On the Users page, choose the user name for the user you want to add to a group. The User details page displays.

1. On the **Groups** tab, choose **Add user to groups**.

1. Choose the groups you want to add the user to. You can choose from one of these relevant groups, depending on user role:
   +  `<NAMESPACE>_IsbUsersGroup` 
   +  `<NAMESPACE>_IsbManagersGroup` 
   +  `<NAMESPACE>_IsbAdminsGroup` 

1. Choose **Add user to group**.

Alternatively, you can choose a group and add users to the group.

1. From the left pane, choose **Groups**.

1. On the Groups page, choose the group name you want to add users to. The Group details page displays. You can choose one of these relevant groups:
   +  `<NAMESPACE>_IsbUsersGroup` 
   +  `<NAMESPACE>_IsbManagersGroup` 
   +  `<NAMESPACE>_IsbAdminsGroup` 

1. On the **Users** tab, choose **Add users to group**.

1. Choose the users you want to add to this group.

1. Choose **Add users to group**.

For more information, refer to the [Manage identities in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-sso.html) topic.