Create a SAML 2.0 application

In this step, you federate your Identity Provider (IdP) to IAM Identity Center through SAML 2.0, and use IAM Identity Center to manage user access to the solution.

Note: Log in to the account where the IAM Identity Center is enabled (usually the Org Management account) and the Sandbox Studio IDC stack is deployed. Make sure that you are in the correct home Region.

Log into the AWS IAM Identity Center console.
From the left pane, under Application assignments, choose Applications.
On the Applications page, on the Customer managed tab, choose Add application.
On the Select application type page, under Setup preference, choose I have an application I want to set up.
Under Application type, choose SAML 2.0, and choose Next.
On the Configure application page, under Configure application,
- Type in a Display name for the application, such as MyISBApp,
- Type in a description.
Under Application metadata, choose Manually type your metadata values, and provide the Application ACS URL and Application SAML audience values.
- Application ACS URL: URL of the CloudFront distribution (or alternate domain name associated with the distribution) from the Compute stack output appended with /api/auth/login/callback, ie, <ISB_WEB_URL>/api/auth/login/callback where ISB_WEB_URL is the CloudFront Distribution Url or alternate domain. For example: https://duyXXXXXXXeh.cloudfront.net/api/auth/login/callback. To view the Compute stack outputs, navigate to the AWS CloudFormation > Stacks > Outputs tab, in the account where you have deployed the Compute stack.
- Application SAML audience: The audience is used to identify the service provider (in this case, Sandbox Studio web application) configured to consume the SAML assertion. For example: isb-<NAMESPACE>-Audience.
Choose Submit. The Application details page displays.

Overview

Features and Benefits

Use cases

Concepts and definitions

Solution Architecture

AWS Well-Architected design considerations

AWS services in this solution

Account Cleaner components

Account lifecycle - TBCompleted

Supported AWS Regions

Running Costs

Security

Quotas

Choosing the deployment accounts

Prerequisites

AWS CloudFormation templates

Prepare to Launch the Stack

Step 1: Deploy the AccountPool stack

Step 2: Deploy the IDC stack

Step 3: Deploy the Data stack

Step 4: Deploy the Compute stack

Step 5: ?????

Create a SAML 2.0 application

Map application attributes

Assign groups to your application

Assign users to groups

Update configuration using AWS AppConfig

Update values in AWS Secrets Manager

Logging into the web UI

User Guide

Manager Guide

Administrator Guide

Monitoring the solution

Software Licence

Investigating accounts in Quarantine state

Resolving clean-up failures

End leases and eject accounts

Uninstall solution stacks

Resources retained after deletion

Delete the custom application in IAM Identity Center

Revision 1.0 - 18/07/2025

Sandbox Studio Terms and Conditions

Running the wizard

Prerequisite #1: AWS Organizations

Prerequisite #2: Service Control Policies (SCPs)

Prerequisite #3: IAM Identity Center

Prerequisite #4: Resource Access Manager

Prerequisite #5: Cloudformation Stacksets

Prerequisite #6: Cost Explorer

Prerequisite #7: IAM Identity Center Custom SAML Application

Prerequisite #8: Lambda Concurrency Limit

Prerequisite #9: Simple Email Service

Create a SAML 2.0 application