Map application attributes

In this step, you map application attributes to the user attribute in IAM Identity Center, using the email address for authentication.

From the list of applications, choose the SAML application we set up in the previous step.
Under Actions, select Edit attribute mappings.
Under the User attribute in the application section, enter the following values corresponding to the Subject.
- For Maps to this string value or user attribute in IAM Identity Center, use ${user:email}.
- For Format, use emailAddress.
Choose Save Changes.

Save application configuration values

Note: This section provides guidance on how to access and save the configuration values for the SAML2.0 application you created in the previous steps. We recommend you save these values, as you will need to use this for the AppConfig configuration in the Hub account. You can also log in to the AWS IAM Identity Center to retrieve these values.

From the list of applications, choose the SAML application set up in the previous step.
Under Actions, select Edit configuration. The Application details display.
Save the following values.

Parameter name	Where can you find this
idpSignInUrl	IAM Identity Center metadata > IAM Identity Center sign-in URL
idpSignOutUrl	IAM Identity Center metadata > IAM Identity Center sign-out URL
webAppUrl	Application metadata > Application ACS URL without the api/auth/login/callback
idpAudience	Application metadata > Application SAML audience
awsAccessPortalUrl	IAM Identity Center > AWS access portal URL
Certificate (download)	IAM Identity Center > IAM Identity Center Certificate

Overview

Features and Benefits

Use cases

Concepts and definitions

Solution Architecture

AWS Well-Architected design considerations

AWS services in this solution

Account Cleaner components

Account lifecycle - TBCompleted

Supported AWS Regions

Running Costs

Security

Quotas

Choosing the deployment accounts

Prerequisites

AWS CloudFormation templates

Prepare to Launch the Stack

Step 1: Deploy the AccountPool stack

Step 2: Deploy the IDC stack

Step 3: Deploy the Data stack

Step 4: Deploy the Compute stack

Step 5: ?????

Create a SAML 2.0 application

Map application attributes

Assign groups to your application

Assign users to groups

Update configuration using AWS AppConfig

Update values in AWS Secrets Manager

Logging into the web UI

User Guide

Manager Guide

Administrator Guide

Monitoring the solution

Software Licence

Investigating accounts in Quarantine state

Resolving clean-up failures

End leases and eject accounts

Uninstall solution stacks

Resources retained after deletion

Delete the custom application in IAM Identity Center

Revision 1.0 - 18/07/2025

Sandbox Studio Terms and Conditions

Running the wizard

Prerequisite #1: AWS Organizations

Prerequisite #2: Service Control Policies (SCPs)

Prerequisite #3: IAM Identity Center

Prerequisite #4: Resource Access Manager

Prerequisite #5: Cloudformation Stacksets

Prerequisite #6: Cost Explorer

Prerequisite #7: IAM Identity Center Custom SAML Application

Prerequisite #8: Lambda Concurrency Limit

Prerequisite #9: Simple Email Service

Map application attributes

Save application configuration values