# AWS IAM Identity Center SSO

Learn how to connect AWS IAM Identity Center with Better Stack to enable single sign-on (SSO) for you and your colleagues.

### SSO setup

1.  Go to [Single Sign-On configuration](https://betterstack.com/settings/sso).
2.  Click **Connect** on the **Generic SAML SSO** panel and select **AWS IAM Identity Center**.
3.  Copy the **Entity ID** and **ACS URL**.

### In the AWS console

1.  Go to the **IAM Identity Center**.
2.  Go to **Applications** → **Add Application**.
3.  Select **I have an application I want to set up** and choose **SAML 2.0** as the application type.
4.  Click **Next**.
5.  Set the **Display name** to `Better Stack`.
6.  Copy the **IAM Identity Center SAML issuer URL**.
7.  Download the **IAM Identity Center Certificate**.
8.  Under **Application metadata**, select **Manually type your metadata values**.
9.  Paste the **ACS URL** from Better Stack into the **Application ACS URL** field.
10. Paste the **Entity ID** from Better Stack into the **Application SAML audience** field.
11. Click **Submit**.
12. Go to **Actions** → **Edit attribute mappings**.
13. Set the **Subject** attribute to `${user:email}` and its format to **emailAddress**.
14. Add the following attribute mappings:
    *   `first_name` → `${user:givenName}` (format: basic)
    *   `last_name` → `${user:familyName}` (format: basic)
    *   `email` → `${user:email}` (format: basic)
15. Click **Save changes**.
16. Click **Assign users and groups** and assign yourself to the application to test the connection. Ensure your user's email address matches the one used on Better Stack.

### In Better Stack

1.  Go back to the [SSO configuration page](https://betterstack.com/settings/sso/edit).
2.  Paste the **IAM Identity Center SAML issuer URL** you copied from AWS.
3.  Upload the **X.509 Certificate** file you downloaded from AWS.
4.  Click **Connect**. You will be redirected to AWS to sign in and confirm.

You're done. 🎉
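
If the test sign-in fails, you can compare a decoded assertion against the values configured in the steps above. The Python below is an added example, not Better Stack or AWS code: `check_assertion`, the placeholder URLs and the sample assertion are constructed for illustration, and the format URIs are the standard SAML identifiers assumed to correspond to **emailAddress** and **basic**. It checks the Subject, audience, recipient and attribute mappings only and does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
REQUIRED_ATTRS = ("first_name", "last_name", "email")  # mappings from step 14
# Placeholders: use the Entity ID and ACS URL copied from Better Stack.
ENTITY_ID = "https://sp.example.invalid/entity-id"
ACS_URL = "https://sp.example.invalid/acs"

def check_assertion(xml_text, entity_id, acs_url):
    """List mismatches between a decoded assertion and the setup steps (no signature check)."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Subject NameID is missing or empty")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("Subject format is not emailAddress")
    if entity_id not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        problems.append("Audience does not match the Entity ID")
    data = root.find(".//saml:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")
    attrs = {a.get("Name"): a for a in root.findall(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        attr = attrs.get(name)
        value = attr.find("saml:AttributeValue", NS) if attr is not None else None
        if value is None or not (value.text or "").strip():
            problems.append(f"attribute {name} is missing or empty")
        elif attr.get("NameFormat") != BASIC_FORMAT:
            problems.append(f"attribute {name} is not in basic format")
    return problems

# Constructed sample assertion (not captured from AWS), trimmed to the checked fields.
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:Subject>
  <saml:NameID Format="{EMAIL_FORMAT}">alice@example.invalid</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="first_name" NameFormat="{BASIC_FORMAT}"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="last_name" NameFormat="{BASIC_FORMAT}"><saml:AttributeValue>Ng</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email" NameFormat="{BASIC_FORMAT}"><saml:AttributeValue>alice@example.invalid</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE, ENTITY_ID, ACS_URL) or "assertion matches the setup")
```

An empty list means the assertion carries the Subject format, audience, recipient and three attributes the setup expects; each string in a non-empty list names the step to revisit.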
