When transitioning your AWS IAM Identity Center (formerly known as AWS SSO) from one Azure domain to another, there are several important considerations and steps to keep in mind:
- Transition Process: The process of changing your identity source in IAM Identity Center can cause a temporary disruption in user access. During the transition, users will not be able to access AWS accounts or applications through IAM Identity Center until all assignments are restored.
- User Migration: Unfortunately, there isn't a direct way to simply move or rename existing users from the old domain to the new one. You'll need to set up the users again in the new identity source. However, you can back up and restore user assignments to minimize manual work.
- Timing: The time it takes for new users with their new domain email addresses to be able to sign in depends on how quickly you can complete the transition process. This includes backing up existing data, configuring the new identity source, and restoring assignments. With proper planning, this can potentially be done within a few hours, but it's best to allocate more time to ensure a smooth transition.
- Old User Cleanup: The old users won't automatically disappear after the SSO switch. You'll need to manually remove them from IAM Identity Center after ensuring that all necessary data and permissions have been transferred to the new user accounts.
- Preserving Assignments: To avoid setting up everything from scratch, you can back up your existing permission sets and application assignments before the transition. After connecting to the new identity source, you can then restore these assignments to the new user accounts.
- Key Steps:
  - Back up users, groups, and assignments from the current source.
  - Restore and validate the backed-up data in the new Azure domain.
  - Update the IAM Identity Center configuration to connect to the new Azure domain.
  - Restore assignments to users and groups in the new source.
  - Validate user access to ensure they can access the expected accounts and applications.
- Application Considerations: For AWS-managed applications that maintain a separate identity source, you may need to restore application assignments on a case-by-case basis, which could require redeploying some applications.
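The "Key Steps" above describe a backup-by-name, switch, restore-by-name cycle for account assignments. The following is an added example (not code from this answer, the linked AWS blog post, or AWS) of that cycle against the `sso-admin` and `identitystore` APIs. It takes boto3-style client objects, so in real use you would pass `boto3.client("sso-admin")` and `boto3.client("identitystore")`; the `Fake*` classes, instance ARN, identity store ids, account ids and user names are all constructed here so the file runs offline. It assumes that users in the new identity store carry the new-domain UPN as their `userName` and that groups keep the same `displayName`; it covers account assignments only, not the application assignments the last bullet mentions.

```python
# Added example (not code from the answer or from AWS). Real clients are
# boto3.client("sso-admin") / boto3.client("identitystore"); the Fake* classes
# below mimic only the calls used here so the script runs offline.

def _paginate(call, key, **kw):
    """Follow NextToken through a boto3 list_* call, yielding items under `key`."""
    token = None
    while True:
        resp = call(**kw, **({"NextToken": token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return

def backup_assignments(sso, ids, instance_arn, store_id):
    """Record every account assignment with the principal resolved to a NAME
    (userName / displayName): names can be matched again in the new identity
    store, the old store's PrincipalId GUIDs cannot."""
    out = []
    for ps_arn in _paginate(sso.list_permission_sets, "PermissionSets", InstanceArn=instance_arn):
        ps_name = sso.describe_permission_set(InstanceArn=instance_arn, PermissionSetArn=ps_arn)["PermissionSet"]["Name"]
        for acct in _paginate(sso.list_accounts_for_provisioned_permission_set, "AccountIds",
                              InstanceArn=instance_arn, PermissionSetArn=ps_arn):
            for a in _paginate(sso.list_account_assignments, "AccountAssignments",
                               InstanceArn=instance_arn, AccountId=acct, PermissionSetArn=ps_arn):
                if a["PrincipalType"] == "USER":
                    name = ids.describe_user(IdentityStoreId=store_id, UserId=a["PrincipalId"])["UserName"]
                else:
                    name = ids.describe_group(IdentityStoreId=store_id, GroupId=a["PrincipalId"])["DisplayName"]
                out.append({"AccountId": acct, "PermissionSetArn": ps_arn, "PermissionSetName": ps_name,
                            "PrincipalType": a["PrincipalType"], "PrincipalName": name})
    return out

def plan_restore(records, ids_new, new_store_id, rename=lambda n: n):
    """Look each backed-up principal up in the NEW identity store. `rename` maps old
    names to new ones (old-domain UPN -> new-domain UPN). Returns (assignments ready
    to create, records whose principal is absent or ambiguous) for review first."""
    ready, missing = [], []
    for r in records:
        new_name = rename(r["PrincipalName"])
        if r["PrincipalType"] == "USER":
            hits = ids_new.list_users(IdentityStoreId=new_store_id,
                                      Filters=[{"AttributePath": "UserName", "AttributeValue": new_name}])["Users"]
            found = [u["UserId"] for u in hits]
        else:
            hits = ids_new.list_groups(IdentityStoreId=new_store_id,
                                       Filters=[{"AttributePath": "DisplayName", "AttributeValue": new_name}])["Groups"]
            found = [g["GroupId"] for g in hits]
        if len(found) != 1:  # 0 = not synced yet, >1 = ambiguous: never guess a principal
            missing.append(dict(r, NewPrincipalName=new_name))
            continue
        ready.append({"TargetId": r["AccountId"], "TargetType": "AWS_ACCOUNT", "PermissionSetArn": r["PermissionSetArn"],
                      "PrincipalType": r["PrincipalType"], "PrincipalId": found[0]})
    return ready, missing

def restore_assignments(sso, instance_arn, ready):
    """Re-create the planned assignments; returns the number of create calls made."""
    for p in ready:
        sso.create_account_assignment(InstanceArn=instance_arn, **p)
    return len(ready)

class FakeSsoAdmin:
    """Constructed stand-in: rows of (AccountId, PermissionSetArn, PrincipalType, PrincipalId)."""
    def __init__(self, rows): self.rows, self.created = rows, []
    def list_permission_sets(self, InstanceArn): return {"PermissionSets": sorted({r[1] for r in self.rows})}
    def describe_permission_set(self, InstanceArn, PermissionSetArn):
        return {"PermissionSet": {"Name": PermissionSetArn.rsplit("/", 1)[1]}}
    def list_accounts_for_provisioned_permission_set(self, InstanceArn, PermissionSetArn):
        return {"AccountIds": sorted({r[0] for r in self.rows if r[1] == PermissionSetArn})}
    def list_account_assignments(self, InstanceArn, AccountId, PermissionSetArn):
        keys = ("AccountId", "PermissionSetArn", "PrincipalType", "PrincipalId")
        return {"AccountAssignments": [dict(zip(keys, r)) for r in self.rows if r[0] == AccountId and r[1] == PermissionSetArn]}
    def create_account_assignment(self, **kw): self.created.append(kw)

class FakeIdentityStore:
    """Constructed stand-in: users and groups are {id: name} dicts."""
    def __init__(self, users, groups): self.users, self.groups = users, groups
    def describe_user(self, IdentityStoreId, UserId): return {"UserName": self.users[UserId]}
    def describe_group(self, IdentityStoreId, GroupId): return {"DisplayName": self.groups[GroupId]}
    def list_users(self, IdentityStoreId, Filters):
        return {"Users": [{"UserId": i, "UserName": n} for i, n in self.users.items() if n == Filters[0]["AttributeValue"]]}
    def list_groups(self, IdentityStoreId, Filters):
        return {"Groups": [{"GroupId": i, "DisplayName": n} for i, n in self.groups.items() if n == Filters[0]["AttributeValue"]]}

def demo():
    """Run the whole cycle on constructed data; returns (records, ready, missing, created)."""
    instance, ps_admin = "arn:aws:sso:::instance/ssoins-EXAMPLE", "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-AdminAccess"
    ps_read = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-ReadOnly"
    sso = FakeSsoAdmin([("111111111111", ps_admin, "USER", "u-old-1"), ("111111111111", ps_admin, "GROUP", "g-old-1"),
                        ("222222222222", ps_read, "USER", "u-old-2")])
    old = FakeIdentityStore({"u-old-1": "alice@old.example.com", "u-old-2": "bob@old.example.com"}, {"g-old-1": "CloudAdmins"})
    # After the switch only alice and the group exist in the new store; bob has not been synced yet.
    new = FakeIdentityStore({"u-new-1": "alice@new.example.com"}, {"g-new-1": "CloudAdmins"})
    records = backup_assignments(sso, old, instance, "d-old")
    ready, missing = plan_restore(records, new, "d-new", rename=lambda n: n.replace("@old.example.com", "@new.example.com"))
    return records, ready, missing, restore_assignments(sso, instance, ready)

if __name__ == "__main__":
    recs, ready, missing, created = demo()
    print(f"backed up {len(recs)}, restored {created}, unresolved: {[m['NewPrincipalName'] for m in missing]}")
```

Run the backup before the identity source is changed and keep the JSON-serialisable `records` list somewhere outside IAM Identity Center; after the new domain has synced, `plan_restore` separates what can be re-granted from what cannot be matched, so that a principal that is missing or duplicated in the new store is reported rather than silently skipped or guessed. Splitting plan from restore also gives you a review step before any `create_account_assignment` call is made.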
To ensure a smooth transition, it's crucial to plan carefully, communicate the change to your users, and perform thorough testing before and after the switch. Consider performing the transition during a low-traffic period to minimize disruption to your users.
Remember to update any documentation or processes that reference the old Azure domain to reflect the new identity source after the transition is complete.
Sources
Managing identity source transition for AWS IAM Identity Center | AWS Security Blog
Impact of Implementing AWS Federated SSO with Google Workspace on Existing AWS IAM Users | AWS re:Post