DEV Community

John Ajera

AWS IAM Identity Center: Custom Access Portal URL

After you enable IAM Identity Center, the default AWS access portal URL uses an opaque subdomain under awsapps.com. You can replace that prefix once with a custom access portal URL so sign-in links are easier to recognize and communicate. This guide walks through what that means, how to set it in the console, and what to verify afterward.


1. Overview

This article covers how to:

  • Understand the difference between the default and custom access portal URL (https://…awsapps.com/start)
  • Customize the subdomain once from the IAM Identity Center console (no separate AWS charge for this step)
  • Confirm sign-in still works and refresh bookmarks, runbooks, and onboarding docs that referenced the old URL

It does not cover bringing your own DNS name (for example sso.example.com); the portal stays on *.awsapps.com.


2. Prerequisites

  • Management account (or delegated admin where your org’s Identity Center instance lives) with permission to change Identity Center settings
  • IAM Identity Center enabled for the organization
  • Console access in the Identity Center Region (the region shown as primary for your instance; for example ap-southeast-2)
  • A stable subdomain label you are willing to keep: AWS documents that you cannot edit the access portal URL after you customize it

3. What changes when you customize the URL

Default vs custom

By default, the portal looks like:

https://xxxxxxxxxx.awsapps.com/start

After customization it becomes:

https://your-subdomain.awsapps.com/start

Only the first label (the part before .awsapps.com) changes. The path /start and the fact that traffic uses HTTPS to awsapps.com stay the same.

One-time operation

AWS states clearly: if you change the AWS access portal URL, you cannot edit it later. If the Customize control does not appear under the portal URL in the dashboard, the URL has already been customized. Treat the choice like a permanent hostname for your organization.

Not the same as “Instance name”

The Instance name in Settings summary is a console-friendly label. The access portal URL is what users type or bookmark. You can set both; they serve different purposes.


4. Customize the access portal URL (console)

  1. Open the IAM Identity Center console.
  2. Select the Region where your Identity Center instance is registered if the console prompts you (must match your instance’s primary region).
  3. In the navigation pane, open Dashboard.
  4. In Settings summary, find the AWS access portal URL and choose Customize (only shown if customization is still available).
  5. Enter your desired subdomain and save.

When the operation completes, use the new URL to open the access portal and confirm the sign-in page loads.


5. After you save

  • Tell your users the new portal URL and ask them to update bookmarks.
  • Update internal documentation, wiki pages, and new-hire instructions that still point at the old hostname.
  • If you use CLI or IDE profiles that reference the portal URL (for example AWS CLI aws configure sso / sso_start_url), align those configs with the new URL on each machine.
  • If anything in your IdP or application configuration hard-coded the old portal URL, plan a coordinated update (uncommon for the bare portal hostname, but easy to miss in custom integrations).
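
To find the CLI configs mentioned above, the following Python script (an added example, not code from the original post or from AWS) audits the text of an AWS CLI config file for sso_start_url values that do not match the customized portal URL. The sample config, its profile and session names, and the function names normalize and audit_sso_start_urls are constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample of ~/.aws/config; hostnames reuse the page's placeholders.
SAMPLE_CONFIG = """\
[default]
region = ap-southeast-2

[sso-session corp]
sso_start_url = https://xxxxxxxxxx.awsapps.com/start
sso_region = ap-southeast-2

[profile dev]
sso_session = corp
sso_account_id = 111122223333

[profile current]
sso_start_url = https://Your-Subdomain.awsapps.com/start/#/
sso_region = ap-southeast-2

[profile odd]
sso_start_url = http://your-subdomain.awsapps.com.example.net/start
"""

def normalize(url):
    """Reduce a URL to (scheme, host, path); case, trailing slash and fragment are ignored."""
    parts = urlsplit(url.strip())
    return parts.scheme, parts.hostname or "", parts.path.rstrip("/")

def audit_sso_start_urls(config_text, expected_url):
    """Map each section whose sso_start_url differs from expected_url to (url, reason)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    want = normalize(expected_url)
    findings = {}
    for section in parser.sections():
        url = parser.get(section, "sso_start_url", fallback=None)
        if url is None or normalize(url) == want:
            continue
        scheme, host, path = normalize(url)
        # Per the article, the portal stays on HTTPS, *.awsapps.com and /start.
        on_portal = scheme == "https" and host.endswith(".awsapps.com") and path == "/start"
        reason = "different awsapps.com subdomain" if on_portal else "not an access portal URL"
        findings[section] = (url, reason)
    return findings

if __name__ == "__main__":
    expected = "https://your-subdomain.awsapps.com/start"
    for name, (url, reason) in audit_sso_start_urls(SAMPLE_CONFIG, expected).items():
        print(f"[{name}] {reason}: {url}")
```

To audit a real machine, pass the contents of ~/.aws/config as config_text and your customized URL as expected_url.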

6. Summary: Copy-Paste

Customizing the subdomain is a console workflow; there is no documented AWS CLI parameter to set the access portal hostname after the fact. You can still list your instance from the CLI (replace the region with your Identity Center region):

aws sso-admin list-instances --region ap-southeast-2

Example sign-in URL pattern after customization (replace your-subdomain):

https://your-subdomain.awsapps.com/start

7. Troubleshooting

| Issue | What to try |
| --- | --- |
| Customize does not appear | The portal URL may already be customized. AWS does not offer a console option to change it again. |
| Console shows the wrong account or empty Identity Center | Use the organization management account (or the account where the instance was created) and the correct region. |
| Users see errors after the change | Confirm they use the new https://…awsapps.com/start URL, clear old bookmarks, and refresh SSO/CLI sso_start_url values. |
