AWS Single Sign-On Admin

2026/02/03 - AWS Single Sign-On Admin - 4 new, 2 updated API methods

Changes: Added new Region management APIs to support multi-Region replication in IAM Identity Center.

AddRegion (new)

Adds a Region to an IAM Identity Center instance. This operation initiates an asynchronous workflow to replicate the IAM Identity Center instance to the target Region. The Region status is set to ADDING at first and changes to ACTIVE when the workflow completes.

To use this operation, your IAM Identity Center instance and the target Region must meet the requirements described in the IAM Identity Center User Guide.

The following actions are related to AddRegion:

See also: AWS API Documentation

Request Syntax

client.add_region(
    InstanceArn='string',
    RegionName='string'
)
type InstanceArn:

string

param InstanceArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM Identity Center instance to replicate to the target Region.

type RegionName:

string

param RegionName:

[REQUIRED]

The name of the Amazon Web Services Region to add to the IAM Identity Center instance. The Region name must be 1-32 characters long and follow the pattern of Amazon Web Services Region names (for example, us-east-1).

rtype:

dict

returns:

Response Syntax

{
    'Status': 'ACTIVE'|'ADDING'|'REMOVING'
}

Response Structure

  • (dict) --

    • Status (string) --

      The status of the Region after the Add operation. The status is ADDING when the asynchronous workflow is in progress and changes to ACTIVE when complete.

ListRegions (new)

Lists all enabled Regions of an IAM Identity Center instance, including those that are being added or removed. This operation returns Regions with ACTIVE, ADDING, or REMOVING status.

The following actions are related to ListRegions:

See also: AWS API Documentation

Request Syntax

client.list_regions(
    InstanceArn='string',
    MaxResults=123,
    NextToken='string'
)
type InstanceArn:

string

param InstanceArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM Identity Center instance.

type MaxResults:

integer

param MaxResults:

The maximum number of results to return in a single call. Default is 100.

type NextToken:

string

param NextToken:

The pagination token for the list API. Initially the value is null. Use the output of previous API calls to make subsequent calls.

rtype:

dict

returns:

Response Syntax

{
    'Regions': [
        {
            'RegionName': 'string',
            'Status': 'ACTIVE'|'ADDING'|'REMOVING',
            'AddedDate': datetime(2015, 1, 1),
            'IsPrimaryRegion': True|False
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Regions (list) --

      The list of Regions enabled in the IAM Identity Center instance, including Regions with ACTIVE, ADDING, or REMOVING status.

      • (dict) --

        Contains information about an enabled Region of an IAM Identity Center instance, including the Region name, status, date added, and whether it is the primary Region.

        • RegionName (string) --

          The Amazon Web Services Region name.

        • Status (string) --

          The current status of the Region. Valid values are ACTIVE (Region is operational), ADDING (Region extension workflow is in progress), or REMOVING (Region removal workflow is in progress).

        • AddedDate (datetime) --

          The timestamp when the Region was added to the IAM Identity Center instance. For the primary Region, this is the instance creation time.

        • IsPrimaryRegion (boolean) --

          Indicates whether this is the primary Region where the IAM Identity Center instance was originally enabled. The primary Region cannot be removed.

    • NextToken (string) --

      The pagination token to be used in subsequent calls. If the value is null, then there are no more entries.

RemoveRegion (new)

Removes an additional Region from an IAM Identity Center instance. This operation initiates an asynchronous workflow to clean up IAM Identity Center resources in the specified additional Region. The Region status is set to REMOVING and the Region record is deleted when the workflow completes. The request must be made from the primary Region. The target Region cannot be the primary Region, and no other add or remove Region workflows can be in progress.

The following actions are related to RemoveRegion:

See also: AWS API Documentation

Request Syntax

client.remove_region(
    InstanceArn='string',
    RegionName='string'
)
type InstanceArn:

string

param InstanceArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM Identity Center instance.

type RegionName:

string

param RegionName:

[REQUIRED]

The name of the Amazon Web Services Region to remove from the IAM Identity Center instance. The Region name must be 1-32 characters long and follow the pattern of Amazon Web Services Region names (for example, us-east-1). The primary Region cannot be removed.

rtype:

dict

returns:

Response Syntax

{
    'Status': 'ACTIVE'|'ADDING'|'REMOVING'
}

Response Structure

  • (dict) --

    • Status (string) --

      The status of the Region after the remove operation. The status is REMOVING when the asynchronous workflow is in progress. The Region record is deleted when the workflow completes.
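An added example (not part of the boto3 reference) that paginates ListRegions with NextToken, flags Regions outside an approved set or with a workflow still in progress, and checks the RemoveRegion preconditions stated above. FakeSsoAdmin and its three constructed Region records stand in for a real boto3 sso-admin client; the instance ARN is a placeholder.

```python
from datetime import datetime

class FakeSsoAdmin:
    """Constructed stand-in for boto3.client('sso-admin') serving this page's ListRegions shape."""
    _rows = [
        {"RegionName": "us-east-1", "Status": "ACTIVE", "AddedDate": datetime(2024, 1, 1), "IsPrimaryRegion": True},
        {"RegionName": "eu-west-1", "Status": "ACTIVE", "AddedDate": datetime(2025, 6, 1), "IsPrimaryRegion": False},
        {"RegionName": "ap-southeast-1", "Status": "ADDING", "AddedDate": datetime(2026, 2, 3), "IsPrimaryRegion": False},
    ]

    def list_regions(self, InstanceArn, MaxResults=100, NextToken=None):
        start = int(NextToken) if NextToken else 0
        page = self._rows[start:start + MaxResults]
        resp = {"Regions": page}
        if start + MaxResults < len(self._rows):
            resp["NextToken"] = str(start + MaxResults)  # more pages remain
        return resp

def list_all_regions(client, instance_arn, page_size=100):
    """Follow NextToken until it is absent; a single call may be incomplete."""
    regions, token = [], None
    while True:
        kwargs = {"InstanceArn": instance_arn, "MaxResults": page_size}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_regions(**kwargs)
        regions.extend(resp["Regions"])
        token = resp.get("NextToken")
        if not token:
            return regions

def audit_regions(client, instance_arn, approved, page_size=100):
    """Flag Regions outside the approved set and workflows still running."""
    regions = list_all_regions(client, instance_arn, page_size)
    return {
        "primary": [r["RegionName"] for r in regions if r["IsPrimaryRegion"]],
        "unapproved": sorted(r["RegionName"] for r in regions
                             if r["RegionName"] not in approved),
        "in_progress": {r["RegionName"]: r["Status"]
                        for r in regions if r["Status"] != "ACTIVE"},
    }

def can_remove(client, instance_arn, region, page_size=100):
    """RemoveRegion preconditions: target enabled, not primary, no workflow in progress."""
    regions = list_all_regions(client, instance_arn, page_size)
    target = next((r for r in regions if r["RegionName"] == region), None)
    if target is None or target["IsPrimaryRegion"]:
        return False
    return all(r["Status"] == "ACTIVE" for r in regions)
```

Unexpected entries in "unapproved" are the signal to investigate: replication of the instance to a Region nobody approved extends the identity blast radius, and CloudTrail for AddRegion in that Region should show who initiated it.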

DescribeRegion (new)

Retrieves details about a specific Region enabled in an IAM Identity Center instance. Details include the Region name, current status (ACTIVE, ADDING, or REMOVING), the date when the Region was added, and whether it is the primary Region. The request must be made from one of the enabled Regions of the IAM Identity Center instance.

The following actions are related to DescribeRegion:

See also: AWS API Documentation

Request Syntax

client.describe_region(
    InstanceArn='string',
    RegionName='string'
)
type InstanceArn:

string

param InstanceArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM Identity Center instance.

type RegionName:

string

param RegionName:

[REQUIRED]

The name of the Amazon Web Services Region to retrieve information about. The Region name must be 1-32 characters long and follow the pattern of Amazon Web Services Region names (for example, us-east-1).

rtype:

dict

returns:

Response Syntax

{
    'RegionName': 'string',
    'Status': 'ACTIVE'|'ADDING'|'REMOVING',
    'AddedDate': datetime(2015, 1, 1),
    'IsPrimaryRegion': True|False
}

Response Structure

  • (dict) --

    • RegionName (string) --

      The Amazon Web Services Region name.

    • Status (string) --

      The current status of the Region. Valid values are ACTIVE (Region is operational), ADDING (Region replication workflow is in progress), or REMOVING (Region removal workflow is in progress).

    • AddedDate (datetime) --

      The timestamp when the Region was added to the IAM Identity Center instance. For the primary Region, this is the IAM Identity Center instance creation time.

    • IsPrimaryRegion (boolean) --

      Indicates whether this is the primary Region where the IAM Identity Center instance was originally enabled. For more information on the difference between the primary Region and additional Regions, see the IAM Identity Center User Guide.

DescribeApplication (updated)
Changes (response)
{'CreatedFrom': 'string'}

Retrieves the details of an application associated with an instance of IAM Identity Center.

See also: AWS API Documentation

Request Syntax

client.describe_application(
    ApplicationArn='string'
)
type ApplicationArn:

string

param ApplicationArn:

[REQUIRED]

Specifies the ARN of the application. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon Web Services General Reference.

rtype:

dict

returns:

Response Syntax

{
    'ApplicationArn': 'string',
    'ApplicationProviderArn': 'string',
    'Name': 'string',
    'ApplicationAccount': 'string',
    'InstanceArn': 'string',
    'Status': 'ENABLED'|'DISABLED',
    'PortalOptions': {
        'SignInOptions': {
            'Origin': 'IDENTITY_CENTER'|'APPLICATION',
            'ApplicationUrl': 'string'
        },
        'Visibility': 'ENABLED'|'DISABLED'
    },
    'Description': 'string',
    'CreatedDate': datetime(2015, 1, 1),
    'CreatedFrom': 'string'
}

Response Structure

  • (dict) --

    • ApplicationArn (string) --

      Specifies the ARN of the application.

    • ApplicationProviderArn (string) --

      The ARN of the application provider under which the operation will run.

    • Name (string) --

      The application name.

    • ApplicationAccount (string) --

      The account ID.

    • InstanceArn (string) --

      The ARN of the IAM Identity Center instance under which the operation will run. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon Web Services General Reference.

    • Status (string) --

      Specifies whether the application is enabled or disabled.

    • PortalOptions (dict) --

      A structure that describes the options for the portal associated with an application.

      • SignInOptions (dict) --

        A structure that describes the sign-in options for the access portal.

        • Origin (string) --

          This determines how IAM Identity Center navigates the user to the target application. It can be one of the following values:

          • APPLICATION: IAM Identity Center redirects the customer to the configured ApplicationUrl.

          • IDENTITY_CENTER: IAM Identity Center uses SAML identity-provider initiated authentication to sign the customer directly into a SAML-based application.

        • ApplicationUrl (string) --

          The URL that accepts authentication requests for an application. This is a required parameter if the Origin parameter is APPLICATION.

      • Visibility (string) --

        Indicates whether this application is visible in the access portal.

    • Description (string) --

      The description of the application.

    • CreatedDate (datetime) --

      The date the application was created.

    • CreatedFrom (string) --

      The Amazon Web Services Region where the application was created in IAM Identity Center.

ListApplications (updated)
Changes (response)
{'Applications': {'CreatedFrom': 'string'}}

Lists all applications associated with the instance of IAM Identity Center. When listing applications for an organization instance in the management account, member accounts must use the applicationAccount parameter to filter the list to only applications created from that account. When listing applications for an account instance in the same member account, a filter is not required.

See also: AWS API Documentation

Request Syntax

client.list_applications(
    InstanceArn='string',
    MaxResults=123,
    NextToken='string',
    Filter={
        'ApplicationAccount': 'string',
        'ApplicationProvider': 'string'
    }
)
type InstanceArn:

string

param InstanceArn:

[REQUIRED]

The ARN of the IAM Identity Center instance under which the operation will run. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon Web Services General Reference.

type MaxResults:

integer

param MaxResults:

Specifies the total number of results that you want included in each response. If additional items exist beyond the number you specify, the NextToken response element is returned with a value (not null). Include the specified value as the NextToken request parameter in the next call to the operation to get the next set of results. Note that the service might return fewer results than the maximum even when there are more results available. You should check NextToken after every operation to ensure that you receive all of the results.

type NextToken:

string

param NextToken:

Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call's NextToken response to request the next page of results.

type Filter:

dict

param Filter:

Filters response results.

  • ApplicationAccount (string) --

    An Amazon Web Services account ID number that filters the results in the response.

  • ApplicationProvider (string) --

    The ARN of an application provider that can filter the results in the response.

rtype:

dict

returns:

Response Syntax

{
    'Applications': [
        {
            'ApplicationArn': 'string',
            'ApplicationProviderArn': 'string',
            'Name': 'string',
            'ApplicationAccount': 'string',
            'InstanceArn': 'string',
            'Status': 'ENABLED'|'DISABLED',
            'PortalOptions': {
                'SignInOptions': {
                    'Origin': 'IDENTITY_CENTER'|'APPLICATION',
                    'ApplicationUrl': 'string'
                },
                'Visibility': 'ENABLED'|'DISABLED'
            },
            'Description': 'string',
            'CreatedDate': datetime(2015, 1, 1),
            'CreatedFrom': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Applications (list) --

      Retrieves all applications associated with the instance.

      • (dict) --

        A structure that describes an application that uses IAM Identity Center for access management.

        • ApplicationArn (string) --

          The ARN of the application.

        • ApplicationProviderArn (string) --

          The ARN of the application provider for this application.

        • Name (string) --

          The name of the application.

        • ApplicationAccount (string) --

          The Amazon Web Services account ID number of the application.

        • InstanceArn (string) --

          The ARN of the instance of IAM Identity Center that is configured with this application.

        • Status (string) --

          The current status of the application in this instance of IAM Identity Center.

        • PortalOptions (dict) --

          A structure that describes the options for the access portal associated with this application.

          • SignInOptions (dict) --

            A structure that describes the sign-in options for the access portal.

            • Origin (string) --

              This determines how IAM Identity Center navigates the user to the target application. It can be one of the following values:

              • APPLICATION: IAM Identity Center redirects the customer to the configured ApplicationUrl.

              • IDENTITY_CENTER: IAM Identity Center uses SAML identity-provider initiated authentication to sign the customer directly into a SAML-based application.

            • ApplicationUrl (string) --

              The URL that accepts authentication requests for an application. This is a required parameter if the Origin parameter is APPLICATION.

          • Visibility (string) --

            Indicates whether this application is visible in the access portal.

        • Description (string) --

          The description of the application.

        • CreatedDate (datetime) --

          The date and time when the application was originally created.

        • CreatedFrom (string) --

          The Amazon Web Services Region where the application was created in IAM Identity Center.

    • NextToken (string) --

      If present, this value indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null. This indicates that this is the last page of results.