as @billowy-army-68599 suggested, a lot of single signon solutions (I'm only personal familiar with OneLogin) forego the use of IAM users entirely. instead, you log into your single-signon provider and they give you some temporary role credentials that you can use to access AWS resources--or they pass temporary role credentials along to websites you access (including the AWS console), and the website uses those role credentials to access AWS services on your behalf. The role credentials are temporary and need to be refreshed. This is important to note, and one of the main pain-points of this model, because it means that you can't just launch a long-running process on your desktop and go home to sleep. At some point the temporary credentials will expire and you will have to re-authenticate with your SSO provider. This problem may have been alleviated since last I looked at it.