IAM Identity Center is the replacement for the older AWS SSO. It allows you to sign in with one AWS account and use single sign-on (SSO) to access multiple IAM accounts with that one login. It also lets you use single sign-on not just with your AWS services, but also with Windows EC2 instances, Salesforce, etc. Here is how it works: users sign in, and IAM Identity Center refers to an identity pool. This can be IAM Identity Center's own identity pool, or a third party such as Active Directory. From there, users can use SSO to sign in to their applications.
You may be wondering how permissions are applied with SSO. That is done with IAM permission sets. These permission sets can be assigned to a specific IAM user or a group, and they allow you to set which actions your SSO users can perform within a specific OU in your AWS Organization. An IAM role is created for the permission sets, and when you use SSO your account assumes that role with the appropriate permission set associated with that OU. To simplify permission sets, you can use attribute-based access control (ABAC) to define policies based on attributes, or tags, assigned to a user or group. To change access, you just update the attributes on your users as needed.
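
As an added illustration (not part of the original notes), this is what an inline policy attached to a permission set could look like when it relies on attribute-based access control. It assumes a user attribute named `CostCenter` has been mapped for access control in IAM Identity Center and that EC2 instances carry a tag with the same key; the attribute name, the `Sid` values and the choice of EC2 actions are assumptions made for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleListInstances",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "ExampleStartStopMatchingCostCenter",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"
        }
      }
    }
  ]
}
```

The second statement only matches when the instance's `CostCenter` tag equals the value carried by the signed-in user, so one permission set serves every team. Moving a user to another team means changing the attribute on the user, not editing the policy.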