Identity Federation in AWS

  • Identity federation is a system of trust between two parties for the purpose of authenticating users and conveying information needed to authorize their access to resources.

  • In this system, an identity provider (IdP) is responsible for user authentication, and a service provider (SP), such as a service or an application, controls access to resources.

    • You don't need to create IAM users with identity federation.

SAML 2.0

  • Security Assertion Markup Language 2.0 (SAML) is an open federation standard that allows an identity provider (IdP) to authenticate users and pass identity and security information about them to a service provider (SP), typically an application or service.

  • Users authenticate with the IdP once using a single set of credentials, and then get access to multiple applications and services without additional sign-ins.

Active Directory Federation Services (AD FS)

  1. A corporate user opens the corporate Active Directory Federation Services portal sign-in page and provides Active Directory authentication credentials.

  2. AD FS authenticates the user against Active Directory.

  3. Active Directory returns the user’s information, including AD group membership information.

  4. AD FS dynamically builds ARNs by using Active Directory group memberships for the IAM roles and user attributes for the AWS account IDs, and sends a signed assertion to the user's browser with a redirect to post the assertion to AWS STS.

  5. Temporary credentials are returned using STS AssumeRoleWithSAML.

  6. The user is authenticated and provided access to the AWS management console.
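The following is an added example (not code from the original page) of steps 4 and 5 above from the relying side: it parses the role attribute an IdP such as AD FS places in the SAML assertion, refuses role/provider pairs outside the accounts the broker expects, and exchanges the assertion for temporary credentials with STS AssumeRoleWithSAML. The attribute name is the one AWS documents for SAML federation; the sample assertion is constructed and unsigned, and the STS client is injected (any object with an `assume_role_with_saml` method, such as `boto3.client("sts")`) so the flow can be exercised offline.

```python
"""Exchange the SAML assertion an IdP such as AD FS produces for temporary credentials.

Added example, not code from the original page. Assumptions: the attribute name is
the one AWS documents for SAML federation; SAMPLE_ASSERTION is constructed and
unsigned; the STS client is injected so the exchange can be run without AWS access.
"""
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample: one "role ARN,provider ARN" value per role the IdP mapped
# from the user's AD group memberships. The second value is deliberately reversed.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111122223333:role/ADFS-Dev,arn:aws:iam::111122223333:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::444455556666:saml-provider/ADFS,arn:aws:iam::444455556666:role/ADFS-Prod</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_role_pairs(assertion_xml: str) -> list[tuple[str, str]]:
    """Return (role_arn, provider_arn) pairs from the Role attribute.
    AWS accepts either order inside a value, so normalise to role ARN first."""
    root = ET.fromstring(assertion_xml)
    pairs: list[tuple[str, str]] = []
    for attr in root.iter(f"{{{SAML_NS['saml']}}}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                raise ValueError(f"malformed Role value: {value.text!r}")
            if ":role/" in parts[1]:
                parts.reverse()
            role_arn, provider_arn = parts
            if ":role/" not in role_arn or ":saml-provider/" not in provider_arn:
                raise ValueError(f"malformed Role value: {value.text!r}")
            pairs.append((role_arn, provider_arn))
    return pairs


def account_of(arn: str) -> str:
    """The account id is the fifth colon-separated field of an IAM ARN."""
    return arn.split(":")[4]


def select_role(pairs, allowed_accounts, role_name):
    """Pick the requested role, refusing ARNs outside the accounts this deployment
    owns. The assertion is IdP-supplied data, so the pairing is checked here too."""
    for role_arn, provider_arn in pairs:
        if (role_arn.endswith(f":role/{role_name}")
                and account_of(role_arn) in allowed_accounts
                and account_of(provider_arn) == account_of(role_arn)):
            return role_arn, provider_arn
    raise LookupError(f"no permitted role named {role_name!r} in assertion")


def encode_assertion(assertion_xml: str) -> str:
    """STS expects the SAML response base64-encoded, as the IdP posts it to the browser."""
    return base64.b64encode(assertion_xml.encode()).decode()


def assume_with_saml(sts, assertion_xml, role_arn, provider_arn, duration_seconds=3600):
    """Step 5: AssumeRoleWithSAML is called without AWS credentials; STS checks the
    assertion's signature against the certificate registered on the SAML provider."""
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=provider_arn,
        SAMLAssertion=encode_assertion(assertion_xml),
        DurationSeconds=duration_seconds,
    )
    return resp["Credentials"]


if __name__ == "__main__":
    found = parse_role_pairs(SAMPLE_ASSERTION)
    for role, provider in found:
        print(role, "via", provider)
    print("selected:", select_role(found, {"111122223333"}, "ADFS-Dev"))
```

The account check in `select_role` is the defender's addition: the role ARNs arrive inside IdP-controlled data, so a broker that forwards whatever the assertion names is trusting the IdP's attribute mapping completely; pinning the permitted account IDs keeps a mapping mistake from handing out a role in the wrong account.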

Custom Identity Broker

  • You write and run code to create a URL that lets users who sign in to your organization's network securely access the AWS Management Console.

  • The URL includes a sign-in token that you get from AWS and that authenticates the user to AWS.

  • In this case, the identity broker itself communicates with STS to give the user credentials.
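An added example (not the page's own code) of the URL construction the three bullets above describe: the broker packs the temporary credentials it obtained from STS into the session JSON the AWS federation endpoint expects, requests a sign-in token, and builds the console login URL around that token. It assumes the `getSigninToken` / `login` actions and parameter names AWS documents for custom identity brokers; the credentials are constructed, and the HTTP fetch is injected so the construction can be run offline.

```python
"""Build the console sign-in URL a custom identity broker hands to a user.

Added example, not code from the original page. Assumes the federation endpoint
actions (getSigninToken, login) and parameter names AWS documents for custom
brokers; the credentials below are constructed and the HTTP GET is injected.
"""
from __future__ import annotations

import json
from urllib.parse import urlencode

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"


def session_json(creds: dict) -> str:
    """Pack temporary credentials (from AssumeRole or GetFederationToken) in the
    shape the federation endpoint expects."""
    return json.dumps({
        "sessionId": creds["AccessKeyId"],
        "sessionKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
    })


def signin_token_url(creds: dict, duration_seconds: int | None = None) -> str:
    """URL the broker (not the user) calls to trade the session for a sign-in token.
    SessionDuration only applies to credentials obtained through AssumeRole."""
    params = {"Action": "getSigninToken", "Session": session_json(creds)}
    if duration_seconds is not None:
        if not 900 <= duration_seconds <= 43200:
            raise ValueError("SessionDuration must be 900..43200 seconds")
        params["SessionDuration"] = str(duration_seconds)
    return f"{FEDERATION_ENDPOINT}?{urlencode(params)}"


def fetch_signin_token(creds: dict, http_get, duration_seconds: int | None = None) -> str:
    """http_get(url) -> response body; the endpoint answers {"SigninToken": "..."}."""
    body = http_get(signin_token_url(creds, duration_seconds))
    return json.loads(body)["SigninToken"]


def login_url(signin_token: str, issuer: str, destination: str = CONSOLE_URL) -> str:
    """The URL handed to the user's browser. Only the short-lived sign-in token
    leaves the broker; the temporary credentials themselves never reach the user."""
    params = {
        "Action": "login",
        "Issuer": issuer,          # where the console sends the user when the session ends
        "Destination": destination,
        "SigninToken": signin_token,
    }
    return f"{FEDERATION_ENDPOINT}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed credentials; a real broker gets these from STS.
    sample_creds = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret", "SessionToken": "token"}

    def fake_get(url: str) -> str:  # stands in for urllib/requests in this demo
        return '{"SigninToken": "tok123"}'

    token = fetch_signin_token(sample_creds, fake_get, 3600)
    print(login_url(token, "https://broker.example.com", "https://console.aws.amazon.com/s3"))
```

Keeping the credential-bearing `getSigninToken` call on the broker side, and giving the user only the resulting `login` URL, is what makes this pattern safe to expose: the browser sees a token bound to one console session, not the access key and session token behind it.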

Web Identity Federation

  • With web identity federation, you don't need to create custom sign-in code or manage your own user identities.

    • Instead, users of your app can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP.

  • For most scenarios, AWS recommends that you use Amazon Cognito because it acts as an identity broker and does much of the federation work for you.

Cognito

  • The preferred way to use web identity federation is to use Amazon Cognito.

  • You don't need any long-term AWS credentials; instead, you sign in with a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)-compatible IdP.
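An added example (not the page's code) covering both the web identity federation and Cognito bullets above: the app hands the token it received from an external IdP to a Cognito identity pool, which acts as the broker, verifies the token with the IdP, and returns temporary AWS credentials, so the app holds no long-term keys. It assumes the boto3 `cognito-identity` calls `get_id` and `get_credentials_for_identity` and the `Logins` map keys as AWS documents them; the pool id, token and returned values are constructed, and the client is injected (for example `boto3.client("cognito-identity")`) so the flow runs offline.

```python
"""Web identity federation through an Amazon Cognito identity pool.

Added example, not code from the original page. Assumes the cognito-identity API
calls get_id / get_credentials_for_identity and the Logins keys AWS documents for
public IdPs; the pool id, token and returned values are constructed and the
client is injected so the exchange runs without AWS access.
"""
from __future__ import annotations

# Logins-map keys Cognito uses for a few public IdPs (not an exhaustive list).
PROVIDER_KEYS = {
    "google": "accounts.google.com",
    "facebook": "graph.facebook.com",
    "amazon": "www.amazon.com",
}


def logins_map(provider: str, idp_token: str, oidc_issuer: str | None = None) -> dict[str, str]:
    """Map the IdP's token to the key Cognito expects. For a generic OIDC provider
    the key is the provider name registered on the identity pool (assumption:
    passed in here as oidc_issuer)."""
    if not idp_token:
        raise ValueError("empty IdP token")
    if provider == "oidc":
        if not oidc_issuer:
            raise ValueError("oidc provider needs the registered issuer name")
        return {oidc_issuer: idp_token}
    try:
        return {PROVIDER_KEYS[provider]: idp_token}
    except KeyError:
        raise ValueError(f"unknown provider {provider!r}") from None


def federated_credentials(cognito, identity_pool_id: str, provider: str,
                          idp_token: str, oidc_issuer: str | None = None) -> dict:
    """Two calls replace the custom broker: Cognito validates the token with the IdP,
    issues a stable identity id, then assumes the pool's authenticated role."""
    logins = logins_map(provider, idp_token, oidc_issuer)
    identity_id = cognito.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    resp = cognito.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    c = resp["Credentials"]
    return {
        "IdentityId": identity_id,
        "AccessKeyId": c["AccessKeyId"],
        "SecretAccessKey": c["SecretKey"],   # Cognito names this field SecretKey
        "SessionToken": c["SessionToken"],
    }


if __name__ == "__main__":
    class DemoClient:  # stands in for boto3.client("cognito-identity"); values constructed
        def get_id(self, **kw):
            return {"IdentityId": "us-east-1:00000000-0000-0000-0000-000000000000"}

        def get_credentials_for_identity(self, **kw):
            return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretKey": "s", "SessionToken": "t"}}

    print(federated_credentials(DemoClient(), "us-east-1:example-pool-id", "google", "id-token-from-google"))
```

The app never sees a long-term key: the only secrets it handles are the IdP token it was given at sign-in and the short-lived credentials Cognito returns, which expire on their own.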
