# Identity Federation in AWS

* Identity federation is a **system of trust between two parties for the purpose of authenticating users** and conveying information needed to authorize their access to resources.
* In this system, an **identity provider (IdP) is responsible for user authentication**, and a **service provider (SP), such as a service or an application, controls access to resources**.
  * You **don't need to create IAM users** with identity federation.

## SAML 2.0

* Security Assertion Markup Language 2.0 **(SAML) is an open federation standard that allows an identity provider (IdP) to authenticate users and pass identity and security information about them to a service provider (SP)**, typically an application or service.
* **Users authenticate with the IdP once using a single set of credentials**, and then get access to multiple applications and services **without additional sign-ins**.

## Active Directory Federation Services (AD FS)

1. Corporate user accesses the corporate Active Directory Federation Services portal sign-in page and the **user provides Active Directory authentication credentials**.
2. **AD FS authenticates the user against Active Directory**.
3. **Active Directory returns the user’s information**, including AD group membership information.
4. **AD FS dynamically builds ARNs by using Active Directory group memberships for the IAM roles** and user attributes for the AWS account IDs, and sends a signed assertion to the user's browser with a redirect to post the assertion to AWS STS.
5. Temporary **credentials are returned using STS AssumeRoleWithSAML**.
6. The **user is authenticated** and provided access to the AWS management console.

## Custom Identity Broker

* You **write and run code to create a URL that lets users who sign in to your organization's network securely access the AWS Management Console**.
* The **URL includes a sign-in token** that you get from AWS and **that authenticates the user to AWS**.
* In this case, the **identity broker itself communicates with STS** to give the user credentials.
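The broker flow above, as an added example that is not part of the original page: the broker calls STS for temporary credentials, exchanges them for a sign-in token at AWS's federation endpoint, and builds the console login URL. The role ARN, issuer and the `boto3` dependency are assumptions; the endpoint and its `getSigninToken`/`login` actions are the documented ones.

```python
import json
import urllib.parse
import urllib.request

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"

def session_json(creds):
    """Pack temporary STS credentials into the JSON the endpoint expects."""
    return json.dumps({"sessionId": creds["AccessKeyId"],
                       "sessionKey": creds["SecretAccessKey"],
                       "sessionToken": creds["SessionToken"]})

def signin_token_url(creds, duration_seconds=3600):
    """Broker step 2: exchange the credentials for a sign-in token.
    This URL carries the secret key, so fetch it server-side and never log it."""
    params = {"Action": "getSigninToken",
              "SessionDuration": str(duration_seconds),
              "Session": session_json(creds)}
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(params)

def parse_signin_token(body):
    """The endpoint answers with a JSON document {"SigninToken": "..."}."""
    return json.loads(body)["SigninToken"]

def fetch_signin_token(creds):
    with urllib.request.urlopen(signin_token_url(creds)) as resp:
        return parse_signin_token(resp.read())

def console_login_url(signin_token, issuer,
                      destination="https://console.aws.amazon.com/"):
    """Broker step 3: the URL handed to the user's browser. The short-lived
    token, not any long-term key, is what authenticates the user to AWS."""
    params = {"Action": "login", "Issuer": issuer,
              "Destination": destination, "SigninToken": signin_token}
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(params)

def assume_role_for_user(role_arn, user_id):
    """Broker step 1: the broker itself calls STS. The session name ties the
    resulting CloudTrail events back to the corporate user."""
    import boto3  # imported here so the URL helpers work without boto3
    resp = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=user_id, DurationSeconds=3600)
    return resp["Credentials"]

if __name__ == "__main__":  # placeholder role ARN and issuer, not real values
    creds = assume_role_for_user(
        "arn:aws:iam::123456789012:role/ConsoleBrokerRole", "alice")
    print(console_login_url(fetch_signin_token(creds),
                            issuer="https://broker.example.com"))
```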

## Web Identity Federation

* With web identity federation, you **don't need to create custom sign-in code or manage your own user identities**.
  * Instead, **users of your app can sign in using a well-known external identity provider (IdP)**, such as **Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP**.
* For most scenarios, **AWS recommends that you use Amazon Cognito** because it acts as an identity broker and does much of the federation work for you.

## Cognito

* The **preferred way to use web identity federation is to use Amazon Cognito**.
* You **don't need any long-term AWS credentials** and instead, you **sign in with a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)-compatible IdP**.
