📃
AWS SAA-C02
  • Practice Test Scores
  • Basics of IAM
  • Elastic Compute Cloud (EC2)
    • Overview
    • Security Groups
    • IP Addresses
    • User Data
    • Launch Types
    • Spot Instances
    • Instance Types
    • Amazon Machine Image (AMI)
    • Placement Groups
    • Elastic Network Interface (ENI)
    • Hibernate
  • Elastic Load Balancer (ELB)
    • Basic Terms
    • Elastic Load Balancing
    • Classic Load Balancer (CLB)
    • Application Load Balancer (ALB)
    • Network Load Balancer (NLB)
    • Stickiness
    • Cross Zone Load Balancing
    • SSL Certificates
    • Connection Draining/Deregistration Delay
  • Auto Scaling Groups (ASG)
    • Launch Configurations & Launch Templates
    • Overview
    • Dynamic Scaling and Scheduled Scaling
    • Lifecycle Hooks
    • Scaling Cooldowns
  • EC2 Storage (EBS, EFS, Instance Store)
    • Elastic Block Storage (EBS)
    • EBS Volume Types
    • EBS Snapshots
    • EBS Volume Migration
    • EBS Volume Encryption
    • EBS RAID configurations
    • Instance Store
    • Elastic File System (EFS)
    • EFS vs EBS
  • Relational Database Service (RDS)
    • RDS Overview
    • Running Databases on EC2
    • RDS Backups & RDS Restores
    • RDS Read Replicas
    • RDS Multi AZ
    • RDS Encryption
    • RDS IAM database authentication
    • Aurora
    • ElastiCache
  • Route53
    • Overview
    • DNS Record Types
    • Routing Policies
    • 3rd Party Domains
  • Simple Storage Service (S3)
    • S3
    • Server-Side Encryption
    • S3 Security
    • Pre-signed URLs
    • S3 Websites
    • Cross-origin resource sharing (CORS)
    • Consistency Model
  • Advanced S3 & Athena
    • MFA Delete
    • Access Logs
    • Replication
    • Storage Classes
    • Lifecycle Configuration
    • Performance Optimization
    • Select and Glacier Select
    • Event Notifications
    • Object Lock and Glacier Lock
    • Athena Overview
  • CloudFront & Global Accelerator
    • CloudFront Overview
    • CloudFront Signed URL / Signed Cookies
    • Global Accelerator
  • Storage Gateway & FSx & Snowball/Snowmobile
    • Storage Gateway Overview
    • Storage Gateway File Gateway Hardware Appliance
    • FSx for Windows Servers
    • FSx for Lustre
    • Storage Comparison
    • Snowball/Snowmobile Overview
  • AWS Messaging
  • Simple Queue Service (SQS)
    • Overview
    • Message Visibility Timeout
    • Dead Letter Queues
    • Delay Queues
    • FIFO Queues
    • SQS + Auto Scaling Group
  • Simple Notification Service (SNS)
    • Overview
    • SNS & SQS - Fan Out Pattern
  • Kinesis + MQ
    • Kinesis
    • Amazon MQ
  • Serverless
    • Lamda Overview
    • Lambda@Edge
    • DynamoDB Overview
    • DynamoDB RCUs and WCUs
    • DynamoDB Advanced Features
    • API Gateway Overview
    • API Gateway Security
    • Cognito Overview
    • AWS SAM (Serverless Application Model)
  • Databases & Analytics
    • Databases
    • Analytics
  • Monitoring
    • CloudWatch Concepts
    • CloudWatch Logs
    • CloudWatch Agent
    • EC2 Instance Recovery
    • CloudWatch Events
    • CloudTrail
    • Config
  • Mini Security Lesson
    • IAM Policies
    • Authorization
    • IAM Conditions
    • IAM for S3 Resources
    • IAM Permission Boundaries
  • Security & Management
    • Security Token Service (STS)
    • Identity Federation in AWS
    • Directory Service
    • Organizations
    • Resource Access Manager (RAM)
    • Single Sign On (SSO)
  • Security & Encryption
    • Encryption Overview
    • KMS Overview
    • SSM Parameter Store Overview
    • Secrets Manager Overview
    • CloudHSM
    • Shield
    • Web Application Firewall (WAF) Overview
  • Virtual Private Cloud (VPC)
    • Networking for VPCs
    • Default VPC Overview
    • VPC Overview
    • VPC Subnets
    • Internet Gateways & Route Tables
    • NAT Instances
    • NAT Gateways
    • DNS support in your VPC
    • NACLs vs Security Groups
    • VPC Peering
    • VPC Endpoints
    • VPC Flow Logs
    • Bastion Hosts
    • Site to Site VPN
    • Direct Connect
    • Egress-only Internet Gateway
    • AWS PrivateLink
    • AWS ClassicLink
    • VPN CloudHub
    • Transit Gateway
  • Disaster Recovery & Migrations
    • Plan for Disaster Recovery
    • Database Migration Service (DMS)
    • Migration Services
    • DataSync Overview
  • Other Services
    • Overview of Other Services
Powered by GitBook
On this page
  • SAML 2.0
  • Active Directory Federation Services (AD FS)
  • Custom Identity Broker
  • Web Identity Federation
  • Cognito

Was this helpful?

  1. Security & Management

Identity Federation in AWS

  • Identity federation is a system of trust between two parties for the purpose of authenticating users and conveying information needed to authorize their access to resources.

  • In this system, an identity provider (IdP) is responsible for user authentication, and a service provider (SP), such as a service or an application, controls access to resources.

    • You don't need to create IAM users with identity federation.

SAML 2.0

  • Security Assertion Markup Language 2.0 (SAML) is an open federation standard that allows an identity provider (IdP) to authenticate users and pass identity and security information about them to a service provider (SP), typically an application or service.

  • Users authenticate with the IdP once using a single set of credentials, and then get access to multiple applications and services without additional sign-ins.

Active Directory Federation Services (AD FS)

  1. Corporate user accesses the corporate Active Directory Federation Services portal sign-in page and the user provides Active Directory authentication credentials.

  2. AD FS authenticates the user against Active Directory.

  3. Active Directory returns the user’s information, including AD group membership information.

  4. AD FS dynamically builds ARNs by using Active Directory group memberships for the IAM roles and user attributes for the AWS account IDs, and sends a signed assertion to the users browser with a redirect to post the assertion to AWS STS.

  5. Temporary credentials are returned using STS AssumeRoleWithSAML.

  6. The user is authenticated and provided access to the AWS management console.

Custom Identity Broker

  • You write and run code to create a URL that lets users who sign in to your organization's network securely access the AWS Management Console.

  • The URL includes a sign-in token that you get from AWS and that authenticates the user to AWS.

  • In this case, the identity broker itself communicates with STS to give the user credentials.

Web Identity Federation

  • With web identity federation, you don't need to create custom sign-in code or manage your own user identities.

    • Instead, users of your app can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP.

  • For most scenarios, AWS recommend that you use Amazon Cognito because it acts as an identity broker and does much of the federation work for you.

Cognito

  • The preferred way to use web identity federation is to use Amazon Cognito.

  • You don't need any long-term AWS credentials and instead, you sign in with a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)-compatible IdP.

PreviousSecurity Token Service (STS)NextDirectory Service

Last updated 4 years ago

Was this helpful?