AWS Identity and Access Management (IAM) supports identity federation for delegated access to the AWS Management Console or AWS APIs. With identity federation, external identities (federated users) are granted secure access to resources in your AWS account without having to create IAM users. These external identities can come from your corporate identity provider (such as Microsoft Active Directory or from the AWS Directory Service) or from a web identity provider, such as Amazon Cognito, Login with Amazon, Facebook, Google or any OpenID Connect (OIDC) compatible provider.
- The Most Viewed AWS Security Blog Posts in 2016
- SAML Identity Federation: Follow-Up Questions, Materials, Guides, and Templates from an AWS re:Invent 2016 Workshop (SEC306)
- In Case You Missed These: AWS Security Blog Posts from June, July, and August
- In Case You Missed These: AWS Security Blog Posts from March and April
Identity federation is enabled by requesting temporary security credentials from the AWS Security Token Service (STS). These credentials can be used to log into the AWS Management Console or to make AWS API requests. Temporary security credentials consist of a short-lived access key ID, a secret access key, and a session token. As with any AWS API request, federated users can sign the requests using the access key ID and secret access key; however, federated users must also pass the session token. There is no limit on the number of temporary security credentials that can be issued. Customers have the choice of using the open standard SAML 2.0 (Security Assertion Markup Language) or directly calling the AWS STS APIs.
Here are a couple of federation use cases:
1. You have corporate users that you would like to grant federated access to the AWS Management Console. You want them to be able to use single sign on (SSO) where they are authenticated using a corporate identity managed by Windows Active Directory. They are then able to access the AWS Management Console without having to supply AWS credentials. If your company has an existing identity management solution that supports SAML 2.0, you can use that identity management software to easily configure federation with AWS. These software providers that have tested their solutions with AWS. If you are using the AWS Directory Service, then you can use the AD Connector which allows you to grant AD users and groups access to AWS resources.
2. You’re an enterprise that wants an application running on all employee laptops to perform daily backups to an employee-specific folder in Amazon S3. You can run a small client application that talks to a “federation proxy” that requests temporary security credentials for each user after establishing their identity by logging into their corporate directory system. These credentials are associated with a set of permissions (for example, write access to a particular Amazon S3 bucket), and expire after a specified time period (for example, 12 hours). These credentials get passed back to the backup application on the employee's laptop, providing secure and direct access to the S3 bucket.
3. You are a mobile application developer who wants the application to access resources in your AWS account. You can use Amazon Cognito, which simplifies the task of authorizing access to resources in your AWS account. The AWS SDK for Android Developer Guide and the AWS SDK for iOS Developer Guide describe how to use Amazon Cognito to uniquely identify a user and to give the user a consistent identity throughout the lifetime of the application. Amazon Cognito is built on top of web identity federation and enables your users to start using the application as a guest user and later sign in using one of the supported web identity providers (Login with Amazon, Facebook, Google, and any OpenID Connect compatible provider).
AWS Management Console Federation Proxy Sample —This C# sample demonstrates how to create a federation proxy that lets existing Windows Active Directory users to Single Sign-On (SSO) to the AWS Management Console.
AWS API Federation Proxy Sample—This C# sample demonstrates how to create a federation proxy that lets you leverage Windows Active Directory to control access to AWS APIs.
Amazon Cognito Sync Demo Sample—This sample mobile application uses the AWS SDK for Android and supports guest users as well as users from Login with Amazon and Facebook. It also demonstrates how to use Amazon Cognito Sync to sync app data for your users across their mobile devices.