Identity federation is a system of trust between two parties for the purpose of authenticating users and conveying information needed to authorize their access to resources. In this system, an identity provider (IdP) is responsible for user authentication, and a service provider (SP), such as a service or an application, controls access to resources. By administrative agreement and configuration, the SP trusts the IdP to authenticate users and relies on the information provided by the IdP about them. After authenticating a user, the IdP sends the SP a message, called an assertion, containing the user's sign-in name and other attributes that the SP needs to establish a session with the user and to determine the scope of resource access that the SP should grant. Federation is a common approach to building access control systems which manage users centrally within a central IdP and govern their access to multiple applications and services acting as SPs.
AWS offers distinct solutions for federating your employees, contractors, and partners (workforce) to AWS accounts and business applications, and for adding federation support to your customer-facing web and mobile applications. AWS supports commonly used open identity standards, including Security Assertion Markup Language 2.0 (SAML 2.0), Open ID Connect (OIDC), and OAuth 2.0.
You can use two AWS services to federate your workforce into AWS accounts and business applications: AWS Single Sign-On (SSO) or AWS Identity and Access Management (IAM). AWS SSO is a great choice to help you define federated access permissions for your users based on their group memberships in a single centralized directory. If you use multiple directories, or want to manage the permissions based on user attributes, consider AWS IAM as your design alternative. To learn more about service quotas and other design considerations in AWS SSO, see the AWS SSO User Guide. For AWS IAM design considerations, see the AWS IAM User Guide.
AWS SSO makes it easy to centrally manage federated access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place. You can use AWS SSO for identities in the AWS SSO’s user directory, your existing corporate directory, or external IdP.
AWS SSO works with an IdP of your choice, such as Okta Universal Directory or Azure Active Directory (AD) via the Security Assertion Markup Language 2.0 (SAML 2.0) protocol. AWS SSO seamlessly leverages IAM permissions and policies for federated users and roles to help you manage federated access centrally across all AWS accounts in your AWS organization. With AWS SSO, you can assign permissions based on the group membership in your IdP’s directory, and then control the access for your users by simply modifying users and groups in the IdP. AWS SSO also supports the System for Cross-domain Identity Management (SCIM) standard for enabling automatic provisioning of users and groups from Azure AD or Okta Universal Directory to AWS. AWS SSO makes it easy for you to implement attribute-based access control (ABAC) by defining fine-grained permissions based on user attributes defined in your SAML 2.0 IdP. AWS SSO allows you to select your ABAC attributes from the user information synchronized from the IdP via SCIM or pass multiple attributes, such as cost center, title, or locale, as a part of a SAML 2.0 assertion. You can define permissions once for your entire AWS organization, and then grant, revoke, or modify AWS access by simply changing the attributes in your IdP. With AWS SSO, you can also assign permissions based on the group membership in your IdP’s directory, and then control the access for your users by simply modifying users and groups in the IdP.
AWS SSO can serve as an IdP to authenticate users to AWS SSO integrated applications and SAML 2.0 compatible cloud-based applications, such as Salesforce, Box, and Microsoft 365, with a directory of your choice. You can also use AWS SSO to authenticate users to the AWS Management Console, AWS Console Mobile Application, and AWS Command Line Interface (CLI). For your identity source, you can choose Microsoft Active Directory or AWS SSO’s user directory.
You can enable federated access to AWS accounts using AWS Identity and Access Management (IAM). The flexibility of the AWS IAM allows you to enable a separate SAML 2.0 or an Open ID Connect (OIDC) IdP for each AWS account and use federated user attributes for access control. With AWS IAM, you can pass user attributes, such as cost center, title, or locale, from your IdPs to AWS, and implement fine-grained access permissions based on these attributes. AWS IAM helps you define permissions once, and then grant, revoke or modify AWS access by simply changing the attributes in the IdP. You can apply the same federated access policy to multiple AWS accounts by implementing reusable custom managed IAM policies.
- Blog post: New for Identity Federation - Use Employee Attributes for Access Control in AWS
- Blog post: How to Implement a General Solution for Federated API/CLI Access Using SAML 2.0
- Blog post: How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS
- Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery
You can add federation support to your customer-facing web and mobile applications using Amazon Cognito. It helps you add user sign-up, sign-in, and access control to your mobile and web apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.