Federating Users

Identity Federation Overview

Identity federation is a system of trust between two parties to authenticate users and convey information needed to authorize access to resources:

• Identity Provider (IdP): Responsible for user authentication

Examples: OpenID Connect (OIDC) IdPs like Login with Amazon, Facebook, Google
SAML IdPs like Shibboleth or Active Directory Federation Services

• Service Provider (SP): Responsible for controlling access to resources

Examples: AWS services, social media platforms, online banks

Through administrative agreement and configuration, the SP trusts the IdP to authenticate users and grants them access to requested resources.

AWS Services Supporting Identity Federation

Core Services

Primary Federation Services

• AWS Identity and Access Management (IAM)

Enables separate SAML 2.0 or OIDC IdP for each AWS account
Uses federated user attributes for access control
Passes user attributes (cost center, title, locale) from IdPs to AWS
Implements fine-grained access permissions based on attributes

• AWS IAM Identity Center (successor to AWS Single Sign-On)

Centrally manages federated access to multiple AWS accounts and business applications
Provides single sign-on access from one place
Works with AWS IAM Identity Center’s user directory, corporate directories, or external IdPs
Integrates with IdPs like Okta Universal Directory or Azure Active Directory via SAML 2.0

• AWS Security Token Service (AWS STS)

Web service providing temporary AWS credentials
Enables IAM users, federated users, or applications to assume IAM roles
Supports cross-account access and federation scenarios

• Amazon Cognito

Adds federation support to customer-facing web and mobile applications
Supports sign-in with social identity providers (Apple, Facebook, Google, Amazon)
Supports enterprise identity providers using SAML 2.0
Scales to millions of users

Workforce Identity Federation

Federation Process

Workforce identity federation allows users with existing corporate authentication to access AWS resources:

User Authentication: User authenticates against local user directory with ID and password
Authentication Presentation: Outside system presents user authentication information to IAM
Credential Generation: IAM returns temporary authentication credentials token via AWS STS
Resource Access: User accesses protected resources using temporary credentials

AWS IAM Identity Center

Key Features

• Unified Administration: Create or connect identities once and manage access centrally across AWS accounts • Fine-Grained Permissions: Define, customize, and assign permissions based on common job functions • User Portal: Provides access to all assigned AWS accounts and cloud applications • Application Integration: Supports commonly used cloud applications like Microsoft 365 and Salesforce • Flexible Configuration: Can run parallel to or replace AWS account access management using IAM

Benefits

Eliminates need for administrators to learn configuration nuances of each cloud application
Provides application integration instructions
Centralized identity and access management across the organization

AWS Security Token Service (AWS STS)

Core Functionality

AWS STS is a web service API that enables temporary, limited-privilege credential requests:

• AssumeRole Operation: Successfully returns temporary credentials for IAM users or federated users • Cross-Account Access: Typically used for accessing resources across AWS accounts • Federation Support: Enables identity federation scenarios • Dynamic Credentials: Credentials last from minutes to several hours and expire automatically

Identity Federation with Identity Broker

Four-Step Process

Step 1: User Sign-In

Users sign in using identity already known by IdP (Amazon.com ID or corporate login)

Step 2: Identity Broker

Identity broker acts as intermediary between IdP and SP, requests temporary credentials from AWS STS

Step 3: Credential Generation

AWS STS generates temporary credentials dynamically (lasting minutes to hours)

Step 4: Credential Distribution

Identity broker passes temporary credentials to application for user access

An Identity Broker is an intermediary proxy service that connects multiple Service Providers with multiple Identity Providers, facilitating communication between external IdPs and AWS services.

Identity Federation Examples

OIDC-Based Federation for AWS Management Console

Detailed process for corporate identity store authentication:

User Access: User accesses application requiring user ID and password
Broker Authentication: Identity broker communicates with corporate identity store (Microsoft Active Directory or LDAP)
STS Request: If authentication successful, broker requests temporary AWS security credentials from AWS STS
Console Access: User receives temporary credentials and redirects to AWS Management Console without separate AWS sign-in

This process implements single sign-on (SSO), allowing users to access AWS services with existing corporate credentials.

SAML-Based Federation

SAML 2.0 implementation for exchanging authentication and authorization data:

Portal Navigation: User navigates to internal portal (functioning as IdP handling SAML trust)
Identity Authentication: IdP authenticates against identity store (LDAP or Microsoft Active Directory)
SAML Assertion: Portal receives authentication response as SAML assertion from IdP
AWS Endpoint: Client posts SAML assertion to AWS sign-in endpoint, which communicates with AWS STS
Console Access: Client receives temporary credentials and redirects to AWS Management Console

Amazon Cognito

Service Overview

Fully managed service providing authentication, authorization, and user management for web and mobile applications:

• Direct Sign-In: Users can sign in with username and password • Third-Party Integration: Supports sign-in through Facebook, Amazon, Google • Federated Identities: Enables sign-in with social identity providers or SAML • Scalability: Handles millions of users

Main Components

User Pools:

User directory in Amazon Cognito
Enables web or mobile app sign-in through Amazon Cognito
Supports federation through third-party IdPs
All members have directory profiles accessible through SDK

Identity Pools:

Enable creation of unique identities and permissions assignment
Provide temporary AWS credentials to access AWS services/resources
Communicate with Cognito user pools and social sign-in providers
Use AWS STS behind the scenes

Application Access Federation

Process for accessing server-side resources:

User Pool Sign-In: Successful authentication receives user pool tokens from Amazon Cognito
Access Control: Use tokens to control access to server-side resources
User Pool Groups: Create groups to manage permissions and represent different user types
OAuth 2.0 Foundation: Create resource servers to enable protected resource access

Amazon Cognito Example Flow

Complete authentication and AWS service access process:

User Authentication: App user signs in through Amazon Cognito user pool
Token Receipt: After successful authentication, user receives user pool tokens
Credential Exchange: App exchanges user pool tokens for AWS credentials through identity pool
Service Access: User uses AWS credentials to access other AWS services

User Pool Features

Let users enter information to create native user profiles
Redirect to third-party IdPs for authorization
Create users from data sources or schemas

Summary

Identity federation provides organizations with flexible, scalable solutions for managing user access across AWS and external systems. From workforce federation using corporate directories to customer-facing applications using social providers, AWS offers comprehensive federation services to meet diverse authentication and authorization requirements while maintaining security and user experience standards.