Identity federation in AWS
Overview
Enabling federated AWS access for your workforce
Using federation to enable single sign-on to your AWS accounts
AWS IAM Identity Center makes it easy to centrally manage federated access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place. You can use AWS IAM Identity Center for identities in the AWS IAM Identity Center’s user directory, your existing corporate directory, or external IdP.
AWS IAM Identity Center works with an IdP of your choice, such as Okta Universal Directory or Azure Active Directory (AD) via the Security Assertion Markup Language 2.0 (SAML 2.0) protocol. AWS IAM Identity Center seamlessly leverages IAM permissions and policies for federated users and roles to help you manage federated access centrally across all AWS accounts in your AWS organization. With AWS IAM Identity Center, you can assign permissions based on the group membership in your IdP’s directory, and then control the access for your users by simply modifying users and groups in the IdP. AWS IAM Identity Center also supports the System for Cross-domain Identity Management (SCIM) standard for enabling automatic provisioning of users and groups from Azure AD or Okta Universal Directory to AWS. AWS IAM Identity Center makes it easy for you to implement attribute-based access control (ABAC) by defining fine-grained permissions based on user attributes defined in your SAML 2.0 IdP. AWS IAM Identity Center allows you to select your ABAC attributes from the user information synchronized from the IdP via SCIM or pass multiple attributes, such as cost center, title, or locale, as a part of a SAML 2.0 assertion. You can define permissions once for your entire AWS organization, and then grant, revoke, or modify AWS access by simply changing the attributes in your IdP. With AWS IAM Identity Center, you can also assign permissions based on the group membership in your IdP’s directory, and then control the access for your users by simply modifying users and groups in the IdP.
AWS IAM Identity Center can serve as an IdP to authenticate users to AWS IAM Identity Center integrated applications and SAML 2.0 compatible cloud-based applications, such as Salesforce, Box, and Microsoft 365, with a directory of your choice. You can also use AWS IAM Identity Center to authenticate users to the AWS Management Console, AWS Console Mobile Application, and AWS Command Line Interface (CLI). For your identity source, you can choose Microsoft Active Directory or AWS IAM Identity Center’s user directory.
To learn more, see the AWS IAM Identity Center User Guide, visit AWS IAM Identity Center Getting Started, and explore the following additional resources:
Using AWS IAM to manage federated fine-grained access to AWS accounts
You can enable federated access to AWS accounts using AWS Identity and Access Management (IAM). The flexibility of the AWS IAM allows you to enable a separate SAML 2.0 or an Open ID Connect (OIDC) IdP for each AWS account and use federated user attributes for access control. With AWS IAM, you can pass user attributes, such as cost center, title, or locale, from your IdPs to AWS, and implement fine-grained access permissions based on these attributes. AWS IAM helps you define permissions once, and then grant, revoke or modify AWS access by simply changing the attributes in the IdP. You can apply the same federated access policy to multiple AWS accounts by implementing reusable custom managed IAM policies.
To learn more, see IAM Identity Providers and Federation, visit IAM Getting Started, and explore additional resources:
Blog post: New for Identity Federation - Use Employee Attributes for Access Control in AWS
Blog post: How to Implement a General Solution for Federated API/CLI Access Using SAML 2.0
Blog post: How to Implement Federated API and CLI Access Using SAML 2.0 and AD FS
Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery
Enabling federated access to your customer-facing web and mobile apps
You can add federation support to your customer-facing web and mobile applications using Amazon Cognito. It helps you add user sign-up, sign-in, and access control to your mobile and web apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.
To learn more, see the Amazon Cognito Developer Guide , visit Amazon Cognito Getting Started, and explore additional resources: