- Federation lets user outside of AWS to assume a temporary role for access AWS resources
- These users assume identity provider access role
- SAML 2.0 - Security Assertion Markup Language
- SAML 2.0 allows to indirectly use on-premise identities with AWS (console and CLI)
- SAML 2.0 based identity federation is used when we have and enterprise based identity provider which is SAML 2.0 compatible
- SAML 2.0 based federation is ideal when we have an existing identity management team managing access to other services including AWS
- If we are looking to maintain a single source of truth and/or we have more than 5000 users, SAML 2.0 based federation is recommended to be used
- Federation is using IAM Roles and AWS Temporary Credentials (12 hours validity)
- We need to setup trust between AWS IAM and SAML (both ways)
- SAML 2.0 enabled web based, cross domain SSO
- Uses the STS API:
AssumeRoleWithSAML
- It is the old way of doing federation, recommended way by AWS is to use Amazon Single Sign On (SSO)