What is Identity Federation?
Identity federation is a system of trust between two parties for the purpose of authenticating users and authorising resource access. The identity provider (IdP) handles authentication, and the service provider (SP) handles authorisation and resource access.
After the IdP has authenticated the user, it sends an assertion containing the user's sign-in name and other attributes, which the SP uses to determine what resources can be accessed.
There are two possible solutions: one using AWS Single Sign-On (SSO) and the other using AWS IAM.
Use AWS SSO as this involves less setup work, unless you have multiple identity providers or want to make authorisation decisions based on user attributes, in which case use IAM.
- a single identity provider governs access to multiple service providers across multiple cloud and on-premises systems
- use when there are more than 5000 users
- can implement a one-way trust to allow on-premises users to access cloud resources
- can implement a two-way trust to also allow cloud applications to access on-premises resources
- SAML 2.0 (Security Assertion Markup Language) is an open standard
- lets on-premises identities be used indirectly with AWS
- tokens are known as SAML assertions
- the application calls AssumeRole and exchanges the token for temporary AWS credentials
- the credentials have a 12-hour validity
How An On-Premises Client Acquires Credentials to Access AWS Resources
- the user in the enterprise domain browses to the IdP portal
- the user is presented with a role and confirms it
- the SAML assertion is returned to the client
- the client sends the assertion to the SAML/SSO endpoint
- the endpoint calls STS to generate credentials and returns these to the client
- the client uses the credentials to access the service
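As an added example (not part of these notes, and not AWS's own code), the Python below does the SP-side work of the last four steps: it parses a SAML assertion, checks the conditions an endpoint should verify before exchanging it (trusted issuer, AWS audience, validity window, required AWS attributes), lists the roles the user can confirm, and builds the request for STS. The assertion, the account id 123456789012, the role names and the IdP URL are all constructed placeholders; the sample is unsigned, so a real STS call with it would be rejected, because STS checks the XML signature against the IdP metadata registered on the IAM SAML provider. `exchange_for_credentials` takes any object with boto3's `assume_role_with_saml` method (the SAML-specific form of the AssumeRole call mentioned above), so it can be run against a real `boto3.client("sts")` or a stub.

```python
import base64
import xml.etree.ElementTree as ET  # fine for the constructed sample; parse untrusted XML with defusedxml
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
MAX_DURATION = 12 * 3600  # 12-hour ceiling on SAML-federated sessions; the role's MaxSessionDuration may be lower
TRUSTED_ISSUER = "https://idp.example.com/saml"  # placeholder IdP entity id

# Constructed, unsigned sample assertion with placeholder ARNs (account 123456789012).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>43200</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Pull issuer, subject, validity window, audiences and attributes out of the assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
        "not_before": saml_time(cond.get("NotBefore")),
        "not_on_or_after": saml_time(cond.get("NotOnOrAfter")),
        "audiences": [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)],
        "attributes": attrs,
    }


def check_conditions(assertion, now, expected_issuer, expected_audience=AWS_AUDIENCE):
    """Local checks before calling STS. Signature verification is deliberately not
    done here: STS validates the signature against the registered IdP metadata."""
    problems = []
    if assertion["issuer"] != expected_issuer:
        problems.append("issuer %r is not the trusted IdP" % assertion["issuer"])
    if expected_audience not in assertion["audiences"]:
        problems.append("assertion was not issued for audience %s" % expected_audience)
    if now < assertion["not_before"]:
        problems.append("assertion not yet valid")
    if now >= assertion["not_on_or_after"]:
        problems.append("assertion expired")
    if ROLE_ATTR not in assertion["attributes"]:
        problems.append("no Role attribute, nothing to assume")
    if SESSION_NAME_ATTR not in assertion["attributes"]:
        problems.append("no RoleSessionName attribute; STS derives the session name from it")
    return problems


def available_roles(assertion):
    """Each Role value is 'role-arn,provider-arn'; return (role, provider) pairs for the user to confirm."""
    pairs = []
    for value in assertion["attributes"].get(ROLE_ATTR, []):
        role_arn, provider_arn = (part.strip() for part in value.split(","))
        pairs.append((role_arn, provider_arn))
    return pairs


def build_sts_request(xml_text, chosen_role_arn, now, expected_issuer=TRUSTED_ISSUER):
    """Validate the assertion and assemble the AssumeRoleWithSAML parameters for the confirmed role."""
    assertion = parse_assertion(xml_text)
    problems = check_conditions(assertion, now, expected_issuer)
    if problems:
        raise ValueError("; ".join(problems))
    roles = dict(available_roles(assertion))
    if chosen_role_arn not in roles:
        raise ValueError("role %s is not offered by the assertion" % chosen_role_arn)
    duration = int(assertion["attributes"].get(DURATION_ATTR, ["3600"])[0])
    return {
        "RoleArn": chosen_role_arn,
        "PrincipalArn": roles[chosen_role_arn],
        "SAMLAssertion": base64.b64encode(xml_text.encode()).decode(),  # STS wants it base64-encoded
        "DurationSeconds": min(duration, MAX_DURATION),
    }


def exchange_for_credentials(sts_client, request):
    """The endpoint's STS call: boto3's sts.assume_role_with_saml takes exactly these keywords and
    returns the temporary AccessKeyId / SecretAccessKey / SessionToken the client then uses."""
    return sts_client.assume_role_with_saml(**request)["Credentials"]


if __name__ == "__main__":
    # Offline walk-through with a clock inside the sample's validity window (no STS call made).
    now = saml_time("2024-01-01T10:02:00Z")
    for role_arn, provider_arn in available_roles(parse_assertion(SAMPLE_ASSERTION)):
        print("offered role:", role_arn, "via", provider_arn)
    request = build_sts_request(SAMPLE_ASSERTION, "arn:aws:iam::123456789012:role/ReadOnly", now)
    print({k: v for k, v in request.items() if k != "SAMLAssertion"})
```

To run the real exchange, pass `boto3.client("sts")` as `sts_client` with a signed assertion from your IdP; AssumeRoleWithSAML needs no AWS credentials of its own, which is what lets an on-premises client bootstrap from nothing but the assertion.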