
Identity federation in AWS

Overview

Identity federation is a system of trust between two parties for the purpose of authenticating users and conveying the information needed to authorize their access to resources. In this system, an identity provider (IdP) is responsible for user authentication, and a service provider (SP), such as a service or an application, controls access to resources. By administrative agreement and configuration, the SP trusts the IdP to authenticate users and relies on the information the IdP provides about them. After authenticating a user, the IdP sends the SP a message, called an assertion, containing the user's sign-in name and other attributes that the SP needs to establish a session with the user and to determine the scope of resource access that the SP should grant. Federation is a common approach to building access control systems in which users are managed in one central IdP and their access to multiple applications and services, each acting as an SP, is governed from there.

AWS offers distinct solutions for federating your employees, contractors, and partners (workforce) to AWS accounts and business applications, and for adding federation support to your customer-facing web and mobile applications. AWS supports commonly used open identity standards, including Security Assertion Markup Language 2.0 (SAML 2.0), OpenID Connect (OIDC), and OAuth 2.0.

Enabling federated AWS access for your workforce

You can use two AWS services to federate your workforce into AWS accounts and business applications: AWS IAM Identity Center (successor to AWS SSO) or AWS Identity and Access Management (IAM). AWS IAM Identity Center is a great choice to help you define federated access permissions for your users based on their group memberships in a single centralized directory. If you use multiple directories, or want to manage the permissions based on user attributes, consider AWS IAM as your design alternative. To learn more about service quotas and other design considerations in AWS IAM Identity Center, see the AWS IAM Identity Center User Guide. For AWS IAM design considerations, see the AWS IAM User Guide.
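The exchange described in the Overview, and the two ways of deriving access scope contrasted in this section (group membership versus user attributes), as an added example that is not part of the original page and is not AWS code. The IdP's signing key, issuer ID, user names and groups are constructed; an HMAC over a JSON payload stands in for the XML signature a real SAML IdP produces and AWS verifies against the registered IdP certificate. What the example shows is the SP-side trust decision: an assertion is acted on only after its issuer is found in the SP's configured trust list, its signature verifies, it is addressed to this SP, and it is inside its validity window; only then do the group and attribute claims decide the session's permission set and session tag.

```python
import hashlib
import hmac
import json
import time

# Constructed values. A real SAML IdP signs XML assertions with its private key
# and AWS verifies them against the certificate registered for that IdP; the
# HMAC secret here only stands in for that key material in a runnable example.
IDP_ISSUER = "https://idp.example.com/saml"   # assumed IdP entity ID
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
SP_AUDIENCE = "urn:amazon:webservices"        # audience AWS expects in SAML assertions

# The SP's trust configuration: which issuers it accepts and the key for each.
TRUSTED_IDPS = {IDP_ISSUER: IDP_SIGNING_KEY}

# Group-based mapping, the model the text associates with IAM Identity Center.
GROUP_TO_PERMISSION_SET = {"aws-admins": "AdministratorAccess",
                           "aws-readonly": "ReadOnlyAccess"}


def _canonical(payload: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_assertion(user, groups, department, now=None, ttl=300):
    """IdP side: after authenticating the user, build and sign an assertion."""
    now = time.time() if now is None else now
    payload = {
        "issuer": IDP_ISSUER,
        "audience": SP_AUDIENCE,
        "subject": user,
        "attributes": {"groups": list(groups), "department": department},
        "not_before": now,
        "not_on_or_after": now + ttl,
    }
    signature = hmac.new(IDP_SIGNING_KEY, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


class AssertionRejected(Exception):
    """Raised by the SP when an assertion fails any trust check."""


def sp_validate_assertion(assertion, trusted_idps=TRUSTED_IDPS, now=None):
    """SP side: accept only an unmodified assertion from a configured IdP,
    addressed to this SP, and inside its validity window."""
    now = time.time() if now is None else now
    payload = assertion["payload"]
    # The issuer claim selects the verification key; the claim itself is
    # covered by the signature, so a forged issuer cannot pass the next check.
    key = trusted_idps.get(payload.get("issuer"))
    if key is None:
        raise AssertionRejected("issuer is not a configured identity provider")
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        raise AssertionRejected("signature does not match assertion contents")
    if payload["audience"] != SP_AUDIENCE:
        raise AssertionRejected("assertion was issued for a different service provider")
    if not (payload["not_before"] <= now < payload["not_on_or_after"]):
        raise AssertionRejected("assertion is outside its validity window")
    return payload["subject"], payload["attributes"]


def sp_establish_session(assertion, now=None):
    """Validate, then derive the session's access scope from the assertion:
    group membership picks a permission set, and a user attribute becomes a
    session tag that attribute-based policies can evaluate (assumed ABAC model)."""
    subject, attributes = sp_validate_assertion(assertion, now=now)
    permission_set = next((GROUP_TO_PERMISSION_SET[g] for g in attributes["groups"]
                           if g in GROUP_TO_PERMISSION_SET), None)
    if permission_set is None:
        raise AssertionRejected("no group in the assertion maps to a permission set")
    return {"subject": subject,
            "permission_set": permission_set,
            "session_tags": {"department": attributes["department"]}}


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed clock value
    a = idp_issue_assertion("alice@example.com", ["aws-readonly"], "finance", now=t0)
    print(sp_establish_session(a, now=t0 + 10))
```

The order of checks matters: the SP reads nothing from the payload as fact until the signature over the whole payload has verified with the key belonging to a configured issuer, and an assertion for another SP or outside its window is rejected even when correctly signed. A change to any claim, for example adding a group, invalidates the signature, which is what makes the IdP's statement about the user trustworthy to the SP.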