IAM Role – Identity Providers and Federation


September 9, 2022, by Evelyn

An identity provider (IdP) lets you grant external user identities permissions to AWS resources without having to create an AWS account for each of them.
External user identities can be authenticated either by your organization's own authentication system or by a well-known third-party identity provider such as Login with Amazon, Google, and others.
Identity providers help keep AWS accounts secure because there is no need to distribute or embed long-term security credentials in the application.
To use an IdP, you create an IAM identity provider entity. This entity establishes a trust relationship between your AWS account and the IdP.
IAM supports IdPs compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0).
Web Identity Federation without Cognito
Mobile and web applications must be registered with the IdP, which gives each application a unique ID or client ID (also known as the audience).
For an OIDC-compatible IdP, create an identity provider entity in IAM.
Create an IAM role and define its trust policy: specify the IdP (for example, Login with Amazon) as the Principal (the trusted entity), with a Condition that matches the IdP-assigned app ID.
Permission policy: specify the permissions that the application is granted when it assumes the role.
The application calls the IdP's sign-in endpoint to log the user in.
The IdP authenticates the user and returns an authentication token (an OAuth access token or an OIDC ID token) with information about that user to the application.
The application then makes an unsigned call to STS with the AssumeRoleWithWebIdentity action to request temporary security credentials.
The application passes the IdP's authentication token together with the Amazon Resource Name (ARN) of the IAM role that was created for that IdP.
AWS verifies that the token is valid and trusted. If so, it returns temporary security credentials (access key, secret access key, and expiry time) to the application, carrying the permissions of the role you requested.
The STS response also includes metadata about the user from the IdP, such as the unique user ID associated with that user.
Application for Temporary Credentials to AWS
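The trust policy and the STS request from the flow above, as an added Python example that is not part of the original post. It builds the trust policy for a role that an OIDC-compatible IdP's users may assume, models the two checks that matter for security (the token comes from the trusted IdP, and its audience is this application's client ID), and assembles the parameters of the unsigned AssumeRoleWithWebIdentity call. The account ID, the IdP hostname `oidc.example.com`, the client ID and the sample token claims are all constructed placeholders.

```python
"""Added example (not from the original post): IAM trust policy for a web
identity role plus a model of the checks STS applies to the IdP token.

All identifiers here are constructed: account ID, IdP host, client ID, claims.
"""

ACCOUNT_ID = "123456789012"                        # placeholder account ID
IDP_HOST = "oidc.example.com"                      # hypothetical OIDC IdP
IDP_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{IDP_HOST}"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/MobileAppRole"
APP_CLIENT_ID = "mobile-app-client-id-EXAMPLE"     # the IdP-assigned app ID (audience)

# Claims from the IdP's ID token after a successful login (constructed sample).
SAMPLE_CLAIMS = {"iss": f"https://{IDP_HOST}", "aud": APP_CLIENT_ID, "sub": "user-1234"}


def build_trust_policy(provider_arn: str, idp_host: str, client_id: str) -> dict:
    """The IdP entity is the trusted Principal. The Condition pins the audience
    to this application's client ID, so a token the same IdP issued to a
    different application cannot be used to assume this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{idp_host}:aud": client_id}},
        }],
    }


def trust_policy_allows(policy: dict, provider_arn: str, idp_host: str, claims: dict) -> bool:
    """Illustrative model of the trust-policy evaluation (not AWS's evaluator).
    The token issuer must be the IdP the provider entity was created for, and
    every StringEquals key of the form "<idp host>:<claim>" must equal that claim."""
    issuer = claims.get("iss", "")
    if issuer.startswith("https://"):
        issuer = issuer[len("https://"):]
    if issuer != idp_host:
        return False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt.get("Principal", {}).get("Federated") != provider_arn:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        # "<idp host>:aud" -> compare the "aud" claim, and so on for each key.
        if all(claims.get(key.split(":", 1)[1]) == value for key, value in conditions.items()):
            return True
    return False   # no matching Allow statement: implicit deny


def build_assume_role_request(role_arn: str, id_token: str, session_name: str,
                              duration_seconds: int = 3600) -> dict:
    """Parameters of the unsigned STS AssumeRoleWithWebIdentity call; with boto3
    this is boto3.client("sts").assume_role_with_web_identity(**params).
    No AWS credentials are needed for the call: the IdP token is the credential."""
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200 seconds")
    return {"RoleArn": role_arn, "RoleSessionName": session_name,
            "WebIdentityToken": id_token, "DurationSeconds": duration_seconds}


if __name__ == "__main__":
    policy = build_trust_policy(IDP_PROVIDER_ARN, IDP_HOST, APP_CLIENT_ID)
    print("same app token allowed:", trust_policy_allows(policy, IDP_PROVIDER_ARN, IDP_HOST, SAMPLE_CLAIMS))
    other_app = dict(SAMPLE_CLAIMS, aud="some-other-client-id")
    print("other app token allowed:", trust_policy_allows(policy, IDP_PROVIDER_ARN, IDP_HOST, other_app))
    print(build_assume_role_request(ROLE_ARN, "eyJ-constructed-id-token", SAMPLE_CLAIMS["sub"]))
```

The audience condition is the part most often left out in practice: without it, any application that the same IdP has issued tokens to could assume the role. The model here only covers StringEquals conditions on token claims, which is what the trust policy in the flow above needs.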
The user ID returned by the identity provider can be used to distinguish users within the app. Objects can be placed into S3 folders whose key prefix includes the user ID, and an access control policy can lock each folder so that only the user with that ID can access it.
The application can cache the temporary security credentials and refresh them before they expire. By default, temporary credentials are valid for one hour.
Walking through the flow on an interactive demo website is a good way to understand it.
Mobile or Web Identity Federation using Cognito
Amazon Cognito is recommended for nearly all web identity federation scenarios.
Cognito is simple to use and offers additional capabilities such as anonymous (unauthenticated) access.
Cognito supports anonymous users and MFA, and also helps synchronize user data across devices and providers.
SAML 2.0-based Federation
AWS supports identity federation using SAML 2.0 (Security Assertion Markup Language 2.0), an open standard that many identity providers (IdPs) use.
SAML 2.0-based federation enables federated single sign-on (SSO), so users can log in to the AWS Management Console and call the AWS APIs without an IAM user being created for everyone.
SAML simplifies configuring AWS federation by using the IdP's service instead of writing custom identity proxy code.
This is useful for organizations that have integrated their identity system (such as Windows Active Directory or OpenLDAP) with software that can produce SAML assertions carrying user identity information (such as Active Directory Federation Services or Shibboleth).
Use the IdP's SAML metadata document to create a SAML provider entity within AWS.
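The metadata step above, as an added Python example that is not part of the original post. It parses a constructed SAML 2.0 metadata document with the standard library, extracts the pieces the SAML provider entity depends on (the IdP's entityID, its SSO endpoints, and the signing certificate AWS will use to validate assertions), flags metadata that would not work for federation, and builds the trust policy for a role that the SAML provider's users may assume with AssumeRoleWithSAML. The IdP hostname `idp.example.org`, the account ID and the certificate contents are placeholders.

```python
"""Added example (not from the original post): parse an IdP's SAML metadata,
check it has what IAM needs, and build the SAML role trust policy.

The metadata document, IdP host, account ID and certificate text are constructed.
"""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"   # audience AWS expects in assertions

# Constructed metadata as an IdP would publish it (certificate body is a placeholder).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...BASE64</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.org/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoints by binding, and the signing certificates.
    Metadata should come from your own IdP over a trusted channel; for XML from
    untrusted sources prefer a hardened parser such as defusedxml."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.iter(f"{MD}KeyDescriptor"):
        # A KeyDescriptor without "use" serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.iter(f"{DS}X509Certificate"):
                if cert.text and cert.text.strip():
                    certs.append("".join(cert.text.split()))
    endpoints = {sso.get("Binding"): sso.get("Location")
                 for sso in root.iter(f"{MD}SingleSignOnService")}
    return {"entity_id": root.get("entityID"),
            "sso_endpoints": endpoints,
            "signing_certificates": certs}


def validate_for_iam(info: dict) -> list:
    """Problems that would make the document unusable as an IAM SAML provider."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["signing_certificates"]:
        problems.append("no signing certificate: AWS cannot validate assertions")
    if not any(loc.startswith("https://") for loc in info["sso_endpoints"].values()):
        problems.append("no HTTPS SingleSignOnService endpoint")
    return problems


def build_saml_trust_policy(saml_provider_arn: str) -> dict:
    """Trust policy for a role federated users assume via AssumeRoleWithSAML.
    The SAML:aud condition ensures the assertion was issued for AWS sign-in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"], "| problems:", validate_for_iam(info) or "none")
    # Placeholder provider ARN: the name is whatever you gave the provider entity in IAM.
    print(build_saml_trust_policy("arn:aws:iam::123456789012:saml-provider/ExampleIdP"))
```

When the IdP rotates its signing certificate, the provider entity in IAM must be updated with the new metadata, or assertions signed by the new key will be rejected; the `signing_certificates` list returned here is the value to compare against what IAM currently holds.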