Identity Federation: SAML, OIDC, Cognito & IAM Identity Center
Difficulty: hard
Overview
AWS supports multiple identity federation methods for enterprise and web/mobile use cases.
SAML 2.0 Federation (Enterprise):
- AD/LDAP users authenticate to IdP (ADFS, Okta, Ping) → SAML assertion
- SAML assertion sent to AWS STS: AssumeRoleWithSAML → temporary credentials
- Console SSO: SAML assertion → AWS sign-in endpoint → console redirect
- Session duration: 1 hour default; up to 12 hours only if the role's MaxSessionDuration has been raised (the requested DurationSeconds, or the SessionDuration attribute in the assertion for console sign-in, cannot exceed it)
- Trust: the IAM role's trust policy names the IAM SAML provider ARN as a Federated principal, allows sts:AssumeRoleWithSAML, and should condition on SAML:aud = https://signin.aws.amazon.com/saml; the IdP must send the provider-ARN,role-ARN pair in the Role attribute of the assertion
OIDC / Web Identity Federation:
- Used for mobile/web apps with social providers (Google, Amazon, Facebook, Cognito)
- App authenticates with IdP → receives ID/access token
- Exchange token with STS
- Exchange token with STS AssumeRoleWithWebIdentity → AWS temporary credentials
- Trust policy condition: accounts.google.com:aud = your app's OAuth client ID (so an ID token Google issued to some other application cannot assume the role), optionally plus accounts.google.com:sub to pin a specific Google user ID; in the permissions policy the ${accounts.google.com:sub} variable scopes each user to their own S3 prefix or DynamoDB keys
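The two trust policies described in the SAML and OIDC sections above, with a small evaluator that shows what the aud and sub conditions actually reject. This is an added example, not code from the original notes or from AWS: the policy documents use the real IAM shape (Federated principal, sts:AssumeRoleWith* action, StringEquals conditions), but the account ID, SAML provider name and Google client ID are placeholders, and is_assumption_allowed() models only the StringEquals operator, not the full IAM evaluation engine.

```python
"""Added example (not from the original notes): a small model of how the IAM
role trust policy gates AssumeRoleWithSAML and AssumeRoleWithWebIdentity.
Placeholders: ACCOUNT_ID, the SAML provider name, GOOGLE_CLIENT_ID.
"""
import copy

ACCOUNT_ID = "123456789012"                                         # placeholder
SAML_PROVIDER_ARN = "arn:aws:iam::%s:saml-provider/CorpADFS" % ACCOUNT_ID
GOOGLE_CLIENT_ID = "1234567890-abcdef.apps.googleusercontent.com"   # placeholder
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"           # fixed AWS value

SAML_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAML_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
    }],
}

GOOGLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        # aud pins the role to tokens minted for *your* OAuth client; without it
        # any Google-issued ID token (any app, any user) could assume the role.
        "Condition": {"StringEquals": {"accounts.google.com:aud": GOOGLE_CLIENT_ID}},
    }],
}


def restrict_to_subject(policy, subject):
    """Copy of a Google trust policy that additionally pins one Google user ID (sub)."""
    pinned = copy.deepcopy(policy)
    for stmt in pinned["Statement"]:
        cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
        cond["accounts.google.com:sub"] = subject
    return pinned


def google_token_to_condition_keys(id_token_claims):
    """Map the claims STS reads from a Google ID token onto IAM condition keys."""
    return {
        "accounts.google.com:aud": id_token_claims.get("aud"),
        "accounts.google.com:sub": id_token_claims.get("sub"),
    }


def saml_assertion_to_condition_keys(audience, name_id):
    """Map the Audience and NameID of a SAML assertion onto IAM condition keys."""
    return {"SAML:aud": audience, "SAML:sub": name_id}


def _string_equals(conditions, keys):
    """Every StringEquals key must be present and match; a missing key fails closed."""
    for key, wanted in conditions.get("StringEquals", {}).items():
        allowed = wanted if isinstance(wanted, list) else [wanted]
        if keys.get(key) not in allowed:
            return False
    return True


def is_assumption_allowed(trust_policy, action, federated_principal, keys):
    """True if some Allow statement matches the caller's action, principal and condition keys."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if stmt.get("Principal", {}).get("Federated") != federated_principal:
            continue
        if not _string_equals(stmt.get("Condition", {}), keys):
            continue
        return True
    return False


def demo():
    """Constructed scenarios (no real tokens); returns name -> allowed?."""
    web, saml = "sts:AssumeRoleWithWebIdentity", "sts:AssumeRoleWithSAML"
    ours = {"iss": "accounts.google.com", "aud": GOOGLE_CLIENT_ID, "sub": "1098765"}
    other_app = dict(ours, aud="999-other.apps.googleusercontent.com")
    other_user = dict(ours, sub="5550001")
    only_alice = restrict_to_subject(GOOGLE_TRUST_POLICY, "1098765")
    g = "accounts.google.com"
    return {
        "google_our_app": is_assumption_allowed(GOOGLE_TRUST_POLICY, web, g, google_token_to_condition_keys(ours)),
        "google_other_app": is_assumption_allowed(GOOGLE_TRUST_POLICY, web, g, google_token_to_condition_keys(other_app)),
        "google_other_user_pinned": is_assumption_allowed(only_alice, web, g, google_token_to_condition_keys(other_user)),
        "google_wrong_action": is_assumption_allowed(GOOGLE_TRUST_POLICY, saml, g, google_token_to_condition_keys(ours)),
        "saml_aws_audience": is_assumption_allowed(SAML_TRUST_POLICY, saml, SAML_PROVIDER_ARN,
                                                   saml_assertion_to_condition_keys(AWS_SAML_AUDIENCE, "alice@corp.example")),
        "saml_other_audience": is_assumption_allowed(SAML_TRUST_POLICY, saml, SAML_PROVIDER_ARN,
                                                     saml_assertion_to_condition_keys("https://other-sp.example/saml", "alice@corp.example")),
        "saml_unknown_provider": is_assumption_allowed(SAML_TRUST_POLICY, saml, "arn:aws:iam::%s:saml-provider/Rogue" % ACCOUNT_ID,
                                                       saml_assertion_to_condition_keys(AWS_SAML_AUDIENCE, "alice@corp.example")),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-26s %s" % (name, "ALLOW" if allowed else "DENY"))
```

The point to take from the scenarios: the Federated principal only says which IdP's signature STS will accept; it is the aud condition that ties the role to your application, and the sub condition (or the ${accounts.google.com:sub} policy variable) that separates one user's data from another's.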
Amazon Cognito:
| Component | Purpose | Output |
|---|---|---|
| User Pool | Auth directory: sign-up, sign-in, MFA | JWTs (ID, Access, Refresh) |
| Identity Pool | AWS credential vending for authenticated identities (User Pool, social or SAML/OIDC IdPs) and, if enabled, unauthenticated guests | Temporary AWS credentials via STS, from the authenticated or unauthenticated role (or a role chosen by rules on token claims) |
Combined flow:
- User authenticates with User Pool → receives JWT
- Exchange the ID token with the Identity Pool → Identity Pool maps it to an identity and a role → STS credentials (enhanced flow: GetId + GetCredentialsForIdentity, with the pool calling STS for you; classic flow: GetOpenIdToken, then the app calls AssumeRoleWithWebIdentity itself)
- App accesses AWS services directly (S3, DynamoDB) with temp credentials
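What "receives JWT" and "exchange JWT" rest on is that whoever consumes a User Pool token (API Gateway's Cognito authorizer, an Identity Pool, or your own backend) verifies it before acting on it. The following is an added example, not code from the original notes or from AWS, showing those checks. Cognito signs tokens with RS256 and publishes the public keys at <issuer>/.well-known/jwks.json; so that the example runs offline with only the standard library, the signature step here uses HMAC-SHA256 under a local secret (a substitution made for the demo), while the claim checks after it (issuer, token_use, audience/client_id, expiry) are the ones you apply after a real RS256/JWKS check. Region, pool ID and app client ID are placeholders.

```python
"""Added example (not from the original notes): validating a Cognito User Pool JWT.
HS256 with DEMO_SECRET stands in for Cognito's RS256 + JWKS; the claim checks
are the real ones. REGION, USER_POOL_ID and APP_CLIENT_ID are placeholders.
"""
import base64
import hashlib
import hmac
import json

REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE1"        # placeholder
APP_CLIENT_ID = "1example23456789abcdef"    # placeholder
ISSUER = "https://cognito-idp.%s.amazonaws.com/%s" % (REGION, USER_POOL_ID)
DEMO_SECRET = b"offline-demo-only"          # stands in for the pool's RSA signing key


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims):
    """Produce a JWT with the same header.payload.signature layout Cognito emits."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "demo-key"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_cognito_token(token, expected_use, now):
    """Return the claims if the token is valid for this pool, client and use; else raise ValueError.

    expected_use is "id" (audience in 'aud') or "access" (audience in 'client_id').
    now is epoch seconds, passed in so the checks are deterministic.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # 1. Signature first: never act on claims of a token you have not authenticated.
    expected_sig = hmac.new(DEMO_SECRET, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 2. Issuer must be exactly this user pool; another pool in the same region is a different issuer.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # 3. token_use: an access token is not an ID token and vice versa.
    if claims.get("token_use") != expected_use:
        raise ValueError("wrong token_use")
    # 4. Audience: ID tokens carry the app client ID in 'aud', access tokens in 'client_id'.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != APP_CLIENT_ID:
        raise ValueError("issued for a different app client")
    # 5. Expiry. Refresh tokens are never presented to an API, so they are not handled here.
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("expired")
    return claims


def outcome(token, expected_use, now):
    """'ok' or the rejection reason."""
    try:
        verify_cognito_token(token, expected_use, now)
        return "ok"
    except ValueError as err:
        return str(err)


def demo(now=1700000000):
    """Constructed tokens (not real Cognito output) covering the accept case and common rejections."""
    base = {"iss": ISSUER, "sub": "6f1c2d3e-demo-user", "exp": now + 3600}
    good_id = mint_demo_token(dict(base, token_use="id", aud=APP_CLIENT_ID, email="alice@example.com"))
    good_access = mint_demo_token(dict(base, token_use="access", client_id=APP_CLIENT_ID, scope="openid"))
    other_client = mint_demo_token(dict(base, token_use="id", aud="0other99client"))
    other_pool = mint_demo_token(dict(base, token_use="id", aud=APP_CLIENT_ID, iss=ISSUER.replace("EXAMPLE1", "ATTACKER")))
    expired = mint_demo_token(dict(base, token_use="id", aud=APP_CLIENT_ID, exp=now - 1))
    tampered = good_id.rsplit(".", 1)[0] + "." + _b64url(b"\x00" * 32)
    return {
        "id_token": outcome(good_id, "id", now),
        "access_token": outcome(good_access, "access", now),
        "access_where_id_expected": outcome(good_access, "id", now),
        "other_app_client": outcome(other_client, "id", now),
        "other_user_pool": outcome(other_pool, "id", now),
        "expired": outcome(expired, "id", now),
        "tampered_signature": outcome(tampered, "id", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-26s %s" % (name, result))
```

The order matters: verify the signature before reading any claim, then pin the issuer and audience, because a token that is validly signed by Cognito for a different pool or a different app client in the same pool is still not a token for you.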
AWS IAM Identity Center (formerly SSO):
- Centralized SSO for AWS accounts (via Organizations) and business apps (Salesforce, Slack)
- Connect to an external IdP (Okta, Azure AD / Microsoft Entra ID) via SAML 2.0 for sign-in and SCIM for automatic user and group provisioning; or use the built-in identity store or AWS Managed Microsoft AD
- Permission Sets: define AWS permissions assigned to users/groups per account
- Integrated with AWS Organizations: all member accounts are visible, and assigning a permission set to a user or group for an account creates the corresponding IAM role in that account, so new accounts need no per-account SAML provider or role setup
- Replaces manual SAML federation per account
STS Key APIs:
| API | Use Case |
|---|---|
| AssumeRole | Cross-account/service role assumption |
| AssumeRoleWithSAML | Enterprise SAML federation |
| AssumeRoleWithWebIdentity | OIDC/social provider federation |
| GetSessionToken | IAM user obtains temporary credentials, optionally MFA-bound (SerialNumber + TokenCode), for API calls that require MFA; not callable with role credentials |
| GetFederationToken | Legacy identity-broker pattern: an IAM user with long-term keys vends scoped-down credentials (policy in the call) for others; sessions up to 36 hours |
Practice Linked Questions
Q1. A company uses Microsoft Active Directory and wants AD users to access the AWS Management Console using Single Sign-On without creating IAM users in AWS. Which federation approach is MOST appropriate?
Q2. What does Amazon Cognito User Pool provide?
Q3. A company wants to provide SSO access for employees to 20+ AWS accounts and business applications (Salesforce, Slack, Jira) using their existing Okta identity provider. Which AWS service is MOST appropriate?
Q4. A mobile application allows users to log in with Google. After Google authentication, the app needs to access Amazon DynamoDB tables directly from the device. Which approach correctly enables this with temporary AWS credentials?
Q5. A developer calls sts:AssumeRoleWithWebIdentity to get AWS credentials using a Google ID token. Which condition in the IAM role's trust policy ensures ONLY legitimate users of YOUR specific Google application (not any Google user) can assume the role?
Q6. A company's SAML-federated developers assume an IAM role with an 8-hour session. A security incident requires immediately revoking ALL active sessions for this role. What is the CORRECT approach?
Q7. An API Gateway REST API uses a Cognito User Pool Authorizer. A mobile app user authenticates with Cognito, receives JWTs, and calls the API. What does API Gateway validate in this flow?