Identity Federation and SSO Flashcards
What is Identity Federation, and what are the 3 types?
o Identity Federation (IDF) is an architecture in which identities from an external identity provider (IDP) are recognised and trusted by a system that did not create them. Single sign-on (SSO) is where the credentials of such an external identity are used to grant access to a local system (e.g. AWS) without a separate local login
o Types of IDF include:
Cross-account roles: a principal in another AWS account is allowed to assume a role in your account (sts:AssumeRole) and so access your account’s resources; the remote account is effectively the IDP
SAML 2.0 IDF: an on-premises or AWS-hosted SAML IDP (e.g. AD FS in front of Active Directory) is registered in IAM, and the SAML assertion it issues is exchanged for temporary credentials (sts:AssumeRoleWithSAML), letting Active Directory users log in to the AWS console or CLI
Web Identity Federation: users authenticated by IDPs such as Google, Amazon and Facebook present the resulting OIDC token and assume a role in your account (sts:AssumeRoleWithWebIdentity)
o Cognito and the Security Token Service (STS) are used for IDF. A federated identity is authenticated by the external IDP; by presenting proof of that authentication (a token or SAML assertion) to STS, it swaps the external identity for temporary AWS credentials by assuming an IAM role whose trust policy names that IDP. The trust policy, not the IDP, is what limits who may assume the role, so its Principal and Condition elements are the security boundary
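As an added example (not part of the original flashcards or of any AWS SDK), the three federation types above written out as IAM role trust policies, followed by a small evaluator that mirrors the check STS makes before issuing temporary credentials: the calling principal must match the statement's Principal, the STS action must match, and every StringEquals condition must hold against the request context. The account IDs, the SAML provider name "CorpADFS", the Google client ID and the external ID "ext-4711" are made-up placeholders; the SAML audience value is the real one AWS expects.

```python
"""Added example: federation trust policies and a minimal STS-style evaluator.
Account IDs, SAML provider name, Google client ID and external ID are assumed."""
import json

ACCOUNT = "111111111111"            # assumed: the account that owns the roles
PARTNER_ACCOUNT = "222222222222"    # assumed: the remote account (cross-account case)
SAML_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/CorpADFS"  # assumed name
GOOGLE_CLIENT_ID = "123456789012-example.apps.googleusercontent.com"   # assumed value
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS expects in SAML:aud


def cross_account_trust(remote_account, external_id):
    """Cross-account role: any IAM principal in remote_account may call
    sts:AssumeRole, but only if it passes the agreed ExternalId (the standard
    mitigation for the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{remote_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def saml_trust(saml_provider_arn):
    """SAML 2.0 federation: assertions from the IdP registered in IAM are
    exchanged via sts:AssumeRoleWithSAML; SAML:aud pins the assertion's
    audience to the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def web_identity_trust(client_id):
    """Web identity federation with Google: an OIDC id_token minted for this
    client ID is exchanged via sts:AssumeRoleWithWebIdentity; without the aud
    condition a Google token issued to any other app would also be accepted."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "accounts.google.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {"accounts.google.com:aud": client_id}},
        }],
    }


def _account_of(arn):
    return arn.split(":")[4]


def _principal_matches(trusted, caller_type, caller_id):
    allowed = trusted.get(caller_type)
    if allowed is None:
        return False
    for entry in ([allowed] if isinstance(allowed, str) else allowed):
        if entry == caller_id:
            return True
        # arn:aws:iam::ACCT:root in a trust policy means "any IAM principal in ACCT"
        if caller_type == "AWS" and entry.endswith(":root") \
                and _account_of(entry) == _account_of(caller_id):
            return True
    return False


def _conditions_hold(conditions, context):
    # Only StringEquals is modelled; a key absent from the request context fails.
    for key, expected in conditions.get("StringEquals", {}).items():
        expected_values = [expected] if isinstance(expected, str) else expected
        if context.get(key) not in expected_values:
            return False
    return True


def may_assume(trust_policy, caller_type, caller_id, action, context=None):
    """True if some Allow statement names the caller and the STS action and its
    conditions hold for the request context.  Explicit Deny is not modelled."""
    context = context or {}
    for stmt in trust_policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        if (stmt["Effect"] == "Allow" and action in actions
                and _principal_matches(stmt["Principal"], caller_type, caller_id)
                and _conditions_hold(stmt.get("Condition", {}), context)):
            return True
    return False


if __name__ == "__main__":
    policy = cross_account_trust(PARTNER_ACCOUNT, "ext-4711")
    print(json.dumps(policy, indent=2))
    deployer = f"arn:aws:iam::{PARTNER_ACCOUNT}:role/Deployer"
    print(may_assume(policy, "AWS", deployer, "sts:AssumeRole", {"sts:ExternalId": "ext-4711"}))
    print(may_assume(policy, "AWS", deployer, "sts:AssumeRole"))  # no external ID: refused
```

The evaluator is deliberately a subset of IAM policy evaluation (Allow statements and StringEquals only), enough to show why each federation type carries a different condition key: sts:ExternalId for cross-account roles, SAML:aud for SAML assertions and accounts.google.com:aud for Google tokens. Dropping any of those conditions widens who can obtain the temporary credentials.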
When should you use Identity Federation?
o Enterprise access to AWS resources:
Users / staff have an existing pool of identities
You need those identities to be used across all enterprise systems, including AWS
Access to AWS resources using SSO
Potentially tens or hundreds of thousands of users – more than IAM can handle (IAM users are a per-account quota of 5,000)
An identity team within your business already manages those identities, so they should not be duplicated in IAM
o Mobile and Web Applications
Mobile or web apps requiring access to AWS resources
Need a certain level of guest (unauthenticated) access, and extra permissions once logged in
Customers have other identities (Google, Twitter, Facebook, etc.) and need to use those
You don’t want credentials stored within the application
Millions or more users – well beyond IAM capabilities
Customers might have multiple third-party logins, but they represent one real person (Cognito identity pools can link them to a single identity)
o Centralised Identity Management (AWS Accounts)
Tens or hundreds of AWS accounts in an organisation
Need central storage of IDs – either IAM users in a dedicated identity account or an external provider
Role switching is used from the identity account into member accounts, so the member accounts hold roles but no long-lived user credentials