Identity Federation and AWS Services

Overview of Identity Federation

  • Identity federation is a trust-based system between two parties for user authentication and resource access authorization.
  • It involves:
    • Identity Provider (IDP): Authenticates users.
    • Service Provider (SP): Controls access to resources.
  • Allows using one set of credentials across multiple systems (e.g., signing in to a website with a Google ID).
  • Common federation standards:
    • OpenID Connect (OIDC)
    • Security Assertion Markup Language (SAML)

AWS Services Supporting Federation

  • AWS Identity and Access Management (IAM) and AWS IAM Identity Center: Used for federating into AWS accounts and business applications.
  • AWS Security Token Service (STS): Provides temporary AWS credentials for users or applications to assume IAM roles.
  • Amazon Cognito: Supports sign-up, sign-in, and access control for mobile and web apps.

Workforce Federation Flow

  1. User authenticates with ID and password against a local user directory in the external system.
  2. The external system presents authentication information to IAM.
  3. IAM returns a token with temporary credentials using AWS STS.
  4. The user can then access resources using the temporary credentials.

IAM Identity Center

  • Successor to AWS Single Sign-On.
  • Allows creating or connecting identities and managing them centrally across AWS accounts.
  • Provides a unified administration experience.
  • Offers a user portal for accessing assigned AWS accounts or cloud applications.

AWS STS

  • A behind-the-scenes service for requesting temporary, limited-privilege credentials.
  • The AssumeRole operation of the AWS STS API returns temporary credentials.
  • Typically used for cross-account access or federation.

Federation Process Example: Accessing AWS Management Console with OIDC

  1. User accesses an application and enters ID and password.
  2. User signs in with credentials known to their IDP.
  3. An identity broker gets the authentication request and communicates with the corporate identity store.
    • Identity broker: An intermediary proxy service connecting SPs with IDPs.
  4. If the request to the identity store is successful, the identity broker requests temporary credentials from AWS STS.
  5. AWS STS generates credentials dynamically and passes them to the identity broker.
  6. The identity broker passes the credentials to the application.
  7. The user application receives the temporary credentials and redirects the user to the AWS Management Console.
  • The temporary credentials carry only the permissions of the IAM policy attached to the assumed role, so that policy must permit the desired action.
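As an added example (not from these notes and not AWS or broker code), the broker side of steps 4 and 5 in standard-library Python: it builds a validated sts:AssumeRole request for one authenticated user and checks, against a constructed role policy, whether the resulting session may perform an action. It goes one step beyond the notes by also modelling the optional session policy a broker can pass to narrow a single user's session, whose effective permissions are the intersection of the role policy and the session policy. The role ARN, bucket names, policies and timestamps are constructed; the RoleSessionName and DurationSeconds limits are those documented for the STS API.

```python
import json
import re
from datetime import datetime
from fnmatch import fnmatchcase

# Constraints on sts:AssumeRole inputs, as documented in the STS API reference.
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")
MIN_DURATION, MAX_DURATION = 900, 43200

# Constructed sample data; the account id is the AWS documentation placeholder.
ROLE_ARN = "arn:aws:iam::123456789012:role/FinanceReportReader"
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::corp-reports", "arn:aws:s3:::corp-reports/*"]}]}
SESSION_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",  # narrows the role
    "Resource": "arn:aws:s3:::corp-reports/finance/*"}]}


def build_assume_role_request(role_arn, user_id, session_policy, duration=3600):
    """Parameters the broker sends to sts:AssumeRole, validated before the call."""
    session_name = re.sub(r"[^\w+=,.@-]", "_", user_id)  # ties the session to the user
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError(f"invalid RoleSessionName: {session_name!r}")
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    return {"RoleArn": role_arn, "RoleSessionName": session_name,
            "DurationSeconds": duration, "Policy": json.dumps(session_policy)}

def _policy_allows(policy, action, resource):
    """Evaluate one policy document: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        if (any(fnmatchcase(action.lower(), a.lower()) for a in actions)   # actions: case-insensitive
                and any(fnmatchcase(resource, r) for r in resources)):     # ARNs: case-sensitive
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def session_allows(role_policy, session_policy, action, resource):
    """Effective permissions of an assumed-role session: role policy AND session policy."""
    return (_policy_allows(role_policy, action, resource)
            and _policy_allows(session_policy, action, resource))

def credentials_usable(credentials, now_iso):
    """Temporary credentials stop working at Expiration (ISO 8601 as STS returns it)."""
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return parse(credentials["Expiration"]) > parse(now_iso)
```

The Cognito identity pool exchange described later in these notes relies on the same STS mechanism, so the permission check applies to those credentials as well.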

Amazon Cognito

  • A fully managed service for authentication, authorization, and user management for web and mobile apps.
  • Features:
    • Federated identities with IDPs.
    • User pools: Maintain a user directory for authentication.
    • Identity pools: Exchange an authenticated identity for temporary AWS credentials that carry the assigned permissions (uses AWS STS behind the scenes).

Amazon Cognito: User Pools and Identity Pools

  1. An app user signs in with credentials that are part of an Amazon Cognito user pool.
  2. After successful authentication, Amazon Cognito provides user pool tokens back to the user.
  3. The app exchanges the user pool tokens for temporary AWS credentials through an Amazon Cognito identity pool.
  4. The app uses those credentials to access other AWS services.

Summary of AWS Services for Identity Federation

  • Identity federation: A system of trust between IDPs and SPs.
  • IAM Identity Center: Provides central administration and single sign-on for AWS resources.
  • AWS STS: Provides temporary AWS credentials to users and roles needing AWS access.
  • Amazon Cognito: Provides authentication, authorization, and user management for mobile and web apps.