  • Lets an existing identity store be used for AWS access; the identity can come from
    • AWS Directory Service
    • SAML
    • a custom federation proxy
  • Uses the IAM role architecture: the external identity maps to a role, not to an IAM user of its own.
  • Access is temporary: STS issues the credentials via GetFederationToken or sts:AssumeRole.
  • AssumeRole session: min 15 min, default 1 hr, max 1 hr unless the role's MaxSessionDuration is raised (up to 12 hrs). GetFederationToken: min 15 min, default 12 hrs, max 36 hrs (capped at 1 hr when called by the root user).
  • Allows separation of responsibilities and minimizes admin overhead (no per-user IAM credentials to create, rotate or revoke).

Custom Proxy – Console – AssumeRole

  • Corporate user browses to the Fed Proxy (domain.com)
  • Fed Proxy authenticates the user against LDAP
  • LDAP returns the user's groups to the Fed Proxy
  • Fed Proxy sends a ListRoles request for the roles those groups map to
  • IAM returns the list of roles (ListRoles is an IAM API, not an STS one)
  • User selects the appropriate role
  • Fed Proxy calls sts:AssumeRole for that role
  • STS returns the AssumeRole response (temporary access key, secret key and session token)
  • Fed Proxy exchanges those credentials for a sign-in token at the AWS federation endpoint, builds the console sign-in URL and redirects the user to it
  • User opens the URL and gets console access
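The console path above, as an added example rather than code from the original notes: group-to-role mapping, the sts:AssumeRole call, and the two federation-endpoint steps (getSigninToken, then the login URL). GROUP_TO_ROLE, the role ARNs and the issuer URL are assumed placeholders. assume_role() and fetch_signin_token() need network access and boto3 with the proxy's IAM user credentials; everything else runs offline.

```python
# Added example, not from the original notes: the console path of a custom
# federation proxy. Assumed/placeholder names: GROUP_TO_ROLE, role ARNs, issuer.
import json
import urllib.parse
import urllib.request

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"

# Assumed mapping: directory group -> IAM role the proxy may assume for the user.
GROUP_TO_ROLE = {
    "aws-readonly": "arn:aws:iam::123456789012:role/ReadOnly",
    "aws-devops": "arn:aws:iam::123456789012:role/DevOps",
}


def roles_for_groups(groups):
    """Roles the user may pick, derived from the LDAP groups the proxy got back."""
    return sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})


def assume_role(role_arn, session_name, duration_seconds=3600):
    """sts:AssumeRole with the proxy's own credentials (network call; boto3 assumed).

    duration_seconds must be 900..the role's MaxSessionDuration (1 hr by default).
    session_name shows up in CloudTrail, so pass the corporate user id."""
    import boto3
    sts = boto3.client("sts")
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration_seconds)
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


def signin_token_url(creds, session_duration=3600):
    """getSigninToken request: the temporary credentials travel in the JSON
    'Session' parameter, so this must go over HTTPS. SessionDuration
    (900..43200 s) bounds the console session."""
    session = {
        "sessionId": creds["AccessKeyId"],
        "sessionKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
    }
    query = urllib.parse.urlencode({
        "Action": "getSigninToken",
        "SessionDuration": str(session_duration),
        "Session": json.dumps(session),
    })
    return f"{FEDERATION_ENDPOINT}?{query}"


def parse_signin_token(body):
    """The endpoint answers with JSON: {"SigninToken": "..."}."""
    return json.loads(body)["SigninToken"]


def fetch_signin_token(creds, session_duration=3600):
    """Network call: exchange the temporary credentials for a sign-in token."""
    with urllib.request.urlopen(signin_token_url(creds, session_duration)) as resp:
        return parse_signin_token(resp.read().decode())


def console_login_url(signin_token, issuer, destination="https://console.aws.amazon.com/"):
    """URL the proxy redirects the browser to. Only the sign-in token reaches
    the browser, never the temporary credentials themselves."""
    query = urllib.parse.urlencode({
        "Action": "login",
        "Issuer": issuer,            # where the console sends the user on expiry
        "Destination": destination,
        "SigninToken": signin_token,
    })
    return f"{FEDERATION_ENDPOINT}?{query}"


def query_params(url):
    """Helper for inspecting the URLs above (single value per key)."""
    parsed = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return {k: v[0] for k, v in parsed.items()}


if __name__ == "__main__":
    # Offline walk-through with constructed credentials and a constructed token.
    fake_creds = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "s3cr3t",
                  "SessionToken": "FQoGZXIvYXdzEXAMPLE"}
    print(roles_for_groups(["aws-devops", "hr-staff"]))
    print(signin_token_url(fake_creds))
    print(console_login_url("constructed-signin-token", "https://fedproxy.domain.com"))
```

In a real deployment the proxy would call assume_role(), then fetch_signin_token(), then redirect to console_login_url(); the group-to-role mapping is the authorization decision, so it belongs in data the proxy reads, not in code.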

Custom Proxy – API – GetFederationToken

  • Corporate app connects to the Fed Proxy
  • Fed Proxy authenticates the app against LDAP
  • Directory returns the app's entitlements to the Fed Proxy
  • Fed Proxy calls sts:GetFederationToken, passing a session policy derived from those entitlements
  • STS returns the GetFederationToken response (temporary credentials for a federated user)
  • Fed Proxy hands the session credentials to the app
  • App calls AWS APIs with them until they expire

Both use cases need an IAM user: the Fed Proxy calls STS with that user's long-term credentials, so the proxy host and its keys must be protected accordingly. GetFederationToken does not support MFA, and it must be called with long-term IAM user credentials rather than temporary ones.
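The GetFederationToken path, as an added example that is not code from the original notes: how the proxy turns directory entitlements into a session policy and validates the request parameters. Entitlement names, bucket names and the app name are assumed placeholders. get_federation_token() needs boto3, network access and the proxy's long-term IAM user credentials; the rest runs offline.

```python
# Added example, not from the original notes: the GetFederationToken path of a
# custom proxy. Entitlement names, bucket names and app names are placeholders.
import json
import re

MIN_DURATION = 900      # 15 minutes
MAX_DURATION = 129600   # 36 hours for an IAM user caller; root is capped at 1 hour
# Name: 2..32 chars of [A-Za-z0-9_+=,.@-]; it becomes part of the federated user ARN
NAME_RE = re.compile(r"^[A-Za-z0-9_+=,.@-]{2,32}$")

# Assumed mapping: directory entitlement -> S3 bucket/prefix the app may use.
ENTITLEMENT_TO_PREFIX = {
    "s3-reports": "corp-data/reports/",
    "s3-exports": "corp-data/exports/",
}


def session_policy(entitlements):
    """Session policy sent with GetFederationToken.

    The federated session gets the INTERSECTION of this policy and the calling
    IAM user's own policy: the proxy's IAM user must already hold everything it
    hands out, and this policy can only narrow, never widen. Without a Policy
    or PolicyArns the session has no permissions at all."""
    statements = []
    for ent in sorted(entitlements):
        prefix = ENTITLEMENT_TO_PREFIX.get(ent)
        if prefix is None:
            continue  # unknown entitlement: grant nothing rather than guess
        bucket, _, key_prefix = prefix.partition("/")
        statements.append({
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/{key_prefix}*",
        })
    if not statements:
        # Explicit deny-all keeps the intent obvious in policy review and CloudTrail.
        statements.append({"Effect": "Deny", "Action": "*", "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def request_error(app_name, duration_seconds):
    """None if the parameters are acceptable to STS, else the reason."""
    if not NAME_RE.match(app_name):
        return "Name must be 2-32 chars of [A-Za-z0-9_+=,.@-]"
    if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
        return f"DurationSeconds must be {MIN_DURATION}..{MAX_DURATION}"
    return None


def federation_token_request(app_name, entitlements, duration_seconds=43200):
    """Keyword arguments for sts.get_federation_token(). Note what is absent:
    there is no SerialNumber/TokenCode, i.e. no MFA on this call, which is why
    the proxy's IAM user credentials deserve strict protection."""
    err = request_error(app_name, duration_seconds)
    if err:
        raise ValueError(err)
    return {
        "Name": app_name,
        "Policy": json.dumps(session_policy(entitlements)),
        "DurationSeconds": duration_seconds,
    }


def policy_resources(request):
    """Resources allowed by the session policy inside a request (for inspection)."""
    statements = json.loads(request["Policy"])["Statement"]
    return [s["Resource"] for s in statements if s["Effect"] == "Allow"]


def get_federation_token(request):
    """Network call (boto3 assumed): must run under long-term IAM user
    credentials, not temporary ones."""
    import boto3
    return boto3.client("sts").get_federation_token(**request)["Credentials"]


if __name__ == "__main__":
    req = federation_token_request("billing-app", ["s3-reports", "unknown-entitlement"])
    print(json.dumps(req, indent=2))
```

The default duration of 43200 seconds is the 12-hour default the notes give; a proxy serving short-lived batch jobs should pass something closer to the 15-minute minimum so a leaked token is worth less.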

SAML – Console – AssumeRoleWithSAML

  • Corporate user accesses AD FS
  • AD FS authenticates the user against the directory
  • AD FS issues a SAML assertion carrying the user's group membership, mapped to role ARNs
  • User signs in to the AWS sign-in endpoint with the SAML assertion
  • Sign-in endpoint calls sts:AssumeRoleWithSAML
  • STS returns temporary credentials
  • AWS sign-in endpoint returns the console URL
  • Corporate user is redirected to the AWS console
  • No dedicated Fed Proxy to maintain: AssumeRoleWithSAML is an unsigned call, so the IdP needs no IAM credentials or permissions; trust comes from the SAML provider registered in IAM and the role's trust policy.
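What the sign-in endpoint (or a CLI tool acting as the service provider) does with the assertion from AD FS, as an added example rather than code from the original notes: pull the role/provider ARN pairs and the session name out of the SAML attributes, then call the unsigned AssumeRoleWithSAML API. The assertion below is constructed for illustration and unsigned; the role and provider ARNs are placeholders. assume_role_with_saml() needs boto3 and network access, but no AWS credentials.

```python
# Added example, not from the original notes: service-provider side of the
# SAML flow. The assertion is constructed; ARNs are placeholders.
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed, unsigned assertion. A real one is signed by AD FS, and STS
# verifies that signature against the certificate in the IAM SAML provider.
CONSTRUCTED_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML_NS}">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{ROLE_ATTR}">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/ADFS</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/DevOps</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="{SESSION_NAME_ATTR}">
      <saml2:AttributeValue>alice@domain.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
CONSTRUCTED_ASSERTION_B64 = base64.b64encode(CONSTRUCTED_ASSERTION.encode()).decode()


def _attribute_values(root, name):
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            return [v.text.strip() for v in attr.iter(f"{{{SAML_NS}}}AttributeValue") if v.text]
    return []


def parse_roles(assertion_b64):
    """(role_arn, principal_arn) pairs from the Role attribute. AWS accepts the
    two ARNs in either order, so classify by ARN type instead of by position."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    pairs = []
    for value in _attribute_values(root, ROLE_ATTR):
        arns = [a.strip() for a in value.split(",")]
        roles = [a for a in arns if ":role/" in a]
        providers = [a for a in arns if ":saml-provider/" in a]
        if len(roles) != 1 or len(providers) != 1:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        pairs.append((roles[0], providers[0]))
    return pairs


def parse_session_name(assertion_b64):
    """RoleSessionName is read by STS from the assertion itself; it is not a
    request parameter. Shown here because it is what lands in CloudTrail."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    values = _attribute_values(root, SESSION_NAME_ATTR)
    return values[0] if values else None


def assume_role_with_saml(role_arn, principal_arn, assertion_b64, duration_seconds=3600):
    """Unsigned STS call (boto3 assumed). The client needs a region but no
    access keys: trust comes from the assertion's signature, the IAM SAML
    provider, and the role's trust policy naming that provider."""
    import boto3
    sts = boto3.client("sts", region_name="us-east-1")
    resp = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=principal_arn,
                                     SAMLAssertion=assertion_b64,
                                     DurationSeconds=duration_seconds)
    return resp["Credentials"]


if __name__ == "__main__":
    for role_arn, principal_arn in parse_roles(CONSTRUCTED_ASSERTION_B64):
        print(role_arn, "via", principal_arn)
    print("RoleSessionName:", parse_session_name(CONSTRUCTED_ASSERTION_B64))
```

When the assertion carries more than one role, the sign-in endpoint shows a role chooser and the user picks one; the chosen pair is what goes into the AssumeRoleWithSAML call.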