
Identity Provider and Federation

As we saw earlier, the identities of the users who access our account can be managed either in AWS, as IAM users, or outside of AWS by using IAM identity providers. You can grant access to your AWS resources to users whose identities are managed by AWS or outside of AWS. This functionality supports scenarios where your users are already managed by your organization's identity management system, such as Microsoft Active Directory. It also supports use cases where an application or a mobile app needs to access your AWS resources.

Identity providers help keep your AWS account secure because your credentials are not embedded in your application. To use an identity provider, you will need to create an IAM identity provider entity to establish a trust relationship between your AWS account and the identity provider. AWS supports two types of identity providers:

  • OpenID Connect Compatible
  • SAML 2.0 Compatible

You can create an identity provider from the IAM dashboard. This creates trust between your AWS account and the identity provider. For more information on how to create identity providers, please visit the following URL:

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create.html

Alternatively, if you have users of a mobile application that need access to your AWS resources, you can use web identity federation. These users sign in using an established and popular identity provider such as Facebook, Amazon, or Google and receive an authorization token. This token can be exchanged for temporary security credentials. These credentials are mapped to an IAM role that has permissions to access AWS resources.

AWS, however, recommends that for most scenarios, Amazon Cognito should be used instead of web identity federation as it acts as an identity broker and does much of the federation work for you. We will look at Amazon Cognito in the subsequent chapters.
