Skip to content
Gallery
14. Security in the Cloud
AWS Directory Service
Identity Providers and Federation
Encryption Primer
AWS Key Management Service
AWS Certificate Manager
AWS Security Hub
AWS Web Application Firewall (WAF)
AWS Shield and Shield Advanced
Amazon Inspector
Amazon Macie
Amazon GuardDuty
AWS Audit Manager
More
Share
Explore
If you already manage user identities outside of AWS, you can use identity providers instead of creating IAM users in your AWS account. With an identity provider (IdP), you can manage your user identities outside of AWS and give these external user identities permissions to use AWS resources in your account. This is useful if your organization already has its own identity system, such as a corporate user directory. It is also useful if you are creating a mobile app or web application that requires access to AWS resources.
An external IdP provides identity information to AWS using either
OpenID Connect (OIDC)
or
SAML 2.0 (Security Assertion Markup Language 2.0)
. OIDC connects applications, like GitHub Actions, that do not run on AWS to AWS resources. Examples of well-known SAML identity providers are Shibboleth and Active Directory Federation Services.
info
Note
As a security best practice, we recommend you manage human users in
IAM Identity Center
with an external SAML identity provider instead of using SAML federation in IAM. For information about specific situations where an IAM user is required, see
When to create an IAM user (instead of a role)
.
When you use an identity provider, you don't have to create custom sign-in code or manage your own user identities. The IdP provides that for you. Your external users sign in through an IdP, and you can give those external identities permissions to use AWS resources in your account. Identity providers help keep your AWS account secure because you don't have to distribute or embed long-term security credentials, such as access keys, in your application.

This guide covers IAM federation. Your use case might be better supported by IAM Identity Center or Amazon Cognito. The following summaries and table provide an overview of the methods that your users can employ to gain federated access to AWS resources.
IAM federation
Column 1
Account type
Access management of..
Supported identity source
1
Federation with IAM Identity Center
Multiple accounts managed by AWS Organizations
Your workforce’s human users
SAML 2.0
Managed Active Directory
Identity Center directory
2
Federation with IAM
Single, standalone account
Human users in short-term, small scale deployments
Machine users
SAML 2.0
OIDC
3
Federation with Amazon Cognito identity pools
Any
The users of apps that require IAM authorization to access resources
SAML 2.0
OIDC
Select OAuth 2.0 social identity providers
There are no rows in this table

Federation with IAM Identity Center

For centralized access management of human users, we recommend that you use
IAM Identity Center
to manage access to your accounts and permissions within those accounts. Users in IAM Identity Center are granted short-term credentials to your AWS resources. You can use Active Directory, an external identity provider (IdP), or an IAM Identity Center directory as the identity source for users and groups to assign access to your AWS resources.
IAM Identity Center supports identity federation with SAML (Security Assertion Markup Language) 2.0 to provide federated single sign-on access for users who are authorized to use applications within the AWS access portal. Users can then single sign-on into services that support SAML, including the AWS Management Console and third-party applications, such as Microsoft 365, SAP Concur, and Salesforce.

Federation with IAM

While we strongly recommend managing human users in IAM Identity Center, you can enable federated user access with IAM for human users in short-term, small scale deployments. IAM allows you to use separate SAML 2.0 and Open ID Connect (OIDC) IdPs and use federated user attributes for access control. With IAM, you can pass user attributes, such as cost center, title, or locale, from your IdPs to AWS, and implement fine-grained access permissions based on these attributes.
A workload is a collection of resources and code that delivers business value, such as an application or backend process. Your workload can require an IAM identity to make requests to AWS services, applications, operational tools, and components. These identities include machines running in your AWS environments, such as Amazon EC2 instances or AWS Lambda functions.
You can also manage machine identities for external parties who need access. To give access to machine identities, you can use IAM roles. IAM roles have specific permissions and provide a way to access AWS by relying on temporary security credentials with a role session. Additionally, you might have machines outside of AWS that need access to your AWS environments. For machines that run outside of AWS you can use
IAM Roles Anywhere
. For more information about roles, see
IAM roles
. For details about how to use roles to delegate access across AWS accounts, see
IAM tutorial: Delegate access across AWS accounts using IAM roles
.
To link an IdP directly to IAM, you create an identity provider entity to establish a trust relationship between your AWS account and the IdP. IAM supports IdPs that are compatible with
OpenID Connect (OIDC)
or
SAML 2.0 (Security Assertion Markup Language 2.0)
. For more information about using one of these IdPs with AWS, see the following sections:
OIDC federation
SAML 2.0 federation

Federation with Amazon Cognito identity pools

Amazon Cognito is designed for developers who want to authenticate and authorize users in their mobile and web apps. Amazon Cognito user pools add sign-in and sign-up features to your app, and identity pools deliver IAM credentials that grant your users access to protected resources that you manage in AWS. Identity pools acquire credentials for temporary sessions through the
AssumeRoleWithWebIdentity
API operation.
Amazon Cognito works with external identity providers that support SAML and OpenID Connect, and with social identity providers like Facebook, Google, and Amazon. Your app can sign in a user with a user pool or an external IdP, then retrieve resources on their behalf with customized temporary sessions in an IAM role.

Identity providers and federation - AWS Identity and Access Management
Control access to your AWS resources with user identity (authentication) and with policies that define specific permissions (authorization).
docs.aws.amazon.com
IAM federation
Federation with IAM Identity Center
Federation with IAM
Federation with Amazon Cognito identity pools
Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.