Skip to content
Gallery
14. Security in the Cloud
AWS Directory Service
Identity Providers and Federation
Encryption Primer
AWS Key Management Service
AWS Certificate Manager
AWS Security Hub
AWS Web Application Firewall (WAF)
AWS Shield and Shield Advanced
Amazon Inspector
Amazon Macie
Amazon GuardDuty
AWS Audit Manager
More
Share
Explore
Identity Providers and Federation

icon picker
SAML 2.0 Identity Federation

AWS supports identity federation with
SAML 2.0 (Security Assertion Markup Language 2.0)
, an open standard that many identity providers (IdPs) use. This feature enables federated single sign-on (SSO), so users can log into the AWS Management Console or call AWS API operations without you having to create an IAM user for everyone in your organization. By using SAML, you can simplify the process of configuring federation with AWS, because you can use the IdP's service instead of
writing custom identity proxy code
.
IAM federation supports these use cases:
Federated access to allow a user or application in your organization to call AWS API operations
. This use case is discussed in the following section. You use a SAML assertion (as part of the authentication response) that is generated in your organization to get temporary security credentials. This scenario is similar to other federation scenarios that IAM supports, like those described in
Requesting temporary security credentials
and
OIDC federation
. However, SAML 2.0–based IdPs in your organization handle many of the details at run time for performing authentication and authorization checking.
Web-based single sign-on (SSO) to the AWS Management Console from your organization
. Users can sign in to a portal in your organization hosted by a SAML 2.0–compatible IdP, select an option to go to AWS, and be redirected to the console without having to provide additional sign-in information. You can use a third-party SAML IdP to establish SSO access to the console or you can create a custom IdP to enable console access for your external users. For more information about building a custom IdP, see
Enabling custom identity broker access to the AWS console
.
image.png


SAML 2.0 federation - AWS Identity and Access Management
Control access to your AWS resources with user identity (authentication) and with policies that define specific permissions (authorization).
docs.aws.amazon.com
Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.