Federated Identity Management
💡 Definition
Federated Identity Management is a system that allows users to access resources (like AWS accounts and applications) from multiple, independent identity management systems using a single set of credentials. Instead of AWS maintaining a separate user directory, it trusts an external identity provider (IdP) to authenticate users.
🔑 Key Concepts
- Identity Provider (IdP): An entity that authenticates a user's identity (e.g., corporate Active Directory, Google, Facebook).
- Service Provider (SP): The application or service the user wants to access (e.g., AWS, Salesforce).
- Single Sign-On (SSO): Users log in once to their IdP and can then access multiple SPs without re-entering credentials.
- Temporary Credentials: When a user federates into AWS, they don't get a permanent IAM User account. Instead, AWS issues temporary security credentials via an IAM Role.
- Standards: Commonly uses open standards such as SAML 2.0 (Security Assertion Markup Language) or OpenID Connect (OIDC); AWS also supports web identity federation for mobile and web applications.
⚙️ How it Works
- User Authenticates: A user logs into their corporate network or a social IdP.
- IdP Asserts Identity: The IdP asserts the user's identity and attributes (e.g., department, group membership) to AWS.
- AWS Grants Access: AWS maps the asserted identity to a pre-configured IAM Role in the AWS account.
- Temporary Credentials: The user assumes the IAM Role and receives temporary credentials, which can then be used to access AWS resources.
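The mapping step above rests on attributes the IdP places in its SAML assertion: AWS reads the `https://aws.amazon.com/SAML/Attributes/Role` attribute, whose values pair an IAM Role ARN with the SAML provider ARN that is trusted to vouch for it, plus optional `RoleSessionName` and `SessionDuration` attributes. The following added example (not part of these notes or of any AWS SDK) parses a constructed, unsigned assertion and selects only roles in accounts the relying side expects; the assertion's signature is verified by AWS STS when `AssumeRoleWithSAML` is called, which this parser does not replace.

```python
import xml.etree.ElementTree as ET

# Constructed sample assertion for illustration; a real one is signed by the IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
   <saml:AttributeValue>arn:aws:iam::111122223333:role/ReadOnly,arn:aws:iam::111122223333:saml-provider/CorpIdP</saml:AttributeValue>
   <saml:AttributeValue>arn:aws:iam::999988887777:role/Admin,arn:aws:iam::999988887777:saml-provider/CorpIdP</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
   <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
   <saml:AttributeValue>3600</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"


def attribute_values(root, name):
    """Return the text of every AttributeValue under the named SAML Attribute."""
    path = f".//saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(path, NS) if v.text]


def parse_aws_saml_attributes(assertion_xml, allowed_accounts):
    """Extract (role_arn, provider_arn) pairs, session name and duration.

    Role values may list the role and provider ARN in either order, so each
    half is identified by its ARN type. Roles outside allowed_accounts are
    skipped: an assertion should only ever lead into accounts we manage.
    """
    root = ET.fromstring(assertion_xml)
    roles = []
    for value in attribute_values(root, ROLE_ATTR):
        parts = [p.strip() for p in value.split(",")]
        role_arn = next((p for p in parts if ":role/" in p), None)
        provider_arn = next((p for p in parts if ":saml-provider/" in p), None)
        if len(parts) != 2 or not role_arn or not provider_arn:
            continue  # malformed pair; ignore rather than guess
        if role_arn.split(":")[4] not in allowed_accounts:
            continue
        roles.append((role_arn, provider_arn))
    names = attribute_values(root, NAME_ATTR)
    durations = attribute_values(root, DURATION_ATTR)
    return {
        "roles": roles,
        "session_name": names[0] if names else None,
        "duration": int(durations[0]) if durations else 3600,  # one hour if absent
    }
```

Each returned pair is exactly the `RoleArn` and `PrincipalArn` a client passes, together with the base64-encoded assertion, to STS `AssumeRoleWithSAML` to obtain the temporary credentials described in the last step.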
🎯 Use Cases
- Corporate Users: Allowing employees to access AWS using their existing corporate Active Directory credentials.
- SaaS Applications: Integrating AWS applications with third-party identity management solutions.
- Mobile/Web Applications: Enabling users to log into your applications using social identity providers (e.g., Login with Amazon, Facebook, Google) via Amazon Cognito.
- Cross-Account Access: Providing temporary access to users from other AWS accounts.
💰 Pricing Model
- Federated Identity Management is a concept. The AWS services that facilitate it (e.g., IAM, AWS SSO) are generally free, but you may pay for underlying services or external identity providers.
📝 Exam Tips (CLF-C02)
- Keywords: "Single Sign-On", "External Identity Provider", "Temporary Credentials", "Corporate credentials".
- AWS SSO is a managed service that simplifies setting up SSO to multiple AWS accounts.
- IAM Roles are crucial for granting permissions to federated users.
- Enhances security by centralizing identity management and avoiding creation of many long-lived IAM Users.