[AWS] IDF, Cognito, and SSO

IDF (Identity Federation) is an architecture where the identities of an external identity provider (IDP) are recognized.

Types of IDF

  • Cross-account roles: A remote account is allowed to assume a role and access your account’s resources,
  • SAML 2.0 IDF: It allows users of SAMAL compatible system such as Active Directory (AD) to log in to the AWS services.
  • Web Identity Federation: External web-based IDPs (Google, Facebook) are allowed to assume roles.

When to use IDF

  • Enterprise Access to AWS
    • Enterprise users with existing identities such as Active Directory.
    • Users can access to AWS using SSO (Single Sign-On).
    • With a lot of potential users that IAM cannot easily handle.
  • Web & Mobile Users
    • Users can use existing web identities.
    • You do not need to store user credentials within the application.
    • There might be a lot of users (millions or more).

Cognito and STS

Cognito and STS (Secure Token Service) are used for IDF in AWS.

  • When a federated identity is verified by an external IDP, the identity is swapped with the temporary AWS credentials by assuming a proper role.
  • AWS Cognito is a superset of the functionality of web identity federation (sign-in directly or through 3rd parties).
    • Sign-up and sign-in, Guest access, and Synchronize user data
    • Recommended for mobile applications
  • User Pool authenticates a user (user id, password) and gets tokens.
  • Identity Pool exchanges tokens for temporary AWS credentials. (authorization)

Use Case: Allow temporary access to S3 for AD users

You can use STS to generate a temporary token and allow users to access with IAM roles.

  1. A user makes request to IDP (Identity Provider)
  2. IDP authenticates a user
  3. IDP sends a user SAML assertion
  4. A user calls “assumeRole” with SAML
  5. STS returns temporary security tokens
  6. A user uses tokens to access AWS resources such as S3

Single Sign-On (SSO)

AWS SSO is where the credentials of an external identity are used to allow access to a local system (e.g., AWS).

  • AWS SSO offers pre-configured SAML 2.0 (Security Assertion Markup Language) integration to many business applications (Salesforce, Office365) and On-premise Microsoft Active Directory through AD trust.

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s