IDF (Identity Federation) is an architecture in which the identities managed by an external identity provider (IDP) are recognized.
Types of IDF
- Cross-account roles: A remote account is allowed to assume a role and access your account’s resources.
- SAML 2.0 IDF: It allows users of a SAML-compatible system, such as Active Directory (AD), to log in to AWS services.
- Web Identity Federation: External web-based IDPs (Google, Facebook) are allowed to assume roles.
When to use IDF
- Enterprise Access to AWS
- Enterprise users with existing identities such as Active Directory.
- Users can access AWS using SSO (Single Sign-On).
- When there are many potential users that IAM cannot easily handle.
- Web & Mobile Users
- Users can use existing web identities.
- You do not need to store user credentials within the application.
- There might be a lot of users (millions or more).
Cognito and STS
Cognito and STS (Security Token Service) are used for IDF in AWS.
- When a federated identity is verified by an external IDP, the identity is swapped for temporary AWS credentials by assuming an appropriate role.
- AWS Cognito is a superset of the functionality of web identity federation (sign-in directly or through 3rd parties).
- Sign-up and sign-in, guest access, and synchronization of user data
- Recommended for mobile applications
User Pool
- acts as an Identity Provider (IdP) and authenticates a user (user ID, password)
- It supports the IdP standards, such as OAuth 2, SAML 2, and OpenID Connect.
- You can use social media IdPs such as Google or Amazon.
- issues three JWTs (JSON Web Tokens) that can be used for authorization
  - Identity Token
    - authorizes API calls
    - contains claims about the user (name or email)
    - signed but not encrypted
  - Access Token
    - specifies access-protected resources
    - signed but not encrypted
    - 5 minutes ~ 24 hours
  - Refresh Token
    - contains the information necessary to obtain a new ID or Access token
    - encrypted
    - 1 hour ~ 10 years
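The "signed but not encrypted" property of the ID and access tokens is the point a relying party most often gets wrong: anyone holding a token can read its claims, so only the signature and the claim checks (issuer, token_use, audience, expiry) separate a genuine token from a forged one. The following is an added example, not code from the page or from AWS. It constructs Cognito-shaped tokens with HS256 from the standard library so it runs offline; a real user pool signs with RS256 and publishes its public keys at its JWKS URL, so the key material, issuer, client id and token values here are all hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for an offline demonstration. A real Cognito user pool signs
# tokens with RS256 and publishes its public keys at
# https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json;
# HS256 with a shared key is used here only so the example runs with the standard library.
DEMO_KEY = b"demo-signing-key-not-a-real-secret"
EXPECTED_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # hypothetical pool
EXPECTED_CLIENT_ID = "1example23456789"  # hypothetical app client id
NOW = 1_700_000_000  # fixed clock so the sample tokens below stay valid


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build header.payload.signature; only the signature depends on the key."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def peek_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying: anyone holding the token can do this,
    which is why claims must never carry secrets."""
    return json.loads(b64url_decode(token.split(".")[1]))


def tamper_email(token: str, new_email: str) -> str:
    """Rewrite the email claim but keep the old signature (a forged token)."""
    header, _, sig = token.split(".")
    claims = peek_claims(token)
    claims["email"] = new_email
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.{sig}"


def verify_token(token: str, token_use: str, now: float = None, key: bytes = DEMO_KEY) -> dict:
    """Checks a relying party must make before trusting a Cognito JWT."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or an algorithm downgrade
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("token_use") != token_use:
        raise ValueError("wrong token_use")  # an access token is not an ID token
    # ID tokens carry the app client id in "aud", access tokens in "client_id"
    audience = claims.get("aud") if token_use == "id" else claims.get("client_id")
    if audience != EXPECTED_CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def is_valid(token: str, token_use: str, now: float) -> bool:
    try:
        verify_token(token, token_use, now)
        return True
    except ValueError:
        return False


# Constructed sample tokens shaped like Cognito's (hypothetical sub/email values)
ID_TOKEN = make_token({"sub": "0d1c5a0e-demo-sub", "iss": EXPECTED_ISSUER, "aud": EXPECTED_CLIENT_ID,
                       "token_use": "id", "email": "alice@example.com", "iat": NOW, "exp": NOW + 3600})
ACCESS_TOKEN = make_token({"sub": "0d1c5a0e-demo-sub", "iss": EXPECTED_ISSUER, "client_id": EXPECTED_CLIENT_ID,
                           "token_use": "access", "scope": "openid email", "iat": NOW, "exp": NOW + 3600})

if __name__ == "__main__":
    print("claims readable without a key:", peek_claims(ID_TOKEN)["email"])
    print("forged token accepted?", is_valid(tamper_email(ID_TOKEN, "mallory@example.com"), "id", NOW))
```

`peek_claims` shows why the tokens are not a place for secrets, and `tamper_email` shows why a signature check alone is not optional. The `token_use` check matters in practice: an access token and an ID token from the same pool share issuer and signing key, so a service that authorizes on user claims must refuse to accept an access token where it expects an ID token.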
Identity Pool
https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
- creates a unique identity for each user (authentication)
- issues temporary AWS credentials and grants permissions to AWS resources (authorization)
Scenarios
You can use the User Pool and the Identity Pool for common authentication/authorization scenarios. See the following documentation.
Common Amazon Cognito scenarios – Amazon Cognito
User Pool with Lambda Triggers
You can customize user pool workflows with Lambda triggers.
- Pre sign-up
- Post confirmation
- Pre authentication
- Post authentication
- Migrate user
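A pre sign-up trigger is the usual place to enforce who may create an account at all, before a user record exists. The following handler is an added example, not code from the page or from AWS: it accepts sign-ups only from an allowlist of (constructed) corporate mail domains, auto-confirms self sign-ups from those domains while still leaving email verification to Cognito, and rejects everything else by raising, which is how a Cognito trigger refuses a request. The event shape follows Cognito's pre sign-up trigger; the pool id and domains are hypothetical.

```python
import json
import logging

logger = logging.getLogger(__name__)

# Constructed allowlist: only sign-ups from these corporate mail domains are accepted.
ALLOWED_DOMAINS = {"example.com", "corp.example.com"}
# Sources Cognito sets on a pre sign-up event (self sign-up, admin-created user, federated IdP).
PRE_SIGNUP_SOURCES = {"PreSignUp_SignUp", "PreSignUp_AdminCreateUser", "PreSignUp_ExternalProvider"}


class SignUpRejected(Exception):
    """Raised to make Cognito return the message to the client and not create the user."""


def evaluate(event: dict) -> tuple:
    """Return (allowed, reason) for a pre sign-up event without mutating it."""
    if event.get("triggerSource") not in PRE_SIGNUP_SOURCES:
        return False, "not a pre sign-up event"
    email = event.get("request", {}).get("userAttributes", {}).get("email", "")
    local, at, domain = email.strip().lower().rpartition("@")
    if not at or not local or not domain:
        return False, "missing or malformed email"
    if domain not in ALLOWED_DOMAINS:
        return False, f"domain {domain} is not allowed"
    return True, "ok"


def lambda_handler(event: dict, context=None) -> dict:
    allowed, reason = evaluate(event)
    # Structured log line so rejected sign-ups can be alerted on from CloudWatch.
    logger.info(json.dumps({"trigger": event.get("triggerSource"), "allowed": allowed, "reason": reason}))
    if not allowed:
        raise SignUpRejected(f"Sign-up rejected: {reason}")
    # Skip the confirmation step only for self sign-up from an allowed domain; the
    # address is still verified by Cognito's code flow because autoVerifyEmail stays False.
    if event["triggerSource"] == "PreSignUp_SignUp":
        event["response"]["autoConfirmUser"] = True
    return event


def make_event(email: str, source: str = "PreSignUp_SignUp") -> dict:
    """Constructed event in the shape Cognito sends to a pre sign-up trigger."""
    return {
        "version": "1",
        "triggerSource": source,
        "region": "us-east-1",
        "userPoolId": "us-east-1_EXAMPLE",  # hypothetical pool id
        "userName": email,
        "request": {"userAttributes": {"email": email}, "validationData": {}},
        "response": {"autoConfirmUser": False, "autoVerifyEmail": False, "autoVerifyPhone": False},
    }


if __name__ == "__main__":
    print(lambda_handler(make_event("alice@example.com"))["response"])
    print(evaluate(make_event("mallory@evil.example")))
```

Leaving `autoVerifyEmail` at `False` is deliberate: auto-confirming a user only skips the confirmation step, while auto-verifying the address would let an unverified mailbox be used for account recovery.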
Amazon Cognito Sync
Amazon Cognito Sync is an AWS service and client library that enables cross-device syncing of application-related user data.
- You can use it to synchronize user profile data across mobile devices and web applications.
Use Case: Allow temporary access to S3 for AD users
You can use STS to issue temporary credentials so that users access resources through IAM roles.
- A user makes a request to the IDP (Identity Provider)
- The IDP authenticates the user
- The IDP sends the user a SAML assertion
- The user calls “assumeRole” with the SAML assertion
- STS returns temporary security tokens
- The user uses the tokens to access AWS resources such as S3
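What makes the flow above safe is the role side, which the steps do not show: the role's trust policy must name the specific SAML provider and require the assertion to be addressed to AWS, and the session should be narrowed to what the user actually needs. The following is an added example, not code from the page or from AWS. It builds the trust policy for a SAML role, a session policy that limits the temporary credentials to one S3 prefix, a small check for the two common trust-policy mistakes, and the `AssumeRoleWithSAML` call for steps 4 to 6 (the `exchange_assertion` function needs boto3 and network access and is not run offline). The account id, provider name, role name and bucket are hypothetical.

```python
import json

# Hypothetical identifiers; replace with your own account, provider and role names.
ACCOUNT_ID = "123456789012"
SAML_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/CorpAD"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AD-S3-ReadOnly"
# Audience value used in the standard AWS trust policy for SAML federation.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy: only assertions from this IdP, addressed to AWS, may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def s3_session_policy(bucket: str, prefix: str) -> dict:
    """Inline session policy passed to STS: the temporary credentials get the intersection
    of the role's permissions and this policy, so a broad role is narrowed per session."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"},
        ],
    }


def trust_policy_findings(policy: dict) -> list:
    """Flag the two mistakes that turn a SAML role into an open door."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithSAML" not in actions:
            continue
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if federated == "*" or not str(federated).startswith("arn:aws:iam::"):
            findings.append("Principal.Federated is not a specific IAM SAML provider")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append("missing SAML:aud condition")
    return findings


def exchange_assertion(assertion_b64: str, bucket: str, prefix: str, duration: int = 3600) -> dict:
    """Steps 4-6: hand the assertion to STS and return the temporary credentials.
    Needs boto3 and network access; not exercised offline."""
    import boto3  # imported here so the rest of the file runs without boto3 installed
    sts = boto3.client("sts")
    resp = sts.assume_role_with_saml(
        RoleArn=ROLE_ARN,
        PrincipalArn=SAML_PROVIDER_ARN,
        SAMLAssertion=assertion_b64,  # base64-encoded assertion as issued by the IdP
        Policy=json.dumps(s3_session_policy(bucket, prefix)),
        DurationSeconds=duration,  # bounded by the role's MaxSessionDuration
    )
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


if __name__ == "__main__":
    print(json.dumps(saml_trust_policy(SAML_PROVIDER_ARN), indent=2))
    print(trust_policy_findings({"Statement": [{"Effect": "Allow", "Principal": "*",
                                                "Action": "sts:AssumeRoleWithSAML"}]}))
```

The `Policy` parameter is the cheapest way to apply least privilege to federated sessions: the role can stay reusable across groups while each exchange is limited to a single bucket prefix, and the credentials expire on their own after `DurationSeconds`.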
Tracking Devices
You can track and remember user devices using Cognito.
- You can see the remembered devices and associated metadata through the console.
- You can build custom functionality such as limiting the number of devices per end user.
AWS IAM Identity Center
AWS IAM Identity Center is where the credentials of an external identity are used to allow access to a local system (e.g., AWS).
- formerly known as AWS Single Sign-On (SSO)
- IAM Identity Center offers pre-configured SAML 2.0 (Security Assertion Markup Language) integration with many business applications (Salesforce, Office 365) and with on-premises Microsoft Active Directory through an AD trust.