[AWS] IDF, Cognito, and SSO

IDF (Identity Federation) is an architecture in which identities managed by an external identity provider (IdP) are recognized by AWS.

Types of IDF

  • Cross-account roles: A remote account is allowed to assume a role in your account and access its resources.
  • SAML 2.0 IDF: Users of SAML 2.0-compatible systems such as Active Directory (AD) can log in to AWS services.
  • Web Identity Federation: Users authenticated by external web-based IdPs (Google, Facebook) are allowed to assume roles.

When to use IDF

  • Enterprise Access to AWS
    • Enterprise users with existing identities such as Active Directory.
    • Users can access AWS using SSO (Single Sign-On).
    • There may be many potential users, more than IAM alone can easily manage.
  • Web & Mobile Users
    • Users can use existing web identities.
    • You do not need to store user credentials within the application.
    • There might be a lot of users (millions or more).

Cognito and STS

Cognito and STS (Security Token Service) are used for IDF in AWS.

  • When a federated identity is verified by an external IdP, the identity is exchanged for temporary AWS credentials by assuming an appropriate role.
  • Amazon Cognito is a superset of the functionality of web identity federation (sign in directly or through third-party providers).
    • Sign-up and sign-in, Guest access, and Synchronize user data
    • Recommended for mobile applications

User Pool

  • acts as an Identity Provider (IdP) and authenticates users (user ID and password)
    • It supports IdP standards such as OAuth 2.0, SAML 2.0, and OpenID Connect.
  • issues three JWTs that can be used for authorization
    • Identity Token
      • authorizes API calls
      • contains claims about the user (name or email)
      • signed but not encrypted
    • Access Token
      • specifies which access-protected resources may be used
      • signed but not encrypted
      • valid for 5 minutes to 24 hours
    • Refresh Token
      • contains the information necessary to obtain a new ID or Access token
      • encrypted
      • valid for 1 hour to 10 years
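The "signed but not encrypted" property above is the practical point for anyone consuming these tokens: every claim is readable by whoever holds the token, so a backend must verify the signature and the Cognito-specific claims before trusting any of them. The following Go program is an added example (not code from the original post or from AWS) of that verification: it checks the RS256 signature against the pool's published JWKS and then iss, token_use, exp, and the app client (aud in an ID token, client_id in an access token). Because a real token requires a live User Pool, the program generates its own RSA key, signs a constructed ID token, and builds the matching JWKS locally; the region, pool ID, app client ID, and user attributes are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Placeholders for the constructed scenario, not real Cognito identifiers.
const Region, PoolID, ClientID = "us-east-1", "us-east-1_EXAMPLE", "example-app-client-id"

// JWK/JWKS mirror the fields of the pool's jwks.json needed for RS256 (encoding/json matches the lowercase keys).
type JWK struct{ Kid, N, E string }
type JWKS struct{ Keys []JWK }
var b64 = base64.RawURLEncoding

// decodeJSON base64url-decodes one JWT segment and parses it as JSON into v.
func decodeJSON(segment string, v interface{}) error {
	return json.NewDecoder(base64.NewDecoder(b64, strings.NewReader(segment))).Decode(v)
}

func publicKeyFromJWK(k JWK) *rsa.PublicKey {
	nb, errN := b64.DecodeString(k.N)
	eb, errE := b64.DecodeString(k.E)
	if errN != nil || errE != nil {
		return nil
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
}

// VerifyCognitoToken checks the RS256 signature against the pool's JWKS, then the Cognito-specific claims: iss, token_use ("id" or "access"), exp, and the app client (aud in ID tokens, client_id in access tokens).
func VerifyCognitoToken(token string, jwks JWKS, region, poolID, clientID, tokenUse string, now time.Time) (map[string]interface{}, error) {
	parts, hdr := strings.Split(token, "."), map[string]string{}
	// The verifier, not the token header, decides which algorithm is acceptable.
	if len(parts) != 3 || decodeJSON(parts[0], &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, fmt.Errorf("malformed token or unexpected alg %q", hdr["alg"])
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid == hdr["kid"] {
			pub = publicKeyFromJWK(k)
		}
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("unknown kid %q or signature verification failed", hdr["kid"])
	}
	// The payload was readable all along (signed, not encrypted); only now is it trustworthy.
	var claims map[string]interface{}
	if err := decodeJSON(parts[1], &claims); err != nil {
		return nil, err
	}
	iss := "https://cognito-idp." + region + ".amazonaws.com/" + poolID
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64; a missing exp becomes 0 and fails
	if claims["iss"] != iss || claims["token_use"] != tokenUse || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("issuer, token_use or expiry check failed: %v", claims)
	}
	audClaim := map[string]string{"id": "aud", "access": "client_id"}[tokenUse]
	if claims[audClaim] != clientID {
		return nil, fmt.Errorf("%s %v, want %s", audClaim, claims[audClaim], clientID)
	}
	return claims, nil
}

// SignTestToken builds an RS256 JWT with a locally generated key: a constructed stand-in for a User Pool-issued token, used only to exercise the verifier.
func SignTestToken(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// Fixture returns a signed ID token and the JWKS a verifier would fetch for it (all constructed locally).
func Fixture() (string, JWKS, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", JWKS{}, err
	}
	tok, err := SignTestToken(priv, "key-1", map[string]interface{}{
		"iss": "https://cognito-idp." + Region + ".amazonaws.com/" + PoolID, "token_use": "id", "aud": ClientID,
		"sub": "11111111-2222-3333-4444-555555555555", "email": "user@example.com", "exp": time.Now().Add(time.Hour).Unix(),
	})
	jwks := JWKS{Keys: []JWK{{Kid: "key-1", N: b64.EncodeToString(priv.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}}
	return tok, jwks, err
}

func main() {
	tok, jwks, _ := Fixture()
	fmt.Println(VerifyCognitoToken(tok, jwks, Region, PoolID, ClientID, "id", time.Now()))
}
```

Run it with go run; the same token is rejected when the caller asks for an access token (its token_use is "id"), when the app client or pool differs, after exp, and when the header names any algorithm other than RS256. Against a real pool, fetch the key set from https://cognito-idp.REGION.amazonaws.com/POOL_ID/.well-known/jwks.json (REGION and POOL_ID are placeholders here) and cache it by kid; the rest of the checks are the same.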

Identity Pool

  • creates a unique identity for each authenticated user
    • You can sign in
      • through social IdPs such as Google or Facebook,
      • or through enterprise IdPs such as Microsoft Active Directory.
  • issues temporary AWS credentials and grants permissions to AWS resources (authorization)

You can combine the User Pool and the Identity Pool to cover common authentication/authorization scenarios; see the following documentation.

Common Amazon Cognito scenarios – Amazon Cognito

Use Case: Allow temporary access to S3 for AD users

You can use STS to generate temporary security credentials that let users access resources through IAM roles.

  1. The user makes a request to the IdP (Identity Provider).
  2. The IdP authenticates the user.
  3. The IdP sends the user a SAML assertion.
  4. The user calls “assumeRole” with the SAML assertion.
  5. STS returns temporary security credentials (tokens).
  6. The user uses the credentials to access AWS resources such as S3.

AWS IAM Identity Center

AWS IAM Identity Center is the service through which the credentials of an external identity are used to grant access to a local system (e.g., AWS).

  • formerly known as AWS Single Sign-On (SSO)
  • IAM Identity Center offers pre-configured SAML 2.0 (Security Assertion Markup Language) integration with many business applications (Salesforce, Office 365) and with on-premises Microsoft Active Directory through an AD trust.
