Hello,
If you are looking for a way to access AWS resources, then AWS Identity Center is the answer. If you are looking to federate from another IdP such as Azure AD or GCP, Identity Center can be configured to federate users.
You can use two AWS services to federate your workforce into AWS accounts and business applications: AWS IAM Identity Center (successor to AWS SSO) or AWS Identity and Access Management (IAM).
https://aws.amazon.com/identity/federation/
If you are looking for identity management using federated identities for your custom application, then Amazon Cognito is your solution. You will need to create a user pool, update your SAML IdP and configure your user pool to support the provider. See the documentation for your SAML IdP for information about how to add your user pool as a relying party or application for your SAML 2.0 IdP.
https://docs.amazonaws.cn/en_us/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
Hi,
We have a readily available solution for this in IAM today: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html
Note: If you are using Google as your IdP then you don't need to create a separate IAM IdP in AWS as it is already built into AWS.
As noted on that linked page above, you will create your IAM policy and as part of that a trust policy.
Then if signing in from Google, the following example trust policy would apply. In this example, 666777888999000 represents the app ID that Google assigns.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RoleForGoogle",
            "Effect": "Allow",
            "Principal": {"Federated": "accounts.google.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"accounts.google.com:aud": "666777888999000"}
            }
        }
    ]
}
The flow would likely be this:
Client --- authenticates to ---> Google IdP --- returns authenticated ID token to ---> Client
Client --- calls 'sts AssumeRoleWithWebIdentity' with the ID token ---> AWS STS
AWS STS <--- validates the ID token with ---> Google IdP
AWS STS --- checks trust policy ---> IAM role
AWS STS --- returns temporary credentials to ---> Client
Client --- accesses service ---> AWS
One last thing: you must use an ID token when making the call to AssumeRoleWithWebIdentity; this does not work for a Google access token.
Hope this helps?
Kind Regards, Alex.
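The following is an added example, not part of Alex's answer or any AWS code: a small offline model of the step "AWS STS --- checks trust policy ---> IAM role" for the Google trust policy shown above, so a reader can see why the `accounts.google.com:aud` condition matters and why an opaque access token is rejected. The token values, the helper `make_unsigned_token`, the `aud` value 666777888999000 (the placeholder app ID from the answer) and the simplified evaluator `trust_policy_allows` are all constructed here; real STS also verifies the token signature against Google's published keys and checks expiry, which this model deliberately does not do.

```python
"""Offline model of the STS trust-policy check for AssumeRoleWithWebIdentity.

Added example (not from the original answer). It decodes a JWT-shaped
Google ID token without verifying it and evaluates the answer's trust
policy against the token's claims. Signature and expiry verification are
STS's job and are intentionally omitted here.
"""
import base64
import json

# Trust policy from the answer above; 666777888999000 is the placeholder
# Google app ID used there.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleForGoogle",
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"accounts.google.com:aud": "666777888999000"}},
    }],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped token with a fake signature (constructed test data)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT. Raises ValueError for non-JWT input
    (for example an opaque Google access token such as 'ya29....')."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def trust_policy_allows(policy: dict, claims: dict) -> bool:
    """Simplified evaluation of a federated trust policy against ID-token claims.

    Models only what the policy above uses: Principal.Federated must equal the
    token issuer (Google sends 'https://accounts.google.com' or
    'accounts.google.com'), the Action must be AssumeRoleWithWebIdentity, and
    every StringEquals condition key '<issuer>:<claim>' must match that claim.
    """
    issuer = claims.get("iss", "").removeprefix("https://")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != issuer:
            continue
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(claims.get(key.split(":", 1)[1]) == value
               for key, value in conditions.items()):
            return True
    return False


def check_token(policy: dict, token: str) -> tuple[bool, str]:
    """Decide whether STS would let this token assume the role, with a reason."""
    try:
        claims = decode_jwt_claims(token)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if trust_policy_allows(policy, claims):
        return True, f"allowed: aud={claims.get('aud')} matches trust policy"
    return False, f"denied: aud={claims.get('aud')} not permitted by trust policy"


def assume_role_request(role_arn: str, token: str, session_name: str) -> dict:
    """Keyword arguments a client would pass to boto3's
    sts.assume_role_with_web_identity(...) once the token is in hand."""
    return {"RoleArn": role_arn, "RoleSessionName": session_name,
            "WebIdentityToken": token}


if __name__ == "__main__":
    good = make_unsigned_token({"iss": "https://accounts.google.com",
                                "aud": "666777888999000", "sub": "1001"})
    other_app = make_unsigned_token({"iss": "https://accounts.google.com",
                                     "aud": "111222333", "sub": "1001"})
    for name, tok in [("id token", good), ("other app's id token", other_app),
                      ("access token", "ya29.constructed-opaque-access-token")]:
        print(name, "->", check_token(TRUST_POLICY, tok))
```

The three sample cases mirror the points in the answer: a Google ID token whose `aud` is the app ID in the trust policy is allowed, an ID token issued for a different Google app is denied by the `StringEquals` condition, and an opaque access token is not a JWT at all and cannot be evaluated.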