Cognito vs Identity Center (SSO)

2

I am building a web application. Customers should have a valid AWS account to onboard. Each customer could be a whole corporation on their own with their own identity provider. The application should authenticate users of each customer's org and authorize their access to certain APIs within my application. The application should also be able to run automation in the customer's AWS account by assuming a certain IAM role.

Looking at Identity solutions from AWS, I see native IAM, Cognito, and SSO.

Native IAM doesn't present the identity of the user and their group membership to my application.

Cognito seems to fit my use case. I can provide the customer with a CloudFormation template to run in their account to prepare things: a Cognito user pool, a certain group name that my application looks for, certain IAM roles for my application to assume, and a Cognito identity pool to exchange the user's authenticated identity for IAM temp creds to run automation in their account within a certain permissions scope. The customer can integrate Cognito with their own IdP to have centralized user and group management.

Does this solution look sane? Does SSO provide better integration for my application? If yes, does SSO allow me to provide the customer with a CloudFormation template to configure their SSO before they can onboard to my application?

Related Q prior to rePost era: https://stackoverflow.com/questions/48767172/whats-the-difference-between-aws-sso-and-aws-cognito - but it is not answered yet.

1 Answer
1

In regard to your use case, a Cognito user pool would indeed be a better option, as you would have access to certain security features such as advanced security features, integration with WAF, and customizing the login page, which would provide you an edge with your web application. That being said, if you have a user base in AWS SSO and would like to use that, you may create AWS SSO as a SAML provider in AWS Cognito.

Varun (AWS Support Engineer)
answered 2 years ago
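An added example (not from the question or the answer) of the authorization step the question describes when every customer brings their own Cognito user pool: the application pins each tenant to one issuer and app client before it trusts the `cognito:groups` claim and picks the IAM role to assume. It assumes the ID token's signature was already verified with a JWT library; the tenant registry, group names, client IDs, account IDs and role ARNs are constructed placeholders.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Tenant:
    issuer: str          # https://cognito-idp.<region>.amazonaws.com/<userPoolId>
    client_id: str       # app client created in the customer's user pool
    required_group: str  # group name the application looks for
    role_arn: str        # automation role in the customer's account

# Constructed sample registry, filled in at customer onboarding.
TENANTS = {
    "acme": Tenant(
        "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE01",
        "exampleclient0001", "app-operators",
        "arn:aws:iam::111111111111:role/ExampleAutomationRole"),
    "globex": Tenant(
        "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE02",
        "exampleclient0002", "app-operators",
        "arn:aws:iam::222222222222:role/ExampleAutomationRole"),
}

class AccessDenied(Exception):
    pass

def authorize(tenant_id, claims, now=None):
    """Return the role ARN to assume for this tenant, or raise AccessDenied.

    `claims` is the payload of a Cognito ID token whose signature has
    already been verified (assumption of this example).
    """
    now = time.time() if now is None else now
    tenant = TENANTS.get(tenant_id)
    if tenant is None:
        raise AccessDenied("unknown tenant")
    # Customers control their own pools, so a group claim is only meaningful
    # when the token was issued by the pool registered for this tenant.
    if claims.get("iss") != tenant.issuer:
        raise AccessDenied("issuer is not this tenant's user pool")
    if claims.get("token_use") != "id" or claims.get("aud") != tenant.client_id:
        raise AccessDenied("wrong token type or audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AccessDenied("token expired")
    groups = claims.get("cognito:groups", [])
    if not isinstance(groups, list) or tenant.required_group not in groups:
        raise AccessDenied("user is not in the required group")
    return tenant.role_arn
```

The returned ARN is what the application would pass to its role-assumption step; keeping the issuer-to-role mapping on the application side means a token from one customer's pool can never select another customer's role.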
