Federated Access
AWS enables federated authentication, allowing organizations to manage user access to AWS accounts and applications without maintaining credentials within AWS. Instead of creating and managing AWS-native identities, users authenticate through an external Identity Provider (IdP) such as Microsoft Entra ID (Azure AD), Okta, Google Workspace, or an on-premises Active Directory.
AWS provides two primary methods for integrating federated authentication:
IAM Identity Center (AWS SSO) – A centralized authentication and access management service that integrates with external IdPs via SAML 2.0 or OIDC, enabling single sign-on (SSO) across multiple AWS accounts and applications.
IAM Role-Based Federation – A traditional approach where users authenticate through an IdP, and AWS grants access based on IAM roles, using SAML assertions or OIDC tokens.
Both methods allow organizations to extend existing identity management solutions to AWS while ensuring secure, centralized, and scalable access control. The choice between IAM Identity Center and IAM Role-Based Federation depends on the organization’s need for multi-account access, authentication preferences, and security requirements.
Why Use Federated Access
Eliminates the need to create IAM users in AWS.
Allows users to authenticate with corporate identity providers (IdPs) such as Azure AD, Okta, Google Workspace, and Ping Identity.
Provides Single Sign-On (SSO) to multiple AWS accounts and services.
Supports Multi-Factor Authentication (MFA) enforcement.
Federated Access via IAM Identity Center (Recommended)
IAM Identity Center (formerly AWS SSO) simplifies federated access for AWS multi-account environments.
Setup for IAM Identity Center Federated Authentication
Enable IAM Identity Center: Begin by turning on IAM Identity Center in the AWS Management Console. During setup, choose the identity source—either the default AWS directory (for manually managed users) or an external Identity Provider (IdP) such as Azure AD, Okta, or Google Workspace.
Configure IdP Federation: In your external IdP, set up SAML 2.0 or OIDC authentication to establish trust with AWS. Obtain the IAM Identity Center metadata file from AWS and upload it to the IdP. Define group claims in the IdP to send user group membership data during authentication.
Set Up SCIM for Automatic User and Group Provisioning (Optional): To automate user and group synchronization, enable SCIM provisioning in IAM Identity Center. Copy the SCIM endpoint URL and bearer token, then configure the IdP to automatically provision and update users and groups in IAM Identity Center.
Create IAM Identity Center Groups: IAM Identity Center does not pull groups from the IdP dynamically at login. Instead, groups must be manually created or synchronized via SCIM. These groups will be used to assign permissions within AWS.
Create Permission Sets: Define AWS access levels by creating Permission Sets in IAM Identity Center. These permission sets are similar to IAM policies and specify what actions users can perform in AWS.
Assign Groups to AWS Accounts: Map IAM Identity Center groups (not IdP groups) to AWS accounts. Assign the appropriate Permission Set to each group, granting users access to AWS resources based on their assigned group.
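The following script is an added example, not code from AWS or from this page, that carries steps 4 to 6 through as a declared plan: Identity Center groups (the manual path; SCIM would sync them instead), permission sets with a managed policy and a session duration each, and group-to-account assignments. It checks the plan for consistency before calling the `sso-admin` and `identitystore` APIs, which are passed in as clients so the logic can be exercised without credentials. The instance ARN, identity store id, account ids and group names are constructed placeholders.

```python
"""Added example (not AWS's own code) for steps 4 to 6 above: create Identity Center
groups, permission sets and group-to-account assignments from a declared plan.
The instance ARN, identity store id, account ids and group names are constructed."""
import re

INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-0000000000example"  # constructed
IDENTITY_STORE_ID = "d-0000000example"                             # constructed
PROD_ACCOUNT = "111111111111"                                       # constructed
DEV_ACCOUNT = "222222222222"                                        # constructed

# Permission sets: the AWS managed policy each attaches and how long a session lasts.
# Broad rights get a short session; read-only gets a working-day session.
PERMISSION_SETS = {
    "ReadOnly": {"managed_policy": "arn:aws:iam::aws:policy/ReadOnlyAccess", "session": "PT8H"},
    "Admin": {"managed_policy": "arn:aws:iam::aws:policy/AdministratorAccess", "session": "PT1H"},
}
# Identity Center groups, created here by hand (SCIM provisioning would sync them from the IdP).
GROUPS = ["aws-auditors", "aws-platform-admins"]
# (group, account, permission set): what each group receives in each account.
ASSIGNMENTS = [
    ("aws-auditors", PROD_ACCOUNT, "ReadOnly"),
    ("aws-auditors", DEV_ACCOUNT, "ReadOnly"),
    ("aws-platform-admins", DEV_ACCOUNT, "Admin"),
]

ISO_DURATION = re.compile(r"PT(?:\d+H(?:\d+M)?|\d+M)")  # SessionDuration format, e.g. PT8H


def validate_plan(permission_sets, groups, assignments):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for name, spec in permission_sets.items():
        if not ISO_DURATION.fullmatch(spec["session"]):
            problems.append(f"permission set {name}: bad session duration {spec['session']}")
    for group, account, ps in assignments:
        if group not in groups:
            problems.append(f"assignment references unknown group {group}")
        if ps not in permission_sets:
            problems.append(f"assignment references unknown permission set {ps}")
        if not re.fullmatch(r"\d{12}", account):
            problems.append(f"{account} is not a 12-digit AWS account id")
    for group in groups:  # a group nobody assigned is a sign the plan is incomplete
        if not any(a[0] == group for a in assignments):
            problems.append(f"group {group} has no assignment")
    return problems


def apply_plan(sso_admin, identity_store, permission_sets, groups, assignments):
    """Create everything in dependency order: groups, permission sets, then assignments.
    Takes boto3 'sso-admin' and 'identitystore' clients (or stand-ins with the same
    method names) so the logic can be exercised without AWS credentials."""
    group_ids = {}
    for name in groups:
        resp = identity_store.create_group(IdentityStoreId=IDENTITY_STORE_ID, DisplayName=name)
        group_ids[name] = resp["GroupId"]
    ps_arns = {}
    for name, spec in permission_sets.items():
        resp = sso_admin.create_permission_set(
            InstanceArn=INSTANCE_ARN, Name=name, SessionDuration=spec["session"])
        arn = resp["PermissionSet"]["PermissionSetArn"]
        sso_admin.attach_managed_policy_to_permission_set(
            InstanceArn=INSTANCE_ARN, PermissionSetArn=arn, ManagedPolicyArn=spec["managed_policy"])
        ps_arns[name] = arn
    for group, account, ps in assignments:
        sso_admin.create_account_assignment(
            InstanceArn=INSTANCE_ARN, TargetId=account, TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arns[ps], PrincipalType="GROUP", PrincipalId=group_ids[group])
    return {"groups": group_ids, "permission_sets": ps_arns, "assignments": len(assignments)}


if __name__ == "__main__":
    import boto3  # only needed for a real run against your own Identity Center instance
    problems = validate_plan(PERMISSION_SETS, GROUPS, ASSIGNMENTS)
    if problems:
        raise SystemExit("\n".join(problems))
    print(apply_plan(boto3.client("sso-admin"), boto3.client("identitystore"),
                     PERMISSION_SETS, GROUPS, ASSIGNMENTS))
```

Keeping the plan as data and validating it first means a typo in a group name or account id is caught before any API call is made, and the same plan can be reviewed like any other change to access control.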
Federated Authentication
User authenticates via an external Identity Provider (IdP) (e.g., Azure AD, Okta, Google Workspace) using SAML 2.0 or OIDC.
The IdP verifies the user’s identity and sends authentication information (a SAML assertion or OIDC token) to IAM Identity Center.
IAM Identity Center does NOT directly validate the authentication token. Instead:
For SAML federation, the IdP sends the SAML assertion to IAM Identity Center.
For OIDC federation, IAM Identity Center redirects users to the IdP’s authorization endpoint.
IAM Identity Center accepts the authentication response from the IdP and maps the user to an assigned permission set based on the user’s group or role mappings configured within IAM Identity Center.
IAM Identity Center grants access to AWS accounts and applications based on the permission set assigned.
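As an added illustration of the flow above (example code, not AWS's own logic), the block below accepts a SAML assertion from the IdP, performs the checks a relying party must make on it (issuer, validity window, audience), identifies the user from the NameID, and resolves the permission sets the user holds through group memberships and account assignments held inside Identity Center. The assertion's own group attribute is deliberately not consulted, matching the point that Identity Center maps users through its own groups rather than IdP claims at login. The issuer, audience, assertion, users, groups and assignments are all constructed sample data, and XML signature verification is assumed to be handled by a SAML library before these checks run.

```python
"""Added example (not AWS's code) of the authentication flow: accept a SAML
assertion from the IdP, check the conditions a relying party must check, identify
the user and resolve the permission sets held through Identity Center groups.
Issuer, audience, users, groups and assignments are constructed sample data."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ISSUER = "https://idp.example.com/"              # constructed IdP entity id
EXPECTED_AUDIENCE = "https://example.awsapps.com/start"  # constructed Identity Center audience

# Group membership and account assignments as configured (or SCIM-synced) inside
# IAM Identity Center. The assertion's own group claim is not consulted.
IDC_GROUP_MEMBERS = {
    "aws-auditors": {"alice@example.com", "bob@example.com"},
    "aws-platform-admins": {"bob@example.com"},
}
ACCOUNT_ASSIGNMENTS = {  # (group, account id) -> permission set name
    ("aws-auditors", "111111111111"): "ReadOnly",
    ("aws-auditors", "222222222222"): "ReadOnly",
    ("aws-platform-admins", "222222222222"): "Admin",
}

# Constructed assertion; a real one carries an XML Signature over this content.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://example.awsapps.com/start</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_ts(value):
    """SAML timestamps are UTC in ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now_iso):
    """Return the subject NameID if issuer, validity window and audience are acceptable.
    Signature verification, which must happen before these checks, is left to a
    SAML library and is not shown here."""
    now = parse_ts(now_iso)
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("assertion was issued for a different audience")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    return name_id


def resolve_access(name_id):
    """Map the authenticated user to permission sets per account through the groups
    held in Identity Center; a user in no group gets nothing."""
    groups = {g for g, members in IDC_GROUP_MEMBERS.items() if name_id in members}
    access = {}
    for (group, account), permission_set in ACCOUNT_ASSIGNMENTS.items():
        if group in groups:
            access.setdefault(account, set()).add(permission_set)
    return access


def federated_login(xml_text, now_iso):
    """Whole flow: validate the IdP's response, then derive the access it grants."""
    user = check_assertion(xml_text, now_iso)
    return user, resolve_access(user)


if __name__ == "__main__":
    print(federated_login(SAMPLE_ASSERTION, "2024-05-01T12:00:30Z"))
```

The order of operations is the point: nothing is looked up about the user until the assertion has passed the issuer, time-window and audience checks, and the access granted is a function of Identity Center's own group data rather than of anything the IdP asserted about group membership.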
IAM Identity Center vs. IAM Role-Based Federation
Feature              | Federated Access via IAM Identity Center     | Federated Access via IAM Roles
---------------------|----------------------------------------------|-----------------------------------------------
Management           | Centralized via IAM Identity Center          | Requires setting up IAM roles manually
Authentication       | Supports SAML 2.0 & OIDC via external IdPs   | Supports SAML 2.0 & OIDC via IAM roles
User Management      | No IAM users needed, uses permission sets    | Users assume IAM roles based on federation trust
Multi-Account Access | Yes (AWS Organizations)                      | No (single account or manual setup required)
MFA Enforcement      | Yes                                          | No (handled by IdP)
Best For             | AWS Organizations & centralized SSO          | Single account setups & custom federation