What is Identify federation in AWS?
Identity federation — is a system of trust between two parties for the purpose of authenticating users and conveying the information needed to authorize their access to resources. In this system, an identify provider(IdP) is responsible for user authentication, and a service provider(SP), such as a service or an application, control access to resources. By administrative agreement and configuration, the SP trusts the IdP to authenticate users and relies on the information provided by the IdP about them. After authenticating a user, the IdP sends the SP a message, called an assertion, containing the user’s sign-in name and other attributes that the SP needs to establish a session with the user and to determine the scope of resources accessible that the SP should grant. Federation is a common approach to building access control systems that manage users centrally within a central IdP and govern their access to multiple applications and services acting as SPs.
AWS offers distinct solutions for generating your employees, contractor, and partners(workforce) to AWS accounts and business applications, and for adding federation support to your customer-facing web and mobile applications. AWS supports commonly used open identify standards, including Security Assertion Markup Language 2.0 (SAML 2.0), Open ID Connect(OIDC), and Oauth 2.0.
