What is Identity Federation?


Please note: this course has now been replaced with Using AWS Identity Federation to Simplify Access at Scale, which can be found here.


AWS Identity Federation is the concept of using an external identity source to authenticate users and then permit them access to the AWS Console and AWS resources. It comes in several forms, from cross-account roles to the use of existing directories or SAML identity providers, so that users are authenticated by a source you already trust and then authorized inside AWS.

Intended audience

  • AWS Administrators
  • Security Engineers
  • Security Architects


Prerequisites

  • You should review the Identity and Access Management Course
  • Have an understanding of enterprise identity technology such as Active Directory and LDAP, and of open identity providers such as Google, Facebook, Twitter, or Amazon

Learning Objectives

  • Understand what Identity Federation is as it relates to AWS Console access
  • Demonstrate the ability to set up and use Cross-Account Roles
  • Demonstrate the ability to use Simple AD for authentication with Cross-Account Roles
  • Understand the concepts of SAML and determine how SAML could be used to federate access to the AWS Console

This Course Includes

  • 45 minutes of high-definition video
  • Live demonstration on key course concepts

What You'll Learn

  • Course Intro: What to expect from this course
  • What is Identity Federation?: This lesson defines the purpose and uses of Identity Federation
  • Types of Identity Federation: In this lesson, we’ll discuss the different ways it is used within AWS
  • Identity Federation Demos: In this lesson, we’ll walk through how to set up Cross Account Roles, first using IAM users and then using Simple AD for authentication with Cross Account Roles
  • Course Conclusion: A wrap-up and review of the course

Now back to the course and the question of what Identity Federation is. Identity Federation is a method that uses an existing authentication solution to grant access and authorization to another solution without recreating user IDs or having multiple passwords to remember.

There are several types of authentication and several technologies that can be used to authenticate between independent solutions through a common, centralized authority. Identity Federation comes in many forms, but the objective and function are pretty much the same: use a central directory to maintain user IDs and passwords that can grant access to an independent solution, without having to maintain multiple user stores.

The most common purpose of Identity Federation is to grant or revoke user access to multiple services from a single location. This way, as a user comes and goes from your organization, you do not have to administer that user's accounts and authorizations in every single system in your enterprise. AWS is simply an extension of your enterprise and should be treated as such, so that you can control access to your infrastructure services at AWS from a single federated source. The concept is common, and there are several underlying technologies that can be used to achieve this authorization from a single central location.

What Identity Federation enables is single sign-on, commonly referred to as SSO: user management and user authentication happen against a single identity store, and the authenticated identity determines the level of access that identity will have. With SSO, you can use standard tools to create and manage user IDs. Examples include AWS Simple AD, Microsoft Active Directory, and LDAP directories, a few of the most common directories. On top of these directories sit tools and applications that issue SAML (Security Assertion Markup Language) assertions, which in effect extend Active Directory to the web by providing a layer between the AD server and the internet. That layer speaks SAML 2.0, the open standard for authentication between services, and can act as a broker between multiple services and a single common authentication source.

Now, this part is very important, and it is a key takeaway from this course. AWS Identity Federation connects external users to AWS through an IAM role that is set up to permit access; from that role, the user can do only what the role permits in the AWS account. The external identity provider authenticates the user. The IAM role in the AWS account authorizes the user to perform operations against that account's resources. There are two distinct phases: authentication against the SSO source, and authorization provided by the AWS Identity and Access Management role assigned to that user.
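The two-phase split described above, in working form as an added example (this is not code from the course): Python that builds the trust policies defining the authentication phase (who the role trusts: principals in another account for a cross-account role, or a SAML provider for federation), the separate permissions policy defining the authorization phase, and a review check for the trust-policy mistakes a reviewer looks for before deploying. The account IDs, the role and bucket names, and the CorpADFS provider name are made-up placeholders; the STS actions and the SAML:aud audience value are the real AWS values.

```python
"""Added example, not from the course: IAM policy documents that keep
authentication (trust policy: who may assume the role) separate from
authorization (permissions policy: what the role may then do).
Account IDs, names and ARNs below are made-up placeholders."""
import json

# Hypothetical identifiers used throughout this example.
WORKLOAD_ACCOUNT = "111111111111"   # account that owns the role and the resources
IDENTITY_ACCOUNT = "222222222222"   # account whose IAM/Simple AD users sign in
SAML_PROVIDER_ARN = f"arn:aws:iam::{WORKLOAD_ACCOUNT}:saml-provider/CorpADFS"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"   # real AWS value


def cross_account_trust_policy(trusted_account: str, require_mfa: bool = True) -> dict:
    """Authentication phase for a cross-account role: only principals of the
    identity account may call sts:AssumeRole, and (by default) only with MFA."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def saml_trust_policy(provider_arn: str) -> dict:
    """Authentication phase for SAML federation: the external IdP authenticates
    the user; AWS only checks that the assertion targets the AWS sign-in audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def permissions_policy() -> dict:
    """Authorization phase: what the role may do once assumed. Deliberately
    independent of who authenticated; the bucket name is a placeholder."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
        }],
    }


def trust_policy_findings(policy: dict) -> list:
    """Review checks for a trust policy: wildcard principals, SAML statements
    without an audience restriction, and cross-account statements without MFA."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond_text = json.dumps(stmt.get("Condition", {}))
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any AWS principal")
        if "sts:AssumeRoleWithSAML" in actions and "SAML:aud" not in cond_text:
            findings.append("SAML statement lacks SAML:aud condition")
        if "sts:AssumeRole" in actions and "aws:MultiFactorAuthPresent" not in cond_text:
            findings.append("cross-account statement does not require MFA")
    return findings


def assumed_role_arn(account: str, role_name: str, session_name: str) -> str:
    """Principal ARN that CloudTrail records for a federated session: it names
    the role and session, not the directory user, which is why the role is
    where authorization is decided."""
    return f"arn:aws:sts::{account}:assumed-role/{role_name}/{session_name}"


if __name__ == "__main__":
    for name, doc in (("cross-account trust", cross_account_trust_policy(IDENTITY_ACCOUNT)),
                      ("SAML trust", saml_trust_policy(SAML_PROVIDER_ARN)),
                      ("permissions", permissions_policy())):
        print(f"--- {name} ---")
        print(json.dumps(doc, indent=2))
        print("findings:", trust_policy_findings(doc))
    print(assumed_role_arn(WORKLOAD_ACCOUNT, "ReadReports", "alice@example.com"))
```

Attach the trust policy to the role at creation (the trust policy is the role's AssumeRolePolicyDocument) and the permissions policy as an inline or managed policy; the review function is the check to run on any trust policy pulled back from an account, because a missing SAML:aud condition or a wildcard principal silently widens who can reach the authorization phase.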


About the Author

Tom is an active AWS consultant who has been creating and deploying AWS solutions for over five years. He has worked on numerous projects, from small lean startups on a tight budget to massive commercial enterprises with large-scale budgets and large-scale requirements that must be met no matter the cost. Tom has worked for several United States government agencies, taking them to the cloud by migrating solutions from on-premises data centers to the AWS cloud in a secure manner while reducing their overall cost to operate and maintain the solution.

Personally Tom spends his available time riding his bicycle, sampling a good wine or two, enjoying a good meal and watching Formula One races.