AWS Security Academy · Lesson

SAML, OIDC, and Web Identity Federation

Connect external identity providers and app logins to AWS.

What Federation Means

Federation lets identities defined outside AWS sign in and receive AWS permissions without ever having an IAM user.

An external identity provider (IdP) vouches for the user, and AWS trusts that assertion to issue temporary credentials. This avoids duplicating accounts and keeps the source of truth in your existing directory.

SAML 2.0 Federation

SAML (Security Assertion Markup Language) 2.0 is the classic standard for enterprise federation.

  • You register the IdP in IAM as a SAML identity provider.
  • The IdP sends a signed assertion after the user logs in.
  • The client presents the assertion to STS, which exchanges it for temporary credentials for an IAM role the assertion names.

It is common with Active Directory Federation Services and similar corporate IdPs.
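The three steps above, worked through in code. This is an added example, not code from the course or from AWS: it parses a constructed SAML response (the account id 123456789012, the role and provider names, and the IdP host are placeholders) to pull out the Role and RoleSessionName attributes that STS reads, and assembles the parameters for boto3's assume_role_with_saml call without making the network call. The signature and audience checks that STS performs against the IdP metadata you registered are not replicated here; only the audience value is read back for illustration.

```python
"""Parse the AWS role mapping out of a SAML 2.0 response.

Added example for this lesson, not AWS or course code. SAMPLE_RESPONSE is
constructed (placeholder account id, names and host); the ds:Signature
element is omitted because STS, not this code, verifies it.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed sample response; values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:Issuer>https://idp.example.com/adfs/services/trust</saml2:Issuer>
    <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>https://signin.aws.amazon.com/saml</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml2:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/CorpADFS</saml2:AttributeValue>
        <saml2:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpADFS,arn:aws:iam::123456789012:role/Admin</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</samlp:Response>"""


def _root(xml_text):
    # ElementTree is adequate for a constructed sample; for XML received from
    # outside your trust boundary, prefer defusedxml to block entity expansion.
    return ET.fromstring(xml_text)


def _attribute_values(root, name):
    for attr in root.iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS) if v.text]
    return []


def parse_role_pairs(xml_text):
    """Return (role_arn, provider_arn) tuples from the Role attribute.
    AWS accepts either order inside the comma-separated value, so the pair
    is normalised on the ':saml-provider/' and ':role/' markers."""
    pairs = []
    for value in _attribute_values(_root(xml_text), ROLE_ATTR):
        parts = [p.strip() for p in value.split(",")]
        providers = [p for p in parts if ":saml-provider/" in p]
        roles = [p for p in parts if ":role/" in p]
        if len(parts) != 2 or len(providers) != 1 or len(roles) != 1:
            raise ValueError(f"Role value must pair one role with one provider: {value!r}")
        pairs.append((roles[0], providers[0]))
    return pairs


def parse_session_name(xml_text):
    """RoleSessionName becomes the session name visible in CloudTrail."""
    values = _attribute_values(_root(xml_text), SESSION_NAME_ATTR)
    return values[0] if values else None


def audience_ok(xml_text):
    """True if the assertion is scoped to the AWS sign-in audience."""
    audiences = [a.text.strip() for a in _root(xml_text).iterfind(".//saml2:Audience", NS) if a.text]
    return AWS_SAML_AUDIENCE in audiences


def build_assume_role_request(xml_text, role_arn, duration_seconds=3600):
    """Build the kwargs for boto3's sts.assume_role_with_saml(**kwargs).
    The requested role must be one the IdP asserted; STS enforces the same
    rule, so failing early here mirrors the server-side check."""
    for role, provider in parse_role_pairs(xml_text):
        if role == role_arn:
            return {
                "RoleArn": role,
                "PrincipalArn": provider,
                "SAMLAssertion": base64.b64encode(xml_text.encode()).decode(),
                "DurationSeconds": duration_seconds,
            }
    raise ValueError(f"{role_arn} is not in the assertion's Role attribute")


if __name__ == "__main__":
    for role, provider in parse_role_pairs(SAMPLE_RESPONSE):
        print(f"{role}  via  {provider}")
    print("session name:", parse_session_name(SAMPLE_RESPONSE), "audience ok:", audience_ok(SAMPLE_RESPONSE))
    req = build_assume_role_request(SAMPLE_RESPONSE, "arn:aws:iam::123456789012:role/ReadOnly")
    # With real credentials: boto3.client("sts").assume_role_with_saml(**req)
    print({k: v for k, v in req.items() if k != "SAMLAssertion"})
```

The point to notice is that the role a user can assume is decided by what the IdP puts in the Role attribute, not by anything the client asks for: a request naming a role absent from the assertion fails here for the same reason STS would reject it, which is why IdP attribute mapping is the control that matters when reviewing a SAML federation setup.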
