{"id":2998,"date":"2019-03-07T22:39:49","date_gmt":"2019-03-07T21:39:49","guid":{"rendered":"http:\/\/miro.borodziuk.eu\/?p=2998"},"modified":"2019-09-02T23:29:43","modified_gmt":"2019-09-02T21:29:43","slug":"identity-federation","status":"publish","type":"post","link":"http:\/\/miro.borodziuk.eu\/index.php\/2019\/03\/07\/identity-federation\/","title":{"rendered":"Identity Federation"},"content":{"rendered":"<p><span style=\"color: #3366ff;\">Identity federation<\/span> (<strong>IDF<\/strong>) is an architecture where identities of an external <strong>identity provider<\/strong> (<strong>IDP<\/strong>) are recognized. <strong>Single sign-on<\/strong> (SSO) is where the credentials of an external identity are used to allow access to a local system (e.g., AWS).<\/p>\n<p><!--more--><\/p>\n<p>Types of IDF include:<\/p>\n<ul>\n<li><strong>Cross-account<\/strong> roles: A remote account (IDP) is allowed to assume a role and access your account&#8217;s resources.<\/li>\n<li><strong>SAML<\/strong> 2.0 IDF: An on-premises or AWS-hosted directory service instance is configured to allow Active Directory users to log in to the AWS console.<\/li>\n<li><strong>Web Identity Federation<\/strong>: IDPs such as Google, Amazon, and Facebook are allowed to assume roles and access resources in your account.<\/li>\n<\/ul>\n<p>Cognito and the Security Token Service (STS) are used for IDF. 
A federated identity is verified by an external IDP; by proving that identity (with a token or assertion of some kind), the user is allowed to swap it for temporary AWS credentials by assuming a role.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2996 aligncenter\" src=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/SAML.jpg\" alt=\"\" width=\"601\" height=\"765\" srcset=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/SAML.jpg 601w, http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/SAML-236x300.jpg 236w\" sizes=\"(max-width: 601px) 100vw, 601px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2997 aligncenter\" src=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/WIF.jpg\" alt=\"\" width=\"606\" height=\"756\" srcset=\"http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/WIF.jpg 606w, http:\/\/miro.borodziuk.eu\/wp-content\/uploads\/WIF-240x300.jpg 240w\" sizes=\"(max-width: 606px) 100vw, 606px\" \/><\/p>\n<p><strong>Federation:<\/strong> Providing a non-AWS user temporary AWS access by linking that user&#8217;s identity across multiple identity systems<\/p>\n<p>Federation with Third-Party Providers:<\/p>\n<ul>\n<li>Most commonly used in web and mobile applications<\/li>\n<li>Amazon Cognito allows for creation of unique identities for users<\/li>\n<li>Uses identity providers (Facebook, Google, Amazon, etc.) to federate them<\/li>\n<\/ul>\n<p>Establishing Single Sign-On (SSO) Using SAML 2.0:<\/p>\n<ul>\n<li>Most commonly used in enterprise environments with an existing directory system (Active Directory, etc.)<\/li>\n<li>Federated users can access AWS resources using their corporate domain accounts<\/li>\n<li>Federation also aids user management by allowing central management of accounts<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Identity federation (IDF) is an architecture where identities of an external identity provider (IDP) are 
recognized. Single sign-on (SSO) is where the credentials of an external identity are used to allow access to a local system (e.g., AWS).<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[74],"tags":[],"_links":{"self":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2998"}],"collection":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/comments?post=2998"}],"version-history":[{"count":3,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2998\/revisions"}],"predecessor-version":[{"id":3001,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/2998\/revisions\/3001"}],"wp:attachment":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media?parent=2998"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/categories?post=2998"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/tags?post=2998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}