Concepts
Federation refers to the process of linking a user’s identity across multiple systems and providers, which enables users to access services using the same credentials. This not only streamlines the user experience but also enhances security by centralizing the management of identities. Key technologies that enable identity federation include Security Assertion Markup Language (SAML), OpenID Connect (OIDC), and Amazon Cognito.
Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML) is an open standard that allows identity providers to pass authorization credentials to service providers. With SAML, users can authenticate once with their identity provider and then access multiple services without additional logins.
AWS and SAML:
AWS supports SAML 2.0, enabling federated Single Sign-On (SSO). This means that developers can configure their AWS accounts to trust a SAML identity provider (IdP), allowing users to access the AWS Management Console or call AWS APIs without AWS-specific credentials.
Example SAML Assertion:
<saml:Assertion …>
<saml:Subject>
<saml:NameID>john.doe@example.com</saml:NameID>
</saml:Subject>
…
<saml:AttributeStatement>
<saml:Attribute Name=”Role” …>
<saml:AttributeValue>arn:aws:iam::123456789012:role/Developer</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
The above snippet is an example of a SAML assertion where a user with the identifier ‘john.doe@example.com’ is granted a specific role within AWS.
OpenID Connect (OIDC)
OpenID Connect is another open standard like SAML but is built on top of the OAuth 2.0 protocol. It enables clients, such as web apps, to verify the identity of the user and to obtain basic profile information.
AWS and OIDC:
In AWS, an OIDC identity provider can be used to grant an IAM role to an identity so that they can make calls to AWS services. This is especially relevant when creating serverless applications with Amazon API Gateway or when deploying containerized applications that might need to access AWS resources.
Example OIDC Identity Token:
{
“sub”: “248289761001”,
“name”: “Jane Doe”,
“given_name”: “Jane”,
“family_name”: “Doe”,
“preferred_username”: “j.doe”,
“email”: “janedoe@example.com”,
…
}
The JSON object above represents a token that might be provided by an OIDC provider, containing user identity information including the email and username.
Amazon Cognito
Amazon Cognito is an AWS service that provides authentication, authorization, and user management for web and mobile applications. With Cognito, developers can create their own user directories (user pools), integrate with social and enterprise identity providers, and manage secure access to AWS resources.
Using Amazon Cognito with Federated Identities:
Cognito federated identities enable developers to create unique identities for users and federate them with identity providers, including Amazon, Facebook, Google, SAML-based providers, and even custom built-in user pools.
Example of Cognito User Pool Identity Provider Configuration:
{
“ProviderName”: “MySAMLProvider”,
“ProviderDetails”: {
“MetadataURL”: “https://idp.example.com/metadata”,
“IDPSignout”: “true”,
},
“AttributeMapping”: {
“email”: “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”,
“username”: “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier”
}
}
Comparison Table
Here is a comparative look at some key attributes of SAML, OIDC, and Amazon Cognito:
| Feature/Technology | SAML | OIDC | Amazon Cognito |
|---|---|---|---|
| Protocol/Standard | SAML 2.0 | OAuth 2.0, OIDC | Custom, OAuth 2.0, OIDC, SAML |
| Use Case | Web SSO | Identity layer on top of OAuth 2.0 | User Authentication, Federation & User Management |
| AWS Services Integration | AWS IAM | AWS IAM | AWS IAM, AppSync, API Gateway, etc. |
| Identity Providers | Various IdPs | Various IdPs | Amazon, Google, Facebook, SAML, User Pools |
| Mobile and Web Application | Less common | Widely used | Specifically designed for |
Identity federation is a key component in the AWS Certified Developer – Associate exam and understanding how to implement it using technologies such as SAML, OIDC, and Amazon Cognito is crucial. Each technology has its use cases and advantages, and often in an AWS environment, they are used in combination to provide a comprehensive identity solution for both users and developers.
Answer the Questions in Comment Section
True or False: SAML is used for exchanging authentication and authorization data between parties, specifically between an identity provider and a service provider.
- True
- False
Answer: True
Explanation: SAML (Security Assertion Markup Language) is an open standard that allows identity providers to pass authorization credentials to service providers.
Which of the following protocols allow for identity federation? (Select TWO)
- SMTP
- OpenID Connect
- FTP
- SAML
Answer: OpenID Connect, SAML
Explanation: OpenID Connect (OIDC) and SAML are both standards for identity federation, allowing secure authentication and sharing of identity information across different systems.
What AWS service provides identity federation with SAML 0?
- AWS IAM
- Amazon Cognito
- AWS Directory Service
- AWS SSO
Answer: AWS SSO
Explanation: AWS Single Sign-On (SSO) supports identity federation with SAML 0, enabling users to access AWS accounts and applications with a single set of credentials.
True or False: Amazon Cognito supports federation through social identity providers such as Google, Facebook, and Amazon.
- True
- False
Answer: True
Explanation: Amazon Cognito allows users to sign in through social identity providers like Google, Facebook, and Amazon, as well as through SAML and OIDC.
Which of the following is NOT a functionality of Amazon Cognito?
- User directory management
- Data synchronization across devices
- Running relational database services
- User authentication
Answer: Running relational database services
Explanation: Amazon Cognito provides user directory management, data synchronization, and user authentication but does not run relational database services.
True or False: Identity federation helps mitigate the risk of storing multiple usernames and passwords.
- True
- False
Answer: True
Explanation: Identity federation allows users to access multiple systems or applications using one set of credentials, reducing the need to store and manage multiple usernames and passwords.
In which scenario is it most appropriate to use Amazon Cognito?
- To increase your compute capacity in AWS
- To manage user authentication and authorization for your mobile or web applications
- To reduce your storage costs in AWS
- To optimize your AWS network infrastructure
Answer: To manage user authentication and authorization for your mobile or web applications
Explanation: Amazon Cognito is used for managing user authentication and authorization, making it suitable for mobile and web applications’ user management.
Which AWS service integrates with Directory Services for SAML 0 federation?
- AWS Lambda
- AWS IAM
- Amazon EC2
- AWS SSO
Answer: AWS SSO
Explanation: AWS SSO can be integrated with AWS Directory Services to establish SAML 0 federation for users.
True or False: OpenID Connect is based on OAuth
- True
- False
Answer: True
Explanation: OpenID Connect is an authentication layer on top of OAuth 0, an authorization framework that allows third-party services to perform actions on behalf of a user.
Amazon Cognito User Pools serve as:
- A managed database service to run SQL queries
- A virtual place to store files and data
- A user directory to manage app users and user sign-up and sign-in
- An email delivery service
Answer: A user directory to manage app users and user sign-up and sign-in
Explanation: Cognito User Pools serve as a user directory that provides sign-up and sign-in options for application users.
True or False: Using Cognito User Pools, an application can authenticate users directly to a user pool without going through an identity provider.
- True
- False
Answer: True
Explanation: Cognito User Pools allow for direct user authentication without the need for an external identity provider.
Which feature of OIDC allows access to user information via a simple RESTful HTTP request?
- Discovery documents
- Userinfo endpoint
- JSON Web Token (JWT)
- Access tokens
Answer: Userinfo endpoint
Explanation: The Userinfo endpoint in OIDC can be queried using a simple HTTP request to obtain claims about a user, typically after the user has authenticated.
Great post on identity federation and AWS! Really helped me understand the differences between SAML and OIDC.
Thanks for the detailed explanation on Amazon Cognito. It’s clearer now how it simplifies user authentication.
How would you handle SAML assertions in a microservices architecture?
I’m confused about the role of Amazon Cognito in the context of OIDC. Can somebody explain?
How scalable is SAML compared to OIDC?
Excellent guide! Helped me pass the ‘Identity’ section of my AWS Certified Developer – Associate exam.
Can AWS use both SAML and OIDC simultaneously?
I think the examples could be clearer.