Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
3.4.1.2. Identity Federation Techniques (IAM Identity Providers, AWS SSO/IAM Identity Center)
Federation removes the need for IAM users for human identities: users authenticate with their corporate credentials and receive temporary AWS credentials instead of long-lived access keys.
| Method | Protocol | Use Case |
|---|---|---|
| IAM Identity Center (SSO) | SAML 2.0 / OIDC | Central access to multiple accounts |
| SAML 2.0 federation | SAML | Direct federation with AD/ADFS |
| OIDC federation | OpenID Connect | Web/mobile via Cognito |
| Custom identity broker | STS API | When SAML/OIDC unavailable |
IAM Identity Center (recommended):
- Single sign-on portal for all AWS accounts
- Permission sets define access per account
- Integrates with Active Directory, Okta, Azure AD
```bash
# Create a permission set with an 8-hour session (ISO 8601 duration; service maximum is PT12H)
aws sso-admin create-permission-set \
  --instance-arn "arn:aws:sso:::instance/ssoins-1234" \
  --name "DeveloperAccess" --session-duration "PT8H"

# Attach a managed policy; the permission-set ARN is returned by the create call above
aws sso-admin attach-managed-policy-to-permission-set \
  --instance-arn "arn:aws:sso:::instance/ssoins-1234" \
  --permission-set-arn "arn:aws:sso:::permissionSet/ssoins-1234/ps-5678" \
  --managed-policy-arn "arn:aws:iam::aws:policy/PowerUserAccess"
```
SAML flow: User → Corporate IdP (authenticate) → SAML assertion → STS AssumeRoleWithSAML → Temporary credentials → AWS access.
Exam Trap: IAM Identity Center permission sets create IAM roles in each target account. Session duration is controlled by the permission set (max 12 hours), not the IAM role's max session duration. If the exam asks about extending SSO session time, modify the permission set, not the role.
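A defender-side check on the session-duration point above, added here as an example (not code from the course or from AWS): it parses the ISO 8601 SessionDuration that describe-permission-set returns and flags permission sets that exceed an internal limit or the 12-hour service cap. The SAMPLE records and the 4-hour organisational limit are constructed assumptions.

```python
"""Audit IAM Identity Center permission-set session durations (added example)."""
import re
from dataclasses import dataclass

# The service caps a permission set's SessionDuration at 12 hours (PT12H).
IDENTITY_CENTER_MAX_SECONDS = 12 * 3600

_ISO_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def iso8601_duration_seconds(value: str) -> int:
    """Convert an ISO 8601 duration such as 'PT8H' or 'PT1H30M' to seconds."""
    m = _ISO_DURATION.match(value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported ISO 8601 duration: {value!r}")
    d, h, mi, s = (int(m.group(k) or 0) for k in ("d", "h", "m", "s"))
    return d * 86400 + h * 3600 + mi * 60 + s


@dataclass
class Finding:
    name: str
    seconds: int
    reason: str


def audit_permission_sets(responses, org_max_hours: float):
    """Flag permission sets whose session exceeds the org limit or the 12h cap.

    `responses` is an iterable shaped like describe-permission-set output:
    {"PermissionSet": {"Name": ..., "SessionDuration": ...}}.
    A missing SessionDuration means the service default of one hour."""
    findings, limit = [], int(org_max_hours * 3600)
    for resp in responses:
        ps = resp["PermissionSet"]
        seconds = iso8601_duration_seconds(ps.get("SessionDuration", "PT1H"))
        if seconds > IDENTITY_CENTER_MAX_SECONDS:
            findings.append(Finding(ps["Name"], seconds, "exceeds service maximum PT12H"))
        elif seconds > limit:
            findings.append(Finding(ps["Name"], seconds, f"exceeds org limit {org_max_hours}h"))
    return findings


# Constructed sample records; real input comes from `aws sso-admin describe-permission-set`
SAMPLE = [
    {"PermissionSet": {"Name": "DeveloperAccess", "SessionDuration": "PT8H"}},
    {"PermissionSet": {"Name": "ReadOnly"}},
    {"PermissionSet": {"Name": "BreakGlassAdmin", "SessionDuration": "PT12H"}},
]

if __name__ == "__main__":
    for f in audit_permission_sets(SAMPLE, org_max_hours=4):
        print(f"{f.name}: {f.seconds // 3600}h ({f.reason})")
```

Because the session length lives on the permission set and not on the provisioned IAM role, this is the object to audit (and to change) when reviewing SSO session policy.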

Written by Alvin Varughese, Founder, 15 professional certifications