2.1.3. Federation and Single Sign-On (SSO)
First Principle: Federation and Single Sign-On (SSO) enable secure AWS login using existing corporate identities, centralizing identity management, simplifying access, and enhancing security posture across multiple accounts.
Managing distinct identities across various systems (especially in large enterprises with multiple AWS accounts) introduces complexity and security risks. Federation and SSO simplify this by allowing users to use their existing corporate credentials to access AWS.
Key Concepts of Federation and SSO:
- Federation:
  - Concept: Allows users to use credentials from an external identity system (identity provider - IdP) to access AWS.
  - Mechanism: When a user authenticates with their IdP, they receive an assertion (e.g., SAML 2.0) that AWS Security Token Service (STS) uses to issue temporary AWS credentials associated with an IAM role.
  - Benefits: No need to create separate IAM users in AWS for every employee, reduces credential sprawl, leverages existing enterprise security policies.
- Single Sign-On (SSO):
  - Concept: Allows users to log in once and gain access to multiple independent software systems without being prompted to log in again.
  - AWS IAM Identity Center (SSO): A fully managed service that helps you centrally manage access to multiple AWS accounts and business applications from a single sign-on portal.
  - Benefits: Simplifies user experience, streamlines multi-account governance, improves security by enforcing MFA and centralizing access control.
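Added example, not from the original page: a Python routine that applies the checks a SAML-federated AWS login depends on before STS is asked for temporary credentials (validity window, audience, and Role attribute values that pair an IAM role with the SAML provider registered in IAM). The assertion, account id, provider name and audience value are constructed placeholders; the two attribute names are the AWS-documented ones, and signature verification is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # AWS-documented attribute names
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample assertion: unsigned, placeholder account id, provider and audience.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111122223333:role/ReadOnly,arn:aws:iam::111122223333:saml-provider/CorpAD</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::111122223333:role/Admin,arn:aws:iam::111122223333:saml-provider/CorpAD</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(iso):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def _attr_values(root, name):  # every AttributeValue text under the named attribute
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    return []

def validate_assertion(xml_text, now_iso, expected_audience, trusted_provider_arn):
    """Apply the pre-STS checks; return (session_name, [role_arn, ...]) or raise ValueError."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")  # stale or replayed
    if expected_audience not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        raise ValueError("assertion was not issued for this service provider")
    roles = []
    for value in _attr_values(root, ROLE_ATTR):
        role_arn, provider_arn = (part.strip() for part in value.split(","))
        if provider_arn != trusted_provider_arn:  # role must be tied to our own IdP
            raise ValueError(f"role pair names an untrusted provider: {provider_arn}")
        roles.append(role_arn)
    session = _attr_values(root, SESSION_ATTR)
    if not roles or not session:
        raise ValueError("missing Role or RoleSessionName attribute")
    return session[0], roles
```

The returned role list is what a login portal would offer the user to choose from; the chosen role ARN and provider ARN are then passed to STS together with the assertion.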
Scenario: A large enterprise needs to allow its employees to access multiple AWS accounts and various SaaS applications (e.g., Salesforce) using their existing on-premises Active Directory credentials. They want a unified login experience and centralized access management.
Reflection Question: How do federation and Single Sign-On (SSO) (e.g., using AWS IAM Identity Center) fundamentally enable secure AWS login using existing corporate identities, centralizing identity management, simplifying access, and enhancing the overall security posture across multiple accounts?