
AWS Identity Federation: When to Choose SAML, OIDC, or Cognito

Compare AWS Identity Federation methods including SAML 2.0, OIDC, and Cognito, and learn optimal selection criteria for each scenario.

Author: PHILOLAMB. Updated: January 31, 2026
Tags: Identity Federation, SAML, OIDC, Cognito, STS

Related Exam Domains

  • Domain 1: Design Secure Architectures

Key Takeaway

Identity Federation allows access to AWS resources using external credentials (enterprise AD, social logins, etc.). For enterprise IdP (Active Directory), use SAML 2.0; for mobile/web app social logins, use Cognito; for multi-account SSO, use IAM Identity Center.

Exam Tip

Exam Essential: "Enterprise AD → SAML 2.0", "Mobile/Web social login → Cognito", "Multi AWS account SSO → IAM Identity Center"

What is Identity Federation?

A mechanism that lets users authenticated by external Identity Providers (IdPs) access AWS resources without a separate IAM user for each of them.

Traditional Approach (Not Recommended):
Create IAM user for each external user → Credential management burden

Federation Approach (Recommended):
External IdP authentication → STS temporary credentials issued → Access AWS resources

Why Use Federation?

| Reason                | Description                                            |
|-----------------------|--------------------------------------------------------|
| Enhanced Security     | No need for IAM users or long-term credentials         |
| Central Management    | Manage users in the existing IdP (AD, Okta, etc.)      |
| Temporary Credentials | Time-limited tokens issued via STS                     |
| Compliance            | Consistent application of enterprise security policies |

Federation Types Comparison

| Type                   | Protocol  | Use Case                              | STS API                         |
|------------------------|-----------|---------------------------------------|---------------------------------|
| SAML 2.0               | SAML      | Enterprise IdP (AD) → AWS Console/API | AssumeRoleWithSAML              |
| Web Identity (OIDC)    | OIDC      | Mobile/Web app social login           | AssumeRoleWithWebIdentity       |
| Cognito                | OIDC/SAML | Mobile/Web apps (Recommended)         | Cognito SDK                     |
| Custom Identity Broker | Custom    | Non-SAML IdPs                         | AssumeRole / GetFederationToken |

SAML 2.0 Federation

Integrate AWS with enterprise Active Directory, Okta, ADFS, and other IdPs that support SAML 2.0.

How It Works

[User] → [Enterprise IdP (AD/ADFS)]
              │
              │  Issues SAML Assertion
              ▼
         [AWS STS]
              │  AssumeRoleWithSAML
              │  Returns temporary credentials
              ▼
         [Access AWS Resources]

AWS Console SSO Flow

1. User → Login to enterprise IdP portal
2. IdP → Creates SAML Assertion
3. Browser → Sends Assertion to AWS SSO endpoint
4. STS → AssumeRoleWithSAML → Temporary credentials
5. Redirect to AWS Console (login complete)

Configuration Components

| Component             | Description                                                        |
|-----------------------|--------------------------------------------------------------------|
| IAM Identity Provider | Register the SAML IdP metadata                                     |
| IAM Role              | Role for federation (the trust policy names the SAML provider)     |
| IdP Configuration     | Register AWS as a service provider                                 |
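As an added example (not part of the original post), the role-selection step a SAML client performs ahead of step 4 of the console flow: check the assertion's audience, extract the role/provider ARN pairs from the AWS Role attribute, and build the AssumeRoleWithSAML parameters. The assertion, the account ID 123456789012 and the ARNs are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET  # for untrusted assertions use defusedxml instead

# Attribute name and audience that AWS expects in a SAML assertion.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed sample assertion (placeholder account ID and ARNs; the XML signature is
# omitted here, STS validates it against the IdP metadata registered in IAM).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Admins,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_roles(assertion_xml):
    """Return {role_arn: provider_arn} offered by the assertion (AWS accepts either order)."""
    root = ET.fromstring(assertion_xml)
    if root.findtext(".//saml:Audience", namespaces=NS) != AWS_AUDIENCE:
        raise ValueError("assertion is not addressed to AWS sign-in")
    roles = {}
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            first, second = (s.strip() for s in value.text.split(","))
            role, provider = (first, second) if ":role/" in first else (second, first)
            # ARN field 4 is the account ID: role and provider must be in the same account.
            if role.split(":")[4] != provider.split(":")[4]:
                raise ValueError("role and SAML provider belong to different accounts")
            roles[role] = provider
    return roles

def assume_role_with_saml_params(assertion_xml, chosen_role):
    """Parameters for sts.assume_role_with_saml(); the assertion travels base64-encoded."""
    roles = parse_roles(assertion_xml)
    if chosen_role not in roles:
        raise ValueError("requested role was not offered by the IdP")
    return {"RoleArn": chosen_role, "PrincipalArn": roles[chosen_role],
            "SAMLAssertion": base64.b64encode(assertion_xml.encode()).decode()}
```

The returned dictionary is what step 4 passes to STS; when the IdP offers several roles, the client (the console's role chooser, or a CLI helper) lets the user pick one before the call.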

Exam Tip

SAML 2.0 Federation Keywords: "Enterprise Active Directory", "On-premises IdP", "AWS Console SSO", "ADFS" → Choose SAML 2.0

Web Identity Federation (OIDC)

Allow users authenticated by Google, Facebook, Amazon and other OIDC (OpenID Connect) providers to access AWS.

How It Works

[Mobile App] → [Social IdP (Google/Facebook)]
                    │
                    │  Issues ID Token (OIDC)
                    ▼
               [AWS STS]
                    │  AssumeRoleWithWebIdentity
                    │  Returns temporary credentials
                    ▼
               [S3, DynamoDB, etc.]

Direct Use vs Cognito

| Aspect                | Direct STS Call           | Cognito (Recommended)        |
|-----------------------|---------------------------|------------------------------|
| API                   | AssumeRoleWithWebIdentity | Cognito SDK                  |
| IdP Management        | Handled directly          | Cognito mediates             |
| Anonymous Access      | Not possible              | Possible (Unauthenticated)   |
| Multi-IdP Integration | Complex                   | Simple                       |

Exam Tip

AWS Recommendation: For Web Identity Federation, use Amazon Cognito instead of calling STS directly.

Federation with Amazon Cognito

Cognito Components

┌───────────────────────────────────────────────┐
│                Amazon Cognito                 │
│                                               │
│  ┌─────────────┐   ┌───────────────────────┐  │
│  │ User Pool   │   │ Identity Pool         │  │
│  │ (AuthN)     │   │ (AuthZ)               │  │
│  │             │   │                       │  │
│  │ - Sign-up   │   │ - IAM role mapping    │  │
│  │ - Login     │   │ - Temp credentials    │  │
│  │ - JWT issue │   │ - Auth/Unauth roles   │  │
│  └─────────────┘   └───────────────────────┘  │
└───────────────────────────────────────────────┘

User Pool vs Identity Pool

| Aspect          | User Pool              | Identity Pool               |
|-----------------|------------------------|-----------------------------|
| Role            | Authentication         | Authorization               |
| Result          | JWT token issuance     | AWS temporary credentials   |
| IdP Integration | Google, Facebook, SAML | User Pool, Social IdPs      |
| Use Case        | Login/Signup           | Direct AWS resource access  |

Complete Flow

1. User → Login to Cognito User Pool (or Social IdP)
2. User Pool → Issues JWT token
3. JWT → Passed to Cognito Identity Pool
4. Identity Pool → Exchanges for temporary AWS credentials from STS
5. User → Direct access to S3, DynamoDB, etc.
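An added example (not from the original post) of the checks a backend should make on the User Pool ID token from step 2 before trusting it, after the signature has been verified against the pool's JWKS: issuer, token_use, audience and expiry. The region, pool ID, app client ID and claims are constructed placeholders, and the sample token carries a placeholder signature, so the block exercises only the claim checks.

```python
import base64
import json
import time

# Constructed placeholders for the pool this backend trusts.
REGION, USER_POOL_ID, APP_CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE", "example-app-client-id"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims):
    """Constructed User Pool-style JWT: header.claims.<placeholder signature>. Real tokens are
    RS256-signed; verify the signature with the pool's JWKS before trusting any claim."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "placeholder-kid"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"

def decode_payload(token):
    """Decode only the claims segment. This does NOT verify the signature."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_id_token_claims(claims, now=None):
    """Relying-party checks after signature verification: the issuer is our User Pool, this is
    an ID token (not an access token), it was issued for our app client, and it is unexpired.
    Returns the subject (the Cognito user ID) on success."""
    now = time.time() if now is None else now
    expected_iss = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer is not our User Pool")
    if claims.get("token_use") != "id":
        raise ValueError("expected an ID token; access tokens carry client_id instead of aud")
    if claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("token was issued for a different app client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token has expired")
    return claims["sub"]

# Constructed sample claims shaped like a Cognito ID token.
SAMPLE_CLAIMS = {
    "iss": f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}",
    "sub": "11111111-2222-3333-4444-555555555555", "aud": APP_CLIENT_ID,
    "token_use": "id", "email": "alice@example.com", "iat": 1700000000, "exp": 1700003600,
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)
```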

Exam Tip

User Pool = Authentication (Login), Identity Pool = AWS credential issuance. This distinction is frequently tested on exams.

Custom Identity Broker

Used with legacy IdPs that do not support SAML 2.0: you build a broker that authenticates users against the legacy IdP and then calls STS on their behalf.

[User] → [Legacy IdP]
               │
               ▼
      [Custom Identity Broker]  ← Develop yourself
               │
               │  Call AssumeRole or
               │  GetFederationToken
               ▼
          [AWS STS] → Returns temporary credentials

| STS API            | Purpose                                          |
|--------------------|--------------------------------------------------|
| AssumeRole         | Temporary credentials for a specific IAM role    |
| GetFederationToken | Temporary credentials based on a custom policy   |
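An added example (not part of the original post) of what the broker itself is responsible for: once the legacy IdP has authenticated the user, it validates the session name and duration against the STS limits of the chosen API (the 12 h and 36 h maximums the FAQ mentions) and attaches a session policy scoped to the user's groups. The group-to-prefix mapping, bucket and role ARN are constructed placeholders; the result is the keyword dictionary you would pass to boto3's assume_role() or get_federation_token().

```python
import json
import re

# Per-API limits from the STS API reference: session name pattern [\w+=,.@-], name length
# and maximum duration. Assumed current at time of writing; check the docs before relying on them.
LIMITS = {
    "AssumeRole": {"name_key": "RoleSessionName", "name_max": 64, "max_seconds": 12 * 3600},
    "GetFederationToken": {"name_key": "Name", "name_max": 32, "max_seconds": 36 * 3600},
}
MIN_SECONDS = 900
NAME_RE = re.compile(r"^[\w+=,.@-]{2,}$", re.ASCII)

# Constructed mapping: legacy-IdP group -> S3 prefix that group may read. Groups not listed
# here never reach the session policy, so they get no access by construction.
GROUP_PREFIXES = {"finance": "finance/", "hr": "hr/"}

def session_policy(groups, bucket):
    """Inline session policy scoping the issued credentials to the caller's groups. With
    AssumeRole it only narrows the role's own policy; with GetFederationToken it is the main
    permission source (a federated user with no Policy has no permissions at all)."""
    prefixes = [GROUP_PREFIXES[g] for g in groups if g in GROUP_PREFIXES]
    if not prefixes:
        raise PermissionError("no legacy group maps to AWS access")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{bucket}/{p}*" for p in prefixes]}]}

def broker_request(api, legacy_user, groups, bucket, duration_seconds, role_arn=None):
    """Keyword arguments the broker passes to sts.assume_role() or sts.get_federation_token()
    after the legacy IdP has authenticated legacy_user. Note GetFederationToken must be called
    with an IAM user's long-term credentials, which the broker has to protect."""
    limit = LIMITS[api]
    if not NAME_RE.match(legacy_user) or len(legacy_user) > limit["name_max"]:
        raise ValueError(f"session name must match the STS pattern and be <= {limit['name_max']} chars")
    if not MIN_SECONDS <= duration_seconds <= limit["max_seconds"]:
        raise ValueError(f"{api} duration must be {MIN_SECONDS}..{limit['max_seconds']} seconds")
    req = {limit["name_key"]: legacy_user, "DurationSeconds": duration_seconds,
           "Policy": json.dumps(session_policy(groups, bucket))}
    if api == "AssumeRole":
        if not role_arn:
            raise ValueError("AssumeRole needs the RoleArn the broker is trusted to assume")
        req["RoleArn"] = role_arn
    return req
```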

Scenario-Based Selection Guide

Federation Method Selection:
        │
        ▼
Enterprise IdP (AD/Okta) for AWS Console SSO?
        │
       Yes → Multiple AWS accounts? ─ Yes → [IAM Identity Center]
        │                            No  → [SAML 2.0]
        No
        │
        ▼
Mobile/Web app user authentication?
        │
       Yes → [Amazon Cognito] (Recommended)
        │
        No
        │
        ▼
Non-SAML legacy IdP?
        │
       Yes → [Custom Identity Broker]

Key STS APIs Summary

| API                       | Use Scenario                                  |
|---------------------------|-----------------------------------------------|
| AssumeRole                | Cross-account access, EC2 roles               |
| AssumeRoleWithSAML        | SAML 2.0 Federation                           |
| AssumeRoleWithWebIdentity | OIDC/Social IdP (Cognito recommended)         |
| GetSessionToken           | Temporary token with MFA                      |
| GetFederationToken        | Used by a Custom Identity Broker              |

SAA-C03 Exam Focus Points

  1. SAML 2.0: "Enterprise AD/ADFS → AWS Console SSO = SAML 2.0"
  2. Cognito Distinction: "User Pool = Authentication, Identity Pool = AWS credentials"
  3. Web Identity Recommendation: "Social login → Use Cognito (not direct STS)"
  4. Temporary Credentials: "Federation always uses temporary credentials via STS"
  5. Custom Broker: "Non-SAML IdP → Custom Identity Broker"

Exam Tip

Sample Exam Question: "On-premises Active Directory users need SSO access to AWS Console. How should this be configured?" → Answer: SAML 2.0 Federation (ADFS → AssumeRoleWithSAML)

Frequently Asked Questions (FAQ)

Q: What's the difference between SAML 2.0 and OIDC?

SAML 2.0 is XML-based and primarily used in enterprise environments (AD, ADFS). OIDC is JSON/JWT-based and suitable for mobile/web app social logins.

Q: Can I access AWS resources using only Cognito User Pool?

No. User Pool only issues JWT tokens. To directly access AWS resources (S3, DynamoDB, etc.), you need to get temporary AWS credentials through Identity Pool.

Q: What is the validity period of temporary credentials issued via Federation?

Default is 1 hour. AssumeRole can be set up to 12 hours, and GetFederationToken up to 36 hours.

Q: What's the difference between IAM Identity Center and direct SAML 2.0 integration?

IAM Identity Center centrally manages SSO for multiple AWS accounts. For single accounts, direct SAML integration is simpler, but IAM Identity Center is recommended for multi-account environments.

Q: Does Cognito support SAML?

Yes. Cognito User Pool can integrate with both SAML 2.0 and OIDC IdPs. You can manage enterprise users (SAML) and social login users (OIDC) in a single User Pool.
