SAML 2.0-based federation

SAML 2.0 is an open standard that is used by many identity providers (IdPs). AWS supports SAML 2.0, so we can federate users from an IdP into AWS using SAML 2.0.

Since AWS supports federation with an IdP using SAML 2.0, we can use single sign-on to log in to AWS and use AWS resources, or access the resources via the AWS APIs, without having to create users in AWS. This simplifies administration, since we don't need to create IAM users for all of the users in our organization.

In the following diagram, we provide you with an example of how a SAML 2.0-based federation works:

Let's assume that we want the users in our organization to back up their laptop data every day into a particular bucket in Simple Storage Service (S3). To access S3, the user must have the required permission. The standard method would be to create a user in AWS and grant that user permission to access S3. Instead, we now use Identity Federation so that the user can access the S3 bucket without us having to create a user in AWS.

We can outline the steps that enable this to happen as follows:

  1. A laptop user in your organization uses an app to authenticate themselves with the organization's IdP.
  2. The user is authenticated by the IdP.
  3. The IdP constructs a SAML assertion with information about the user and sends it back to the app.
  4. The app now contacts the AWS Security Token Service (STS), passing this assertion along with other data, such as the identity of the IdP.
  5. The STS responds to the app with temporary credentials.
  6. Using these temporary credentials, the app now calls the S3 API, which enables the user to store data in an S3 bucket.
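Steps 3 to 5 of the API flow, as an added Python example that is not from the book: the app reads the role that the IdP's assertion authorizes for the user and builds the parameters for the STS AssumeRoleWithSAML call, then exchanges the assertion for temporary credentials. The attribute names are the ones AWS defines for SAML federation; the sample response, account ID, role name and provider name are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace of SAML 2.0 assertions and the AWS-defined attribute names.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed sample response (not from a real IdP); account id, role and provider names are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue>
    arn:aws:iam::111122223333:role/LaptopBackup,arn:aws:iam::111122223333:saml-provider/CorpIdP
  </saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
    <saml:AttributeValue>3600</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""


def aws_attributes(response_xml):
    """Map each AWS attribute carried in the assertion to its list of values."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = attr.iterfind("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text.strip() for v in values if v.text]
    return attrs


def build_assume_role_request(response_xml, wanted_role):
    """Steps 3-4: pick the role the assertion offers and build the STS call parameters."""
    attrs = aws_attributes(response_xml)
    for pair in attrs.get(ROLE_ATTR, []):
        # Each Role value is "role ARN,SAML provider ARN" (AWS accepts either order).
        arns = [a.strip() for a in pair.split(",")]
        role = next((a for a in arns if ":role/" in a), None)
        provider = next((a for a in arns if ":saml-provider/" in a), None)
        if role and provider and role.endswith("/" + wanted_role):
            params = {"RoleArn": role, "PrincipalArn": provider,
                      "SAMLAssertion": base64.b64encode(response_xml.encode()).decode()}
            if attrs.get(DURATION_ATTR):
                params["DurationSeconds"] = int(attrs[DURATION_ATTR][0])
            return params
    # Fail closed: the IdP did not authorize this user for the requested role.
    raise ValueError("role %r is not offered by the assertion" % wanted_role)


def fetch_temporary_credentials(params):
    """Steps 4-5: exchange the assertion for temporary credentials (network call, needs boto3)."""
    import boto3
    return boto3.client("sts").assume_role_with_saml(**params)["Credentials"]
```

STS verifies the assertion's signature against the registered SAML provider, so the app never has to trust the attributes it parses here; for responses received over the network, parse with defusedxml rather than the stdlib parser.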

Federated users can not only use the API, but can also log in to the AWS Console using the corporate directory. The following diagram provides the details:

The following are the steps that are taken to log in to the AWS Console using a federated user:

  1. Typically, an organization will have its own portal, in which it will provide an option for the user to log in to the AWS Console.
  2. The user will input their credentials (their username and password, as held in the corporate directory) into this portal.
  3. The credentials will then be verified against the corporate directory.
  4. A SAML assertion will be returned by the IdP.
  5. The portal will send the assertion, along with the user data, to the client browser.
  6. The browser will now be redirected to an AWS Single Sign-On (SSO) endpoint, and the SAML assertion will be posted here.
  7. The endpoint will then communicate with AWS STS on behalf of the user and obtain temporary credentials and a sign-in URL that uses those credentials.
  8. The sign-in URL will then be sent back to the client browser.
  9. The client browser will then be redirected to the AWS Management Console.
