The final option when creating a new role is the SAML 2.0 federation option, which allows you to create roles that have been federated through your own internal corporate directory.
This differs from web identity in the fact that the external authentication system is your own corporate directory of users, for example, your own Microsoft Active Directory (MSAD). Using the Lightweight Directory Access Protocol (LDAP), you can query MSAD as your authentication into your AWS account, again providing an SSO approach to your AWS environment.
Users authenticated in this way can then assume SAML 2.0 federation roles, allowing them to adopt permissions required to perform the required actions and tasks within your AWS account.
Again, there are a couple of prerequisites for using this option:
- Create a SAML provider within IAM.
- Ensure you have your policies configured – again, both a permission policy and a trusted identity policy.
Once you have...