How do I enable web identity federation with accounts from public IdPs?

1 Answer


For best results, use Amazon Cognito as your identity broker for almost all web identity federation scenarios. Amazon Cognito is easy to use and provides additional capabilities such as anonymous (unauthenticated) access, and synchronizing user data across devices and providers. However, if you have already created an app that uses web identity federation by manually calling the AssumeRoleWithWebIdentity API, you can continue to use it and your apps will still work.

Here are the basic steps to enable identity federation using one of the supported web IdPs:

  1. Sign up as a developer with the IdP and configure your app with the IdP, who gives you a unique ID for your app.
  2. If you use an IdP that is compatible with OIDC, create an identity provider entity for it in IAM.
  3. In AWS, create one or more IAM roles.
  4. In your application, authenticate your users with the public IdP.
  5. In your app, make an unsigned call to the AssumeRoleWithWebIdentity API to request temporary security credentials.
  6. Using the temporary security credentials you get in the AssumeRoleWithWebIdentity response, your app makes signed requests to AWS APIs.
  7. Your app caches the temporary security credentials so that you do not have to get new ones each time the app needs to make a request to AWS.

For more detailed steps, see Using Web Identity Federation APIs for Mobile Apps.
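The following is an added example, not code from the answer above or from AWS: it builds the trust policy a web-identity role needs (step 3) with the audience condition that pins the role to tokens issued for this app, and caches the temporary credentials until shortly before they expire (step 7). The account ID, app client ID and the injected `fetch` callable are assumptions; in a real app `fetch` would wrap the unsigned STS call.

```python
"""Trust policy for a web-identity IAM role plus a credential cache.
Added example; account ID and app client ID are constructed placeholders."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

ACCOUNT_ID = "123456789012"              # placeholder AWS account
APP_CLIENT_ID = "example-app-client-id"  # placeholder: the ID the IdP gave the app

def trust_policy(provider: str, app_client_id: str, account_id: str = ACCOUNT_ID) -> Dict:
    """Role trust policy (step 3). Google is trusted by its well-known name; any
    other issuer is the IAM OIDC provider created in step 2. The <issuer>:aud
    condition rejects tokens minted for a different app, so never omit it."""
    if provider == "accounts.google.com":
        federated = provider
    else:
        federated = f"arn:aws:iam::{account_id}:oidc-provider/{provider}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": federated},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{provider}:aud": app_client_id}},
        }],
    }

def has_audience_check(policy: Dict) -> bool:
    """Review check: every statement allowing AssumeRoleWithWebIdentity must
    constrain the token audience; a role without it trusts any app at the IdP."""
    for st in policy["Statement"]:
        if "sts:AssumeRoleWithWebIdentity" in st.get("Action", []):
            cond = st.get("Condition", {}).get("StringEquals", {})
            if not any(key.endswith(":aud") for key in cond):
                return False
    return True

class CredentialCache:
    """Reuses temporary credentials until they are within `margin` of expiry (step 7).
    `fetch(role_arn, id_token)` performs the unsigned AssumeRoleWithWebIdentity call,
    e.g. boto3.client("sts").assume_role_with_web_identity(RoleArn=role_arn,
    RoleSessionName="app", WebIdentityToken=id_token)["Credentials"]; it is
    injected here so the example runs offline."""
    def __init__(self, fetch: Callable[[str, str], Dict], margin: timedelta = timedelta(minutes=5)):
        self._fetch, self._margin, self._creds = fetch, margin, None

    def get(self, role_arn: str, id_token: str, now: Optional[datetime] = None) -> Dict:
        now = now or datetime.now(timezone.utc)
        if self._creds is None or self._creds["Expiration"] - now <= self._margin:
            self._creds = self._fetch(role_arn, id_token)  # only refresh when needed
        return self._creds
```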

