
Customer Identity and Federated Access

Understand federated identity concepts, Amazon Cognito for app users, and the differences between SAML for workforce and OIDC for customer identity.

18 min
Intermediate
Learning Outcomes

By the end of this lesson, you will be able to:

  • Choose between workforce, customer, and enterprise identity services
  • Explain the difference between SAML and OIDC/OAuth protocols
  • Distinguish Cognito User Pools from Identity Pools
  • Design a federated identity architecture for common scenarios

The identity decision framework

AWS offers multiple identity services. Choosing the right one depends on who needs access and what they need to access.

Workforce → IAM Identity Center

  • Employees accessing AWS accounts
  • Single sign-on across multiple accounts
  • SAML 2.0 protocol standard

App Users → Amazon Cognito

  • Customers using your mobile/web app
  • Millions of potential users
  • OIDC/OAuth 2.0 protocol standard

Enterprise Directory → AWS Directory Service

  • Existing Active Directory infrastructure
  • Need managed domain controllers
  • Windows workloads in AWS

What is federated identity?

Federation means using an external identity provider instead of managing credentials in AWS. Your users sign in with credentials they already have.

Mental model

Federation lets you use existing corporate credentials or social logins instead of creating new passwords.

Protocol | Typical Use | AWS Service
SAML 2.0 | Enterprise single sign-on | IAM Identity Center (workforce)
OIDC/OAuth 2.0 | Web and mobile applications | Amazon Cognito (app users)

SAML is the enterprise standard — used by workforce identity providers like Okta, Azure AD, and Ping Identity.

OIDC (OpenID Connect) is the modern web standard — used by social logins (Google, Facebook, Apple) and developer-friendly identity flows.


Amazon Cognito deep dive

Cognito handles identity for application users — the people using your software, not your employees.

01

Cognito User Pool

Meaning

A user directory that handles sign-up, sign-in, and profile management for your application. Acts as an OIDC identity provider.

Examples

A fitness app where users create profiles, track workouts, and share achievements

When it's ideal: Use when you need users to create accounts in your app or sign in with social providers
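A User Pool acting as an OIDC provider hands the app an ID token and an access token (both JWTs). A backend that only needs authentication, as the pitfalls section below puts it, accepts those tokens after checking issuer, audience, token_use and expiry. The following is an added example, not code from the lesson or from AWS: it assumes placeholder region, pool id and app client id values, and to run offline it signs constructed tokens with HMAC-SHA256 instead of the RS256 keys Cognito publishes at the issuer's /.well-known/jwks.json; the claim checks are the ones that apply to real tokens, only the signature step would be swapped for an RS256 check against that JWKS.

```python
"""Validating Cognito User Pool JWT claims on a backend (added example).

Real Cognito tokens are RS256-signed; this demo uses HS256 with a shared
secret purely so it runs offline. Everything after the signature check is
the same for real tokens.
"""
import base64
import hashlib
import hmac
import json
import time

REGION = "us-east-1"                    # assumed region
USER_POOL_ID = "us-east-1_EXAMPLEPOOL"  # placeholder pool id
APP_CLIENT_ID = "exampleappclientid123" # placeholder app client id
# Issuer format a User Pool uses: https://cognito-idp.<region>.amazonaws.com/<pool id>
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
DEMO_SECRET = b"demo-only-hmac-secret"  # stands in for the JWKS public key
NOW = 1_900_000_000                     # fixed clock for the demo


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims, secret=DEMO_SECRET):
    """Mint a demo HS256 token (constructed for this example)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token, expected_use, now=None, secret=DEMO_SECRET):
    """Return the claims if the token is acceptable, otherwise raise ValueError.

    expected_use is "id" (audience in `aud`) or "access" (audience in `client_id`),
    matching how Cognito populates the two token types.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg=none
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:           # token must come from our pool
        raise ValueError("wrong issuer")
    if claims.get("token_use") != expected_use:
        raise ValueError("wrong token_use")
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != APP_CLIENT_ID:             # token must be minted for our app client
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def check(token, expected_use, now=None):
    """Convenience wrapper returning "ok" or the rejection reason."""
    try:
        validate_token(token, expected_use, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def demo():
    """Exercise the validator against constructed good and bad tokens."""
    base = {"iss": ISSUER, "aud": APP_CLIENT_ID, "token_use": "id",
            "sub": "alice-sub", "exp": NOW + 3600}
    good = make_token(base)
    return {
        "valid_id_token": check(good, "id", now=NOW),
        "used_as_access_token": check(good, "access", now=NOW),
        "expired": check(make_token({**base, "exp": NOW - 1}), "id", now=NOW),
        "wrong_issuer": check(make_token({**base, "iss": "https://evil.example"}), "id", now=NOW),
        "wrong_audience": check(make_token({**base, "aud": "other-client"}), "id", now=NOW),
        "forged_signature": check(make_token(base, secret=b"not-our-key"), "id", now=NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The checks are deliberately ordered so that a token from the wrong pool is rejected before its audience or expiry is even considered; with real tokens, `kid` in the header selects which JWKS key to verify RS256 against.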

02

Cognito Identity Pool

Meaning

A credential broker that exchanges federated identity tokens for temporary AWS credentials. Grants direct access to AWS resources.

Examples

A photo sharing app that lets users upload directly to S3 without server intermediaries

When it's ideal: Use when app users need direct access to S3, DynamoDB, or other AWS services from the client


Cognito architecture


Federation comparison

Workforce vs Customer Identity

Comparing IAM Identity Center (workforce) with Amazon Cognito (app users)

Dimension | Workforce (Identity Center) | Customer (Cognito)
Protocol | SAML 2.0 | OIDC / OAuth 2.0
Identity source | Corporate IdP, Directory Service | Social IdPs, SAML, OIDC
AWS access | Permission sets → IAM roles | Identity pools → temporary credentials
Typical scale | Hundreds to thousands of users | Thousands to millions of users
Use case | Employees accessing AWS accounts | App users accessing app resources

Common pitfalls

Warning

Using identity pools when user pools suffice — If your app only needs authentication (proving who the user is), use User Pools alone. Identity Pools are for when users need direct AWS resource access.

Warning

Over-permissioned identity pool roles — The IAM role associated with an identity pool often grants broad S3 or DynamoDB access. Use IAM conditions to scope access to user-specific resources (e.g., prefix by user ID).
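Scoping by user ID works because IAM substitutes the policy variable ${cognito-identity.amazonaws.com:sub} with the identity ID the identity pool issued for the caller. The following is an added example, not code from the lesson or from AWS: the bucket name and the two identity IDs are constructed, and the evaluator is a small stand-in for IAM's engine (Allow statements, wildcard Resource matching and StringLike conditions only) that is just enough to show why the broad role lets one app user read another's objects while the scoped role does not.

```python
"""Over-permissioned vs. per-user scoped identity-pool role (added example).

The two policies are constructed for this lesson. is_allowed() is a toy
evaluator, not IAM: it substitutes the identity-pool subject variable,
matches Resource patterns with shell-style wildcards, and models only
Allow statements with StringLike conditions.
"""
import fnmatch

BUCKET = "example-photo-bucket"                    # assumed bucket name
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"  # real IAM policy variable
# Constructed identity IDs in the region:uuid shape an identity pool issues.
ALICE = "us-east-1:11111111-1111-4111-8111-111111111111"
BOB = "us-east-1:22222222-2222-4222-8222-222222222222"

# Over-permissioned: every authenticated app user can read and write every object.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Scoped: objects live under private/<identity id>/ and listing is limited to that prefix.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/private/${{cognito-identity.amazonaws.com:sub}}/*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringLike": {"s3:prefix": "private/${cognito-identity.amazonaws.com:sub}/*"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _subst(pattern, identity_id):
    """Replace the identity-pool subject variable with the caller's identity ID."""
    return pattern.replace(SUB_VAR, identity_id)


def _conditions_hold(condition, identity_id, context):
    """Only StringLike is modelled; every listed key must be present and match."""
    for key, pattern in condition.get("StringLike", {}).items():
        value = context.get(key)
        if value is None or not fnmatch.fnmatchcase(value, _subst(pattern, identity_id)):
            return False
    return True


def is_allowed(policy, identity_id, action, resource_arn, context=None):
    """True if some Allow statement covers the action, resource and conditions."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, _subst(r, identity_id))
                   for r in _as_list(stmt["Resource"])):
            continue
        if _conditions_hold(stmt.get("Condition", {}), identity_id, context):
            return True
    return False


def object_arn(identity_id, key):
    """ARN of an object under a user's private prefix."""
    return f"arn:aws:s3:::{BUCKET}/private/{identity_id}/{key}"


if __name__ == "__main__":
    bobs_photo = object_arn(BOB, "photo.jpg")
    print("broad policy, Alice reads Bob's photo:", is_allowed(BROAD_POLICY, ALICE, "s3:GetObject", bobs_photo))
    print("scoped policy, Alice reads Bob's photo:", is_allowed(SCOPED_POLICY, ALICE, "s3:GetObject", bobs_photo))
    print("scoped policy, Alice lists own prefix:", is_allowed(
        SCOPED_POLICY, ALICE, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}", {"s3:prefix": f"private/{ALICE}/"}))
```

The app then builds object keys from the identity ID it was given, so the prefix in the policy and the prefix the client writes to are derived from the same value; the ListBucket statement needs its own condition because listing is a bucket-level action that a per-object Resource pattern cannot constrain.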

Warning

Confusing user pool federation with identity pool federation — User Pools can federate with external IdPs for sign-in. Identity Pools federate to get AWS credentials. They serve different purposes and can be used together or separately.


Decision framework summary

Choose Identity Center when

  • Workforce access to AWS accounts
  • Multiple AWS accounts to manage
  • SAML-based enterprise integration

Choose Cognito when

  • Application users (mobile/web)
  • Social sign-in or custom accounts
  • Direct AWS resource access from clients

When to use both: Large organizations often use Identity Center for workforce AWS access AND Cognito for customer-facing applications. They are complementary, not competing.


Summary

  • Federated identity uses external credentials instead of AWS-native passwords
  • SAML is the enterprise protocol for workforce access
  • OIDC/OAuth is the modern protocol for application users
  • Cognito User Pools handle sign-up, sign-in, and tokens for app users
  • Cognito Identity Pools exchange tokens for temporary AWS credentials
  • Identity Center is for workforce; Cognito is for customers

Quiz

Knowledge Check

A mobile app wants to offer 'Sign in with Google' for its users. Which service should it use?