Assume that you want to provide a way for employees to copy data from their computers to a backup folder. You build an application that users can run on their computers. On the back end, the application reads and writes objects in an S3 bucket. Users don't have direct access to AWS. Instead, the following process is used:
- A user in your organization uses a client app to request authentication from your organization's IdP.
- The IdP authenticates the user against your organization's identity store.
- The IdP constructs a SAML assertion with information about the user and sends the assertion to the client app.
- The client app calls the AWS STS AssumeRoleWithSAML API, passing the ARN of the SAML provider, the ARN of the role to assume, and the base64-encoded SAML assertion returned by the IdP. No AWS credentials are needed to make this call; the signed assertion is the proof of identity, and STS verifies its signature against the certificate registered in the SAML provider.
- The API response to the client app includes temporary security credentials.
- The client app uses the temporary security credentials to call Amazon S3 API operations.
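The client-app side of the flow above, as an added example (not AWS's code or the code of the backup application the page describes). It parses the IdP's SAML response to find the role/provider pair and the session attributes, exchanges the response for temporary credentials with AssumeRoleWithSAML, and shows how those credentials are handed to an S3 client. The sample SAML response, the account ID 123456789012, the ExampleIdP provider, the BackupWriter/BackupReader roles and the StubSts class are constructed for offline use; the real call goes through `boto3.client("sts")`, which has the same `assume_role_with_saml` method signature.

```python
"""Client-app half of the AssumeRoleWithSAML flow (added example, not AWS's code)."""
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
           "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed, unsigned sample response (account, provider and roles are hypothetical).
# A real IdP signs the assertion and STS verifies that signature; the client only
# reads the unverified contents to decide which role to ask for, never to authorize.
SAMPLE_RESPONSE = base64.b64encode(b"""<?xml version="1.0"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
    <saml2:Conditions><saml2:AudienceRestriction>
      <saml2:Audience>https://signin.aws.amazon.com/saml</saml2:Audience>
    </saml2:AudienceRestriction></saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml2:AttributeValue>arn:aws:iam::123456789012:role/BackupWriter,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml2:AttributeValue>
        <saml2:AttributeValue>arn:aws:iam::123456789012:saml-provider/ExampleIdP,arn:aws:iam::123456789012:role/BackupReader</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml2:AttributeValue>3600</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>""").decode()


def parse_saml_response(b64_response):
    """Return (audience, [(role_arn, provider_arn), ...], session_name, duration)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    audience = root.findtext(".//saml2:Audience", namespaces=SAML_NS)
    attrs = {}
    for attr in root.iterfind(".//saml2:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text.strip()
                                   for v in attr.iterfind("saml2:AttributeValue", SAML_NS)
                                   if v.text]
    roles = []
    for value in attrs.get(AWS_ROLE_ATTR, []):
        first, second = (p.strip() for p in value.split(",", 1))
        if ":saml-provider/" in first:   # AWS accepts either order; normalise
            first, second = second, first
        roles.append((first, second))
    session_name = (attrs.get(AWS_SESSION_NAME_ATTR) or [None])[0]
    duration = attrs.get(AWS_DURATION_ATTR)
    return audience, roles, session_name, int(duration[0]) if duration else None


def choose_role(roles, wanted_role_arn):
    """Pick the (role, provider) pair for the one role this app is built to use."""
    for role_arn, provider_arn in roles:
        if role_arn == wanted_role_arn:
            return role_arn, provider_arn
    raise LookupError(f"IdP did not grant {wanted_role_arn}; offered {[r for r, _ in roles]}")


def assume_role_with_saml(sts, b64_response, role_arn, provider_arn, duration=None):
    """Exchange the SAML response for temporary credentials via STS.

    `sts` is anything with a boto3-style assume_role_with_saml method, so the
    exchange runs offline against StubSts and for real against boto3.client("sts").
    """
    request = {"RoleArn": role_arn, "PrincipalArn": provider_arn,
               "SAMLAssertion": b64_response}
    if duration is not None:
        # STS accepts 900..43200 s, further capped by the role's MaxSessionDuration.
        request["DurationSeconds"] = max(900, min(int(duration), 43200))
    return sts.assume_role_with_saml(**request)["Credentials"]


def s3_client_from(creds, region="us-east-1"):
    """Build an S3 client from the temporary credentials (boto3 imported lazily)."""
    import boto3
    return boto3.client("s3", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


class StubSts:
    """Offline stand-in for boto3.client("sts"); records the request it received."""
    def __init__(self):
        self.last_request = None

    def assume_role_with_saml(self, **request):
        self.last_request = request
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLESTUB",
                                "SecretAccessKey": "stub", "SessionToken": "stub"}}


if __name__ == "__main__":
    audience, roles, user, duration = parse_saml_response(SAMPLE_RESPONSE)
    if audience != AWS_AUDIENCE:
        raise SystemExit(f"unexpected audience {audience!r}; STS would reject it too")
    role_arn, provider_arn = choose_role(roles, "arn:aws:iam::123456789012:role/BackupWriter")
    creds = assume_role_with_saml(StubSts(), SAMPLE_RESPONSE, role_arn, provider_arn, duration)
    print(user, "->", role_arn, "via", creds["AccessKeyId"])
    # Real use: s3_client_from(creds).upload_file(path, bucket, f"backups/{user}/{name}")
```

The audience check in the client is only a fast-fail for misconfigured IdPs; STS enforces it anyway, and the role's trust policy should additionally pin saml:aud. The per-user key prefix in the last comment is what a permissions policy can scope each federated session to.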
After you create the role, inform your SAML IdP about AWS as a service provider by installing the saml-metadata.xml file found at https://signin.aws.amazon.com/static/saml-metadata.xml. How you install that file depends on your IdP. Some providers give you the option to type the URL, whereupon the IdP gets and installs the file for you. Others require you to download the file from the URL and then provide it as a local file. Refer to your IdP documentation for details, or see Integrating Third-Party SAML Solution Providers with AWS for links to the web documentation for many of the supported SAML providers.
You also configure the information that you want the IdP to pass as SAML attributes to AWS as part of the authentication response. Most of this information appears in AWS as condition context keys (for example saml:aud, saml:iss and saml:sub) that you can evaluate in the role's trust policy and permissions policies, so that only authorized users in the right contexts are granted permissions to access your AWS resources. In particular, the trust policy should require saml:aud to equal https://signin.aws.amazon.com/saml, so that only assertions issued for AWS can be used to assume the role. You can use the aws:CurrentTime condition key to specify time windows that restrict when the role may be assumed. You can also specify the maximum session duration (up to 12 hours, and never longer than the role's maximum session duration) that users can keep their credentials before having to re-authenticate: for the console this is the SessionDuration SAML attribute, and for a client app it is the DurationSeconds parameter of AssumeRoleWithSAML.
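A trust policy for the role in this scenario, with a check for the most common mistake (allowing sts:AssumeRoleWithSAML without pinning saml:aud), as an added example that is not AWS's own code. The provider ARN and account ID are hypothetical; the condition key names and the policy shape are the standard IAM ones.

```python
"""Role trust policy for SAML federation plus a lint for the saml:aud condition."""
import json

AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/ExampleIdP"  # hypothetical
SAML_ACTIONS = {"sts:assumerolewithsaml", "sts:*", "*"}


def trust_policy(provider_arn, not_before=None, not_after=None):
    """Trust policy letting the IdP's federated users assume the role.

    saml:aud pins the assertion to AWS's sign-in endpoint; the optional
    aws:CurrentTime window (ISO 8601 timestamps) restricts when the role may be assumed.
    """
    condition = {"StringEquals": {"SAML:aud": AWS_AUDIENCE}}
    if not_before and not_after:
        condition["DateGreaterThan"] = {"aws:CurrentTime": not_before}
        condition["DateLessThan"] = {"aws:CurrentTime": not_after}
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Federated": provider_arn},
                           "Action": "sts:AssumeRoleWithSAML",
                           "Condition": condition}]}


def unpinned_saml_statements(policy):
    """Indexes of Allow statements that grant AssumeRoleWithSAML without saml:aud == AWS."""
    problems = []
    for index, statement in enumerate(policy.get("Statement", [])):
        actions = statement.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        grants_saml = any(a.lower() in SAML_ACTIONS for a in actions)
        if statement.get("Effect") != "Allow" or not grants_saml:
            continue
        equals = statement.get("Condition", {}).get("StringEquals", {})
        # Condition key names are case-insensitive in IAM.
        audience = {k.lower(): v for k, v in equals.items()}.get("saml:aud")
        if audience != AWS_AUDIENCE:
            problems.append(index)
    return problems


if __name__ == "__main__":
    good = trust_policy(PROVIDER_ARN, "2024-01-01T08:00:00Z", "2024-01-01T18:00:00Z")
    print(json.dumps(good, indent=2))
    weak = trust_policy(PROVIDER_ARN)
    del weak["Statement"][0]["Condition"]   # the weak version: trusts any assertion
    print("unpinned statements:", unpinned_saml_statements(weak))
```

The lint is deliberately strict: a statement whose audience is checked with StringLike or a wildcard is reported as unpinned, because the point of the condition is to reject assertions the IdP issued for some other service provider.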