AssumeRoleWithSAML returns a set of temporary security credentials for users who have authenticated through SAML with an enterprise identity provider (IdP) or directory service. The following figure shows the AssumeRoleWithSAML workflow.
Figure 9. Workflow of AssumeRoleWithSAML
Before using AssumeRoleWithSAML, you must configure your SAML IdP, such as ADFS, to issue the claims that ECS requires.
- You must also create an IAM role whose trust policy (the AssumeRolePolicyDocument) names that SAML provider as the trusted principal.
- AssumeRoleWithSAML returns temporary security credentials for a user who has been authenticated through a SAML authentication response; the role assumed is the one named in the request.
- This operation ties an enterprise identity store or directory to role-based access without creating ECS credentials or per-user configuration for each user.
- Calling AssumeRoleWithSAML does not require ECS security credentials. The caller's identity is established from the claims in the SAML assertion that the identity provider issued, so the trust policy's conditions on those claims are the control that decides who can assume the role.
- The temporary credentials consist of an access key ID, a secret access key, and a security (session) token.
- The following SAML condition keys are supported in the Condition block of the AssumeRolePolicyDocument:
  - saml:aud
  - saml:iss
  - saml:sub
  - saml:sub_type
  - saml:edupersonorgdn
  - saml:namequalifier
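The following Python example, added here and not part of the ECS documentation or product code, shows how the pieces above fit together: a SAML assertion is mapped onto the saml:* condition keys, a role trust policy with StringEquals/StringLike conditions on those keys is evaluated against the mapped claims, and the unsigned AssumeRoleWithSAML request is built with the assertion base64-encoded. The provider and role identifiers, the audience value, the ADFS issuer URL, the sample assertion and the eduPersonOrgDN attribute name are all assumed or constructed for illustration. The evaluation here reproduces only the trust-policy condition logic; verifying the assertion's signature and validity window is the service's job, not shown.

```python
import base64
import fnmatch
import xml.etree.ElementTree as ET  # constructed input only; parse untrusted XML with defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EDUPERSON_ORGDN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.3"  # eduPersonOrgDN attribute (assumed mapping)

# Hypothetical identifiers; take the real provider/role identifiers and audience from your deployment.
PROVIDER_ARN = "urn:ecs:iam::ns1:saml-provider/adfs"
ROLE_ARN = "urn:ecs:iam::ns1:role/s3-readers"
ECS_AUDIENCE = "urn:ecs:sts"
IDP_ISSUER = "http://adfs.example.com/adfs/services/trust"

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{ECS_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EDUPERSON_ORGDN_OID}">
      <saml:AttributeValue>o=Example Corp,c=US</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Trust policy (AssumeRolePolicyDocument) pinning issuer, audience, subject type and subject pattern.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {
            "StringEquals": {"saml:aud": ECS_AUDIENCE, "saml:iss": IDP_ISSUER, "saml:sub_type": "persistent"},
            "StringLike": {"saml:sub": "*@example.com"},
        },
    }],
}

def extract_saml_claims(assertion_xml: str) -> dict:
    """Map assertion fields onto the saml:* condition keys (namequalifier derivation not shown)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    fmt = name_id.get("Format", "") if name_id is not None else ""
    claims = {
        "saml:iss": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "saml:aud": [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)],
        "saml:sub": name_id.text if name_id is not None else None,
        # short form for the standard persistent/transient formats, otherwise the full Format URI (assumed)
        "saml:sub_type": fmt.rsplit(":", 1)[-1] if fmt.endswith(("persistent", "transient")) else fmt,
    }
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == EDUPERSON_ORGDN_OID:
            claims["saml:edupersonorgdn"] = attr.findtext("saml:AttributeValue", namespaces=SAML_NS)
    return claims

def _conditions_match(condition: dict, claims: dict) -> bool:
    """StringEquals / StringLike blocks: every key must match (AND); any listed value may match (OR)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = claims.get(key.lower())
            actual = actual if isinstance(actual, list) else [actual]
            if operator == "StringEquals":
                ok = any(a == e for a in actual for e in expected)
            elif operator == "StringLike":
                ok = any(a is not None and fnmatch.fnmatchcase(a, e) for a in actual for e in expected)
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True

def trust_policy_allows(policy: dict, provider_arn: str, claims: dict) -> bool:
    """True if an Allow statement trusts this provider for sts:AssumeRoleWithSAML and its conditions hold."""
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithSAML" not in actions:
            continue
        if stmt.get("Principal", {}).get("Federated") != provider_arn:
            continue
        if _conditions_match(stmt.get("Condition", {}), claims):
            return True
    return False

def build_assume_role_request(role_arn: str, provider_arn: str, assertion_xml: str, duration: int = 3600) -> dict:
    """Query parameters of the unsigned STS call; no ECS access key is involved, the assertion is the credential."""
    return {
        "Action": "AssumeRoleWithSAML",
        "Version": "2011-06-15",
        "RoleArn": role_arn,
        "PrincipalArn": provider_arn,
        "SAMLAssertion": base64.b64encode(assertion_xml.encode()).decode(),
        "DurationSeconds": str(duration),
    }
```

Pinning saml:aud and saml:iss in the trust policy is what stops an assertion the IdP issued for some other service provider, or an assertion from a different IdP that happens to use the same NameID values, from being replayed against this role; `trust_policy_allows` returns False for both cases. The provider named in `PrincipalArn` must also match the `Federated` principal in the policy, so registering the IdP's signing certificate under that provider is the step that binds the whole chain together.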