Security Token Service (STS)
- Request temporary, limited-privilege credentials for IAM or federated users
- Identity federation (custom identity broker)
  - User logs in to the broker with un/pw
  - Credentials are given to the identity broker (IB)
  - IB validates them against the identity store, e.g., Active Directory
  - If valid, IB calls STS (AssumeRole or GetFederationToken) on the user's behalf
  - STS issues an access key, secret key, and session token (all three are needed; the session token is what marks them as temporary)
  - User uses these directly with the CLI/SDK; for the Console, the broker exchanges them at the AWS federation endpoint for a sign-in token and redirects the user's browser to the login URL, so the secret key never reaches the browser
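The broker side of the flow above, as an added example (not code from the original notes): the STS call with a session policy that narrows the role, the CLI-style hand-off, and the two federation-endpoint URLs for console access. The role ARN, bucket name, issuer URL and the `FakeSTS` stand-in are assumptions so that it runs offline; in production the broker uses `boto3.client("sts")`.

```python
"""Custom identity broker flow for AWS STS.

Added example, not code from the original notes. Directory validation of
the user is assumed to have already succeeded; this covers the STS call
and how the credentials reach the user. Role ARN, bucket, issuer and the
FakeSTS class are assumptions/constructions for an offline run.
"""
import json
import urllib.parse

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"


def session_policy_for(bucket: str) -> dict:
    """Session policy passed to AssumeRole. It can only narrow the role's
    permissions, never widen them: the effective permissions are the
    intersection of the role policy and this document."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def broker_assume_role(sts, role_arn: str, username: str, policy: dict,
                       duration: int = 3600) -> dict:
    """Identity broker step: call STS on the validated user's behalf.
    `sts` is any object with assume_role(**kwargs) (boto3's STS client).
    RoleSessionName is set to the directory username so CloudTrail
    attributes API calls to the person, not just to the role."""
    if not 900 <= duration <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=username,
        DurationSeconds=duration,
        Policy=json.dumps(policy),
    )
    c = resp["Credentials"]
    return {k: c[k] for k in ("AccessKeyId", "SecretAccessKey",
                              "SessionToken", "Expiration")}


def cli_environment(creds: dict) -> dict:
    """CLI/SDK path: the triple is used directly as environment variables.
    A temporary access key presented without its session token is rejected."""
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def signin_token_request_url(creds: dict) -> str:
    """Console path, step 1: the broker (server side, not the browser) GETs
    this URL and receives a JSON body {"SigninToken": "..."}."""
    session = json.dumps({
        "sessionId": creds["AccessKeyId"],
        "sessionKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
    })
    query = urllib.parse.urlencode({"Action": "getSigninToken", "Session": session})
    return f"{FEDERATION_ENDPOINT}?{query}"


def console_login_url(signin_token: str, issuer: str,
                      destination: str = CONSOLE_URL) -> str:
    """Console path, step 2: the only URL the user's browser sees. It
    carries the short-lived SigninToken, never the secret key."""
    query = urllib.parse.urlencode({
        "Action": "login",
        "Issuer": issuer,
        "Destination": destination,
        "SigninToken": signin_token,
    })
    return f"{FEDERATION_ENDPOINT}?{query}"


class FakeSTS:
    """Constructed stand-in so the example runs offline; replace with
    boto3.client("sts") under the broker's own tightly scoped credentials."""
    def assume_role(self, **kwargs):
        assert kwargs["RoleSessionName"] and "Policy" in kwargs
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEY",
            "SecretAccessKey": "EXAMPLESECRET",
            "SessionToken": "EXAMPLE.SESSION.TOKEN",
            "Expiration": "2024-01-01T01:00:00Z",
        }}


if __name__ == "__main__":
    creds = broker_assume_role(FakeSTS(), "arn:aws:iam::123456789012:role/BrokerUser",
                               "alice", session_policy_for("team-reports"))
    print(cli_environment(creds))
    print(signin_token_request_url(creds))
    # after the GET above: token = json.loads(body)["SigninToken"]
    print(console_login_url("SIGNIN-TOKEN-FROM-STEP-1", "https://broker.example.com"))
```

The console session ends when the temporary credentials expire, so the `DurationSeconds` chosen by the broker is the real bound on both paths.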
- SAML 2.0 federation
  - User opens the identity provider (IdP) login page, enters un/pw, selects the appropriate application
  - IdP validates the credentials and permissions and returns a signed SAML assertion to the user's browser
  - User's browser POSTs the assertion to the service provider (for AWS, the SAML sign-in endpoint, or a client calling AssumeRoleWithSAML); the service provider validates the assertion's signature, audience and validity window against the IdP metadata it trusts, so the user can't forge or alter it
  - Service provider (STS) issues temporary credentials for the role named in the assertion and returns them to the user
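The service-provider side of the SAML flow above, as an added example (not code from the original notes): pick a role from the assertion's AWS `Role` attribute and hand the whole assertion to STS via `AssumeRoleWithSAML`. The assertion XML is a constructed, unsigned skeleton so the example runs offline (a real one is signed by the IdP and STS verifies that signature); the ARNs and the `FakeSTS` stand-in are assumptions.

```python
"""SAML to AWS STS (AssumeRoleWithSAML).

Added example, not code from the original notes. SAMPLE_ASSERTION is a
constructed, unsigned skeleton for offline use; provider/role ARNs and the
FakeSTS class are assumptions.
"""
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml: str, name: str) -> list:
    """All AttributeValue texts for the named SAML attribute."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            values += [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                       if v.text]
    return values


def roles_in_assertion(assertion_xml: str) -> list:
    """Each Role value is 'role_arn,provider_arn'; STS accepts either order,
    so normalise to (role, provider) pairs."""
    pairs = []
    for value in attribute_values(assertion_xml, ROLE_ATTR):
        a, b = [p.strip() for p in value.split(",", 1)]
        role, provider = (a, b) if ":role/" in a else (b, a)
        pairs.append((role, provider))
    return pairs


def assume_role_with_saml(sts, assertion_xml: str, role_arn: str,
                          duration: int = 3600) -> dict:
    """Service-provider step. The signed assertion is sent to STS whole;
    STS (not this code) checks the signature, audience and NotOnOrAfter.
    The only local decision is which of the offered roles to request, and
    the RoleSessionName attribute in the assertion becomes the session name."""
    offered = dict(roles_in_assertion(assertion_xml))
    if role_arn not in offered:
        raise PermissionError(f"assertion does not offer {role_arn}")
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=offered[role_arn],
        SAMLAssertion=base64.b64encode(assertion_xml.encode()).decode(),
        DurationSeconds=duration,
    )
    return resp["Credentials"]


class FakeSTS:
    """Constructed stand-in; use boto3.client("sts") for real calls. Note
    AssumeRoleWithSAML is called unsigned: the assertion is the credential."""
    def assume_role_with_saml(self, **kw):
        assert kw["SAMLAssertion"] and ":saml-provider/" in kw["PrincipalArn"]
        return {"Credentials": {"AccessKeyId": "ASIASAMLEXAMPLE",
                                "SecretAccessKey": "EXAMPLESECRET",
                                "SessionToken": "EXAMPLE.SESSION.TOKEN",
                                "Expiration": "2024-01-01T01:00:00Z"},
                "AssumedRoleUser": {"Arn": kw["RoleArn"]}}


if __name__ == "__main__":
    for role, provider in roles_in_assertion(SAMPLE_ASSERTION):
        print("offered:", role, "via", provider)
    print(assume_role_with_saml(FakeSTS(), SAMPLE_ASSERTION,
                                "arn:aws:iam::123456789012:role/ReadOnly"))
```

Trust boundary to keep in mind: the attributes parsed here come from the user's browser, so they are only a hint for the role picker; authorization happens when STS verifies the signature against the IAM SAML provider and checks the role's trust policy.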