Considering User Federation
It is only natural for organizations to want to reuse their existing IdPs to give their workforce, customers, or partners access to AWS without having to create and manage a separate set of identities on AWS. Doing so avoids multiplying long-lived security credentials unnecessarily and thereby limits the associated security risk. Depending on the use case, you can use either AWS Single Sign-On (AWS SSO) or AWS IAM to enable user federation.
AWS SSO is well suited for cases where you want to establish user federation across multiple AWS accounts while leveraging your existing corporate IdP or a third-party IdP. You can then assign permissions to your users based on their group membership in your IdP's directory and control access by modifying users and groups in your IdP. You can also implement ABAC, either through user information synchronized from your IdP via System for Cross-domain Identity Management (SCIM) or by passing user attributes in Security Assertion...
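As an added example (not taken from the book), this is what the ABAC part of that description looks like in the policy attached to an AWS SSO permission set: the user's Department attribute, delivered by the IdP and exposed to IAM as the principal tag `Department`, must equal the `Department` tag on the EC2 instance being acted on, so changing the attribute in the IdP changes the user's effective access without editing any policy. The tag key `Department` and the choice of EC2 start/stop actions are assumptions made for illustration; `aws:PrincipalTag` and `aws:ResourceTag` are the standard IAM condition keys.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeIsNotResourceScoped",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "ActOnlyOnOwnDepartmentsInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"
        }
      }
    }
  ]
}
```

If the federated session carries no `Department` tag, the policy variable is not resolved and the second statement simply does not match, so the user can list instances but cannot start or stop any of them.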