
All news with #federation tag

4 articles

Customize Federated Sign‑In with Cognito Lambda Trigger

🔐 This post introduces the new inbound federation Lambda trigger for Amazon Cognito, which intercepts external IdP responses so you can transform, filter, and enrich attributes before a user profile is created. It explains how the trigger receives SAML and OIDC attributes, and outlines common B2B and B2C problems such as oversized group lists and duplicate accounts from different social sign-ins. The article shows how to normalize group attributes, filter excessive data, and implement automated account linking to maintain a single primary identity. It also covers performance and error-handling best practices for Lambda functions.

AWS STS Validates Provider Claims for OIDC Roles Now

🔐 AWS Security Token Service (STS) now validates select identity-provider-specific claims from Google, GitHub, CircleCI, and Oracle Cloud Infrastructure for OIDC federation via the AssumeRoleWithWebIdentity API. You can reference these custom claims as condition keys in IAM role trust policies and resource control policies to enforce finer-grained access control and establish data perimeters. This enhancement builds on IAM's OIDC federation capabilities and is available in all AWS Commercial Regions.

Amazon Cognito adds inbound federation Lambda trigger

🔐 Amazon Cognito introduces inbound federation Lambda triggers that let you transform and customize federated user attributes during authentication. You can modify responses from external SAML and OIDC providers — adding, overriding, or suppressing attributes — before they are stored in your user pool to avoid issues such as Cognito's 2,048-character limit per attribute. The trigger is available via hosted UI (classic) and managed login in all AWS Regions and is configurable through the Console, CLI, SDKs, CDK, or CloudFormation.

Federated Identity Management: Balancing Security and UX

🔐 Federated Identity Management (FIM) enables a single authentication to span multiple applications or organizations, letting users sign in once and reuse identity assertions across services. It improves user experience and resilience while introducing architectural complexity, potential vendor lock-in, and additional service costs. Implementations commonly rely on cloud identity providers such as Google, Microsoft, or Okta and use protocols like SAML, OAuth 2.0, and OpenID Connect.