Posts

Showing posts from November, 2019

AWS

https://aws.amazon.com/blogs/security/how-to-establish-federated-access-to-your-aws-resources-by-using-active-directory-user-attributes/

In the preceding diagram:

1. An AD user (let's call him Bob) browses to the AD FS sample site (https://Fully.Qualified.Domain.Name.Here/adfs/ls/IdpInitiatedSignOn.aspx) inside this domain.
2. The sign-in page authenticates Bob against AD. If Bob is already authenticated or using a domain-joined workstation, he might also be prompted for his AD user name and password.
3. Bob's browser receives a SAML assertion in the form of an authentication response from AD FS.
4. Bob's access is authorized based on his AD group membership or on AD user attributes configured on his account.
5. Bob's browser automatically posts the SAML assertion to the AWS sign-in endpoint for SAML (https://signin.aws.amazon.com/saml).
6. The endpoint uses the AssumeRoleWithSAML API to request temporary security credentials and then constructs a sign-in URL for the