Note

A note about this example: it is a little out of date. The modern version of the IdP allows much of the flow machinery and files to be embedded inside the extension jar so that it auto-registers itself, but the example uses the old "manual" way of adding a flow to the system.

Most of Amazon's AWS services use a proprietary security model that relies either on AWS-managed user accounts and passwords, or on a model where external tokens based on technologies like SAML or OAuth are exchanged for "temporary credentials" that are then used to secure AWS API calls. One of the "unsecured" (unauthenticated) APIs in the AWS Security Token Service (STS) is called AssumeRoleWithSAML; it is the core API for trading a SAML Response message issued by a trusted IdP for temporary credentials that operate in a particular AWS role. This is the API the AWS web console uses internally to allow federated access, but any client can call it.
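As an added illustration (not code from this wiki page or the IdP project), the client side of that exchange: read the AWS Role attribute out of a SAML Response, check that the role the user asked for is actually listed in the assertion, and build the AssumeRoleWithSAML request that STS would receive. The SAML Response below is a constructed, unsigned sample with made-up account and provider names; no call to STS is made.

```python
import base64
import xml.etree.ElementTree as ET

# Attribute name AWS expects in the assertion; each value is a
# "role ARN,provider ARN" pair (AWS accepts either order).
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample response for illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ExampleIdP,arn:aws:iam::123456789012:role/Admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def role_pairs(response_xml):
    """Return [(role_arn, provider_arn), ...] from the Role attribute."""
    root = ET.fromstring(response_xml)
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            a, b = [p.strip() for p in value.text.split(",", 1)]
            # Normalise order so the role ARN always comes first.
            pairs.append((a, b) if ":role/" in a else (b, a))
    return pairs


def assume_role_with_saml_params(response_xml, role_arn, duration=3600):
    """Build the STS Query API form body for AssumeRoleWithSAML.

    STS only accepts a role that the assertion lists, paired with the
    SAML provider ARN it was issued for; this check mirrors that rule.
    """
    provider = dict(role_pairs(response_xml)).get(role_arn)
    if provider is None:
        raise ValueError("role not authorised by assertion: " + role_arn)
    return {
        "Action": "AssumeRoleWithSAML",
        "Version": "2011-06-15",
        "RoleArn": role_arn,
        "PrincipalArn": provider,
        "SAMLAssertion": base64.b64encode(response_xml.encode()).decode(),
        "DurationSeconds": str(duration),
    }
```

STS itself also verifies the signature on the Response against the registered SAML provider and checks the Audience and time conditions; nothing in the client-side preparation above replaces that.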

...