Entra ID to AWS SAML Authentication Flow
Federated sign-in path from Microsoft Entra ID to AWS IAM role assumption
This diagram summarizes the lab SAML flow documented in the repository. It does not claim a production multi-account AWS IAM Identity Center rollout.
1. User: User opens AWS access path. Browser starts the AWS SSO/SAML sign-in journey.
2. AWS: AWS redirects user to Microsoft Entra ID. AWS trusts Entra ID as the configured SAML identity provider.
3. Entra ID: User authenticates and satisfies identity controls. Credential verification, MFA or Conditional Access would be evaluated here in production.
4. Entra ID: Signed SAML assertion is generated. Assertion includes user identity and AWS role ARN claim mapping.
5. Browser: Assertion is posted to AWS ACS endpoint. ACS URL: https://signin.aws.amazon.com/saml
6. AWS IAM: AWS validates signature and trust. IAM SAML provider uses Entra federation metadata and token signing certificate.
7. AWS STS: Federated role session is issued. User assumes the EntraID-ReadOnly role without separate long-term AWS user credentials.
8. AWS Console: Access granted through federated role. CloudTrail validation and deprovisioning tests are listed as future evidence.
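The steps above turn on what the assertion actually carries: the AWS audience, a validity window, and the Role attribute that pairs a role ARN with the IAM SAML provider ARN. The following is an added example, not code from the lab repository, that inspects those claims in a constructed Entra-style assertion the way a reviewer would before trusting the role mapping. Signature verification is left to AWS (step 6) and is only checked for presence here; the account id, provider name and tenant id are placeholders, and the AWS attribute names and audience value are the documented AWS SAML ones.

```python
"""Added example (not from the lab repository): check the AWS-relevant claims
in a SAML assertion before trusting its role mapping.

AWS validates the XML signature against the Entra signing certificate; this
script only inspects the claims AWS will act on. The account id, role name,
provider name and tenant id below are placeholders, not the lab's values.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
AWS_AUDIENCE = "urn:amazon:webservices"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Placeholders: the lab's real account id and provider name are not on the page.
EXPECTED_PROVIDER = "arn:aws:iam::123456789012:saml-provider/EntraID"
ALLOWED_ROLES = {"arn:aws:iam::123456789012:role/EntraID-ReadOnly"}

# Constructed sample assertion shaped like an Entra ID SAML 2.0 token for AWS.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_abc" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/EntraID-ReadOnly,arn:aws:iam::123456789012:saml-provider/EntraID</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    """Parse a SAML Zulu timestamp (YYYY-MM-DDTHH:MM:SSZ) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, expected_provider=EXPECTED_PROVIDER, allowed_roles=ALLOWED_ROLES):
    """Return (ok, findings, role_pairs); `now` is a Zulu timestamp string."""
    findings = []
    current = _parse_time(now)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return False, ["root element is not a SAML Assertion"], []

    # Presence only: the cryptographic check belongs to AWS and the IdP certificate.
    if root.find("ds:Signature", NS) is None:
        findings.append("assertion carries no XML signature")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element")
    else:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and current < _parse_time(not_before):
            findings.append("assertion not yet valid")
        if not_after and current >= _parse_time(not_after):
            findings.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if AWS_AUDIENCE not in audiences:
            findings.append(f"audience {audiences} does not include {AWS_AUDIENCE}")

    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]

    role_pairs = []
    for value in attrs.get(ROLE_ATTR, []):
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            findings.append(f"malformed Role value: {value}")
            continue
        # AWS accepts the pair in either order; normalise to (role, provider).
        role, provider = parts if ":role/" in parts[0] else parts[::-1]
        if provider != expected_provider:
            findings.append(f"unexpected SAML provider {provider}")
        if role not in allowed_roles:
            findings.append(f"role {role} is not in the allow-list")
        role_pairs.append((role, provider))
    if not role_pairs:
        findings.append("no Role attribute; AWS will reject the assertion")
    if not attrs.get(SESSION_ATTR):
        findings.append("no RoleSessionName attribute")

    return not findings, findings, role_pairs


if __name__ == "__main__":
    ok, findings, pairs = check_assertion(SAMPLE_ASSERTION, "2024-01-01T00:30:00Z")
    print("ok" if ok else "findings:", findings, pairs)
```

The allow-list is the point of the role check: the assertion is trusted for identity once AWS has verified the signature, but which role it may name is a governance decision, so the expected provider ARN and the permitted role ARNs are pinned here rather than accepted from the token.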
Reviewer Notes
- Entra ID is the identity provider and AWS IAM is the service provider.
- Access is centralized through Entra assignment and SAML role claim mapping.
- AWS long-term user credentials are avoided for the federated console path.
- Production assurance would require Conditional Access, deprovisioning, CloudTrail, and role governance evidence.
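CloudTrail validation and deprovisioning evidence are listed above as future work. As an added example that is not part of the lab repository, the script below shows what that evidence check can look like: it reads constructed CloudTrail records shaped like STS `AssumeRoleWithSAML` and `ConsoleLogin` events and flags sessions obtained through an unexpected SAML provider or role, sessions for a user who has been removed from the Entra assignment, and console sign-ins with long-term IAM user credentials (which the federated path is meant to avoid). The account id, provider name and user names are placeholders or constructed.

```python
"""Added example (not from the lab repository): review CloudTrail records for
the federated sign-in path described on this page.

Records are constructed to match the shape of real AssumeRoleWithSAML and
ConsoleLogin events; account id, provider name and users are placeholders.
"""
import json

EXPECTED_PROVIDER = "arn:aws:iam::123456789012:saml-provider/EntraID"  # placeholder
EXPECTED_ROLE = "arn:aws:iam::123456789012:role/EntraID-ReadOnly"     # placeholder account id
DEPROVISIONED = {"bob@example.com"}  # constructed: removed from the Entra app assignment

# Finding kinds, so callers can assert on them rather than on free text.
UNEXPECTED_PROVIDER = "federated session via unexpected SAML provider"
UNEXPECTED_ROLE = "federated session into unexpected role"
DEPROVISIONED_USER = "deprovisioned user still obtaining a federated session"
LONG_TERM_LOGIN = "console sign-in with long-term IAM user credentials"


def _saml_event(subject, role, provider, when):
    """Build one constructed AssumeRoleWithSAML record (JSON-lines style)."""
    return {
        "eventTime": when, "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
        "userIdentity": {"type": "SAMLUser", "userName": subject,
                         "identityProvider": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"},
        "requestParameters": {"roleArn": role, "principalArn": provider,
                              "roleSessionName": subject, "sAMLAssertionID": "_constructed"},
        "responseElements": {"subject": subject, "audience": "urn:amazon:webservices"},
    }


# Constructed sample log: one clean federated session, one for a deprovisioned
# user, one into a role outside the lab's mapping, one long-term IAM user
# console login, and one unrelated API call that must be ignored.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _saml_event("alice@example.com", EXPECTED_ROLE, EXPECTED_PROVIDER, "2024-01-01T00:30:05Z"),
    _saml_event("bob@example.com", EXPECTED_ROLE, EXPECTED_PROVIDER, "2024-01-01T01:10:00Z"),
    _saml_event("carol@example.com", "arn:aws:iam::123456789012:role/AdminRole",
                EXPECTED_PROVIDER, "2024-01-01T01:20:00Z"),
    {"eventTime": "2024-01-01T02:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "legacy-admin"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T02:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"type": "AssumedRole"}},
])


def review_events(log_text, expected_provider=EXPECTED_PROVIDER,
                  expected_role=EXPECTED_ROLE, deprovisioned=DEPROVISIONED):
    """Return a list of (subject, finding_kind, detail) over JSON-lines CloudTrail records."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ident = ev.get("userIdentity", {})
        name = ev.get("eventName")
        if name == "AssumeRoleWithSAML":
            req = ev.get("requestParameters", {})
            subject = ev.get("responseElements", {}).get("subject") or ident.get("userName")
            if req.get("principalArn") != expected_provider:
                findings.append((subject, UNEXPECTED_PROVIDER, req.get("principalArn")))
            if req.get("roleArn") != expected_role:
                findings.append((subject, UNEXPECTED_ROLE, req.get("roleArn")))
            if subject in deprovisioned:
                findings.append((subject, DEPROVISIONED_USER, ev.get("eventTime")))
        elif name == "ConsoleLogin" and ident.get("type") == "IAMUser":
            # The page's design goal is that console access comes only through the
            # federated role, so any IAM-user console login is evidence to review.
            findings.append((ident.get("userName"), LONG_TERM_LOGIN, ev.get("eventTime")))
    return findings


def federated_sessions(log_text):
    """Count successful AssumeRoleWithSAML sessions per subject (the positive evidence)."""
    counts = {}
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            if ev.get("eventName") == "AssumeRoleWithSAML":
                subject = ev.get("responseElements", {}).get("subject")
                counts[subject] = counts.get(subject, 0) + 1
    return counts


if __name__ == "__main__":
    for subject, kind, detail in review_events(SAMPLE_LOG):
        print(f"{subject}: {kind} ({detail})")
    print(federated_sessions(SAMPLE_LOG))
```

Against real CloudTrail exports the same functions apply line by line to the `Records` array of each log file; the deprovisioning check is only meaningful once the removal time is known, so in practice the `deprovisioned` set would carry a timestamp per user and the finding would be raised only for sessions after it.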