If this directory was based on AD, could Identity Broker have used AssumeRoleWithSAML against STS?
I’m trying to figure out what the use cases are for using GetFederationToken instead of AssumeRoleWithSAML.
In my understanding it’s because you don’t have a token from the ID Provider yet; AssumeRoleWithSAML needs you to pass a token coming from AD. Maybe someone can confirm/deny this. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
GetFederationToken and AssumeRole both return a set of temporary security credentials, but they differ in how the permissions associated with those temporary security credentials are derived. Both are called by the application.
GetFederationToken requires an IAM user or root. The resulting permissions inherit the permissions of the caller, scoped down by the optional permissions attached in the request.
AssumeRole sessions derive their permissions from the role policies that you’ve pre-defined (once again scoped down by the optional permissions attached in the request). An IAM user or another role with permissions to call AssumeRole can assume a role.
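The permission-derivation rules described in this answer, and the point from the earlier reply that AssumeRoleWithSAML takes an IdP assertion instead of AWS credentials, can be checked against a small executable model. The code below is an added example written for this thread, not AWS code and not from anyone in the discussion. It is a deliberate simplification: policies contain only Allow/Deny statements over action patterns (no resources, conditions, permission boundaries or resource-based policies), SAML signature validation is left out, and the identities (alice, bob, the S3Reader role, the corp-adfs provider) are constructed sample data. The one rule it encodes beyond this answer is from the STS documentation: GetFederationToken requires a session policy, and the federated session's effective permissions are the intersection of the caller's permissions and that policy.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# --- Minimal IAM policy model (constructed for this example; resources and conditions omitted) ---

@dataclass
class Statement:
    effect: str          # "Allow" or "Deny"
    actions: list        # action patterns such as "s3:GetObject" or "s3:*"

def policy_allows(policy: list, action: str) -> bool:
    """IAM evaluation in miniature: an explicit Deny wins, then any matching Allow, else deny."""
    allowed = False
    for stmt in policy:
        if any(fnmatchcase(action, pat) for pat in stmt.actions):
            if stmt.effect == "Deny":
                return False
            allowed = True
    return allowed

ALLOW_ALL = [Statement("Allow", ["*"])]

@dataclass
class Principal:
    name: str
    kind: str                              # "user", "root", "federated" or "role-session"
    policies: list = field(default_factory=list)

@dataclass
class Role:
    name: str
    policies: list                         # the role's permission policies
    trusted_principals: set = field(default_factory=set)   # trust policy: AWS principals
    trusted_idps: set = field(default_factory=set)         # trust policy: SAML providers

@dataclass
class SamlAssertion:
    issuer: str                            # hypothetical IdP name, e.g. "corp-adfs"
    subject: str

@dataclass
class Session:
    """Temporary credentials. Effective permission = identity policies AND session policy."""
    principal: Principal
    session_policy: Optional[list] = None

    def allows(self, action: str) -> bool:
        if not policy_allows(self.principal.policies, action):
            return False                   # a session policy can never grant more than the identity has
        if self.session_policy is not None and not policy_allows(self.session_policy, action):
            return False
        return True

def get_federation_token(caller: Principal, session_policy: list) -> Session:
    """Needs long-term IAM user (or root) credentials. The federated session inherits the
    caller's permissions, scoped down by the session policy, which STS requires."""
    if caller.kind not in ("user", "root"):
        raise PermissionError("GetFederationToken cannot be called with role credentials")
    if session_policy is None:
        raise ValueError("GetFederationToken requires a session policy")
    return Session(Principal(f"federated/{caller.name}", "federated", caller.policies), session_policy)

def assume_role(caller: Principal, role: Role, session_policy=None) -> Session:
    """The caller must be allowed sts:AssumeRole by its own policy AND be trusted by the role.
    The session's permissions come from the role's policies, not from the caller's."""
    if not policy_allows(caller.policies, "sts:AssumeRole"):
        raise PermissionError(f"{caller.name} lacks sts:AssumeRole")
    if caller.name not in role.trusted_principals:
        raise PermissionError(f"{role.name} does not trust {caller.name}")
    return Session(Principal(f"assumed-role/{role.name}", "role-session", role.policies), session_policy)

def assume_role_with_saml(role: Role, assertion: SamlAssertion, session_policy=None) -> Session:
    """No AWS credentials at all: the assertion from a trusted IdP is the proof of identity.
    (Signature checking is omitted here; real STS validates it against the provider's metadata.)"""
    if assertion.issuer not in role.trusted_idps:
        raise PermissionError(f"{role.name} does not trust IdP {assertion.issuer}")
    return Session(Principal(f"assumed-role/{role.name}", "role-session", role.policies), session_policy)

# Constructed sample identities (not real accounts)
alice = Principal("alice", "user", [Statement("Allow", ["s3:*", "dynamodb:GetItem", "sts:AssumeRole"])])
bob = Principal("bob", "user", [Statement("Allow", ["s3:*"])])
reader_role = Role("S3Reader", [Statement("Allow", ["s3:GetObject", "s3:ListBucket"])],
                   trusted_principals={"alice"}, trusted_idps={"corp-adfs"})

if __name__ == "__main__":
    fed = get_federation_token(alice, [Statement("Allow", ["s3:GetObject"])])
    print("federated session, s3:GetObject:", fed.allows("s3:GetObject"))
    print("federated session, s3:PutObject (scoped out):", fed.allows("s3:PutObject"))
    role_sess = assume_role(alice, reader_role)
    print("role session, s3:PutObject (alice has it, role does not):", role_sess.allows("s3:PutObject"))
    saml_sess = assume_role_with_saml(reader_role, SamlAssertion("corp-adfs", "alice@corp.example"))
    print("SAML session, s3:ListBucket:", saml_sess.allows("s3:ListBucket"))
```

Running the module prints the four cases that matter in this thread: a federated session keeps only what both the caller and the session policy allow; a role session is bounded by the role's policies even when the caller holds broader rights; and the SAML path produces the same kind of role session without any AWS credentials on the calling side, which is why AssumeRoleWithSAML is the natural choice once an IdP assertion exists and GetFederationToken is the fallback when the broker only has IAM user credentials.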