- AWS can talk SAML2.0 from external IdPs if the SAML Assertion to be send to AWS is correct then AWS provides temporal AWS Creds (AWS STS)
- AD Federated users -> AWS SSO -> Dropbox, Slack, Salesforce… or SAML Apps
- AD endpoints injected in a VPC via ENIs
- Uses an existing on-prem AD
- Multiple AD connections to speed and distribute load
- Requieres at least 2 subnets
- Supports network to VPN or Direct Connect
- Ideally works as PoC or backup for a Direct Connect
- Nothing is stored or acched, it just redirects AD traffic to on-prem AD servers
- Network becomes a single point of failure
- Microsoft 2012 R2
- Managed using standard AD Tools
- Standard: 30k users, Enterprise: 5000k Users
- Radius-base MFA support
- By default support HA
- Support 1-way or 2-way trust (with on-prem)
- Supports AD Native scheme extensions