How should the SAML assertion mapping be configured?
Map the group attribute to an AWS group. The AWS group is assigned IAM policies that govern access to AWS resources.
Map the policy attribute to IAM policies the federated user is assigned to. These policies govern access to AWS resources.
Map the role attribute to an AWS role. The AWS role is assigned IAM policies that govern access to AWS resources.
Map the user attribute to an AWS user. The AWS user is assigned specific IAM policies that govern access to AWS resources.
Explanations:
In SAML-based federation with AWS, the group attribute is not mapped to an IAM group. IAM groups contain IAM users, and a federated identity has no IAM user, so it cannot be placed in a group. Group membership in the identity provider is instead evaluated on the IdP side to decide which role values to put into the assertion; the role is what AWS ties permissions to.
There is no SAML attribute that attaches IAM policies directly to a federated user. Policies are attached to the role the user assumes (bounded by any permissions boundary on that role). The only per-session adjustment is a session policy passed in the AssumeRoleWithSAML call, and that can only narrow the role's permissions, never extend them.
The role attribute (https://aws.amazon.com/SAML/Attributes/Role) is the correct mapping. Each value names a pair of ARNs, the IAM role and the SAML provider allowed to assume it; the role's trust policy must trust that provider, and the IAM policies attached to the role are what govern the federated user's access to AWS resources.
AWS does not map a user attribute in a SAML assertion to an IAM user; federated identities never become IAM users. The user's identity travels in the RoleSessionName attribute, which AWS requires and records in CloudTrail as part of the assumed-role session, while the permissions come solely from the role.
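The role-pair mapping described above, worked through in code. This is an added example, not part of the original page: it parses the Role, RoleSessionName and SessionDuration attributes out of a constructed, unsigned SAMLResponse, normalises the role/provider ARN pairs, and builds the keyword arguments a boto3 `sts.assume_role_with_saml` call would take. The account IDs, role names and provider name (CorpIdP) are made up. A real response is signed by the IdP and AWS STS validates that signature; the client only forwards the base64 document.

```python
"""Added example (not from the original page): pick an IAM role out of the
SAML Role attribute and build the AssumeRoleWithSAML call for it."""
import base64
import xml.etree.ElementTree as ET

# Attribute names AWS defines for SAML federation.
ATTR_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
ATTR_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
ATTR_DURATION = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed, unsigned sample: three roles in two accounts, with one value
# in the reversed (provider-first) order that some IdPs emit.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/CorpIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::111111111111:saml-provider/CorpIdP,arn:aws:iam::111111111111:role/Admin</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::222222222222:role/Deploy,arn:aws:iam::222222222222:saml-provider/CorpIdP</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>3600</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def _attribute_values(root, name):
    """All AttributeValue texts of the SAML Attribute called `name`."""
    xpath = f".//saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(xpath, NS) if v.text]


def parse_role_pairs(saml_xml):
    """Return [(role_arn, provider_arn), ...] from the Role attribute.

    AWS documents the value as 'role-arn,provider-arn'; some IdPs emit the
    reverse order, so both are accepted and normalised. Anything that is not
    a role/saml-provider pair from the same account is rejected here rather
    than handed to STS."""
    root = ET.fromstring(saml_xml)
    pairs = []
    for value in _attribute_values(root, ATTR_ROLE):
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            raise ValueError(f"malformed Role value: {value!r}")
        role = next((p for p in parts if ":role/" in p), None)
        provider = next((p for p in parts if ":saml-provider/" in p), None)
        if role is None or provider is None:
            raise ValueError(f"not a role/provider pair: {value!r}")
        if role.split(":")[4] != provider.split(":")[4]:  # ARN field 4 = account
            raise ValueError(f"role and provider in different accounts: {value!r}")
        pairs.append((role, provider))
    return pairs


def session_name(saml_xml):
    """RoleSessionName: required by AWS and recorded in CloudTrail as the user
    inside the assumed-role session. It carries identity, not permissions."""
    values = _attribute_values(ET.fromstring(saml_xml), ATTR_SESSION_NAME)
    if not values:
        raise ValueError("assertion lacks RoleSessionName")
    return values[0]


def assume_role_kwargs(saml_xml, role_arn):
    """Keyword arguments for boto3 sts.assume_role_with_saml(**kwargs).

    Only a role the assertion actually lists can be chosen; STS would refuse
    any other role anyway, failing early keeps the error local."""
    pairs = dict(parse_role_pairs(saml_xml))
    if role_arn not in pairs:
        raise PermissionError(f"assertion does not authorise {role_arn}")
    kwargs = {
        "RoleArn": role_arn,
        "PrincipalArn": pairs[role_arn],
        # STS expects the whole base64-encoded SAMLResponse, signature included.
        "SAMLAssertion": base64.b64encode(saml_xml.encode()).decode(),
    }
    duration = _attribute_values(ET.fromstring(saml_xml), ATTR_DURATION)
    if duration:
        kwargs["DurationSeconds"] = int(duration[0])
    return kwargs


if __name__ == "__main__":
    for role, provider in parse_role_pairs(SAMPLE_RESPONSE):
        print(f"{role}  (trusting {provider})")
    kw = assume_role_kwargs(SAMPLE_RESPONSE, "arn:aws:iam::222222222222:role/Deploy")
    print(session_name(SAMPLE_RESPONSE), {k: v for k, v in kw.items() if k != "SAMLAssertion"})
    # With boto3 and network access: boto3.client("sts").assume_role_with_saml(**kw)
```

Picking a role on the client side grants nothing by itself. STS only issues credentials if the named role's trust policy lists the provider ARN as a Federated principal for sts:AssumeRoleWithSAML (normally with a StringEquals condition on SAML:aud of https://signin.aws.amazon.com/saml) and the IdP's signature over the response verifies against the provider's registered metadata. Everything the session can then do comes from the IAM policies attached to that role.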