Create IAM users for each identity provider (IdP) user to allow access to the AWS environment.
Define assertions that map the company’s identity provider (IdP) users to IAM roles.
Create IAM roles with a trust policy that lists the SAML provider as the principal.
Create IAM users, place them in a group named SAML, and grant them necessary IAM permissions.
Grant identity provider (IdP) users the necessary IAM permissions to be able to log in to the AWS environment.
Explanations:
IAM users are not required for federated access via SAML 2.0, as the federated users are authenticated by the identity provider (IdP) and mapped to IAM roles.
Defining assertions that map IdP users to IAM roles is essential for SAML 2.0 configuration. These assertions allow the IdP to assign roles and permissions to users logging in via SAML.
Creating IAM roles with a trust policy that lists the SAML provider as the principal is necessary to allow AWS to trust the IdP and authorize federated access to the AWS environment.
IAM users and groups are not needed when using SAML 2.0 for federated access. Access is granted through roles based on SAML assertions, not individual IAM users or groups.
The IdP manages user authentication. IAM permissions are granted to IAM roles, not to IdP users directly. The IdP user is granted access based on role mappings through SAML assertions.
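To make the correct options concrete, here is an added example (not part of the original question set) that builds the kind of role trust policy the explanations describe, with the SAML provider as the federated principal, and a small review function a defender can run over an existing trust policy to flag deviations such as an IAM user principal or a missing SAML:aud condition; the account ID and provider name are constructed placeholders.

```python
import json

# Constructed placeholders (assumptions, not values from the original page):
# replace with your account ID and the SAML provider name registered in IAM.
ACCOUNT_ID = "123456789012"
SAML_PROVIDER_NAME = "ExampleCorpIdP"
# Audience the AWS sign-in endpoint expects in the assertion (commercial partition).
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def build_saml_trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy for a role assumed by federated users: the SAML provider is the
    principal, the only action is sts:AssumeRoleWithSAML, and SAML:aud rejects
    assertions that were not issued for the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
                },
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
            }
        ],
    }


def trust_policy_issues(policy: dict) -> list:
    """Review an existing role trust policy and list deviations from that pattern."""
    issues = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or "Federated" not in principal:
            issues.append("principal is not a federated SAML provider")
        elif ":saml-provider/" not in str(principal["Federated"]):
            issues.append("federated principal is not an IAM SAML provider ARN")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if actions != ["sts:AssumeRoleWithSAML"]:
            issues.append("action should be exactly sts:AssumeRoleWithSAML")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            issues.append("missing SAML:aud condition for the AWS sign-in endpoint")
    return issues


if __name__ == "__main__":
    print(json.dumps(build_saml_trust_policy(ACCOUNT_ID, SAML_PROVIDER_NAME), indent=2))
```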