> For the complete documentation index, see [llms.txt](https://notebook.iuriioapps.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://notebook.iuriioapps.com/cloud/aws/security_and_compliance/web-identity-federation.md).

# Web Identity Federation

* Federation allows users to authenticate with a **Web Identity Provider** (Google, Facebook, Login with Amazon, or any OpenID Connect-compatible provider) instead of having an IAM user.
* The user authenticates first with the Web ID Provider and receives a token (an OpenID Connect ID token or OAuth access token), which is exchanged for temporary AWS credentials by assuming an IAM role. The role's trust policy must name the provider as the federated principal and should restrict the token's audience (`aud` / app ID) to your application; otherwise a token issued to any other app that uses the same provider could assume the role.
* **Cognito** is an **Identity Broker** which handles all interaction between your applications and the Web ID Provider:
  * Provides sign up, sign in, and guest (unauthenticated) user access
  * Syncs user data for a seamless experience across a user's devices
  * Cognito is the AWS recommended approach for Web Identity Federation, particularly for mobile apps.
* Cognito has two components with different jobs:
  * **User Pools** are a user directory that manages sign up and sign in, either directly (username and password, MFA) or via a Web ID Provider, and issues its own JWTs (ID, access and refresh tokens).
  * **Identity Pools** (Federated Identities) exchange a token from a User Pool or a Web ID Provider for temporary AWS credentials for an authenticated or unauthenticated IAM role.
* Cognito uses push synchronization (Cognito Sync) to send a silent push notification of user data updates to multiple device types associated with a user ID. Cognito Sync is a legacy service; AWS points new applications to AWS AppSync for this.

**STS AssumeRoleWithWebIdentity**

* Part of STS (Security Token Service)
* Allows users who have authenticated with a Web ID Provider to access AWS resources
* Once the user has authenticated, the application calls the `AssumeRoleWithWebIdentity` API (`aws sts assume-role-with-web-identity` on the CLI), passing the provider's token, the ARN of the role to assume and a session name. The call is unsigned: the app needs no AWS credentials of its own to make it.
* STS verifies the token's signature and claims against the provider and the role's trust policy; if successful, it returns temporary credentials (access key ID, secret access key, session token and expiry) enabling access to AWS resources. They last one hour by default; `DurationSeconds` can set anything from 15 minutes up to the role's maximum session duration.
* The response's `AssumedRoleUser` contains an ARN and an `AssumedRoleId` that identify the role session. You can use them to refer to the resulting temporary credentials, for example as a principal in a resource-based policy or to spot the session in CloudTrail; they are not the ARN of an IAM role or user.
* Mobile apps should use Cognito for federation instead of calling STS AssumeRoleWithWebIdentity directly.
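The exchange described above, as an added example that is not part of the original page: the role trust policy with the `aud` condition, a pre-flight check of the provider token's claims, and the unsigned `AssumeRoleWithWebIdentity` call with boto3. The role ARN, Google client ID, account ID and the sample ID token are placeholders constructed for the example; boto3 is only imported inside the function that actually talks to STS, so the rest runs offline.

```python
"""Web identity federation: token -> temporary AWS credentials via AssumeRoleWithWebIdentity.

Added example, not code from the page. ROLE_ARN, CLIENT_ID and SAMPLE_TOKEN are
placeholders/constructed values; replace them with your own when calling AWS for real.
"""
import base64
import json
import time

ROLE_ARN = "arn:aws:iam::123456789012:role/MobileAppFederatedRole"       # placeholder
PROVIDER = "accounts.google.com"                                          # IAM's id for Google
CLIENT_ID = "123456789012-example.apps.googleusercontent.com"             # placeholder OAuth client id


def build_trust_policy(provider: str, audience: str) -> dict:
    """Trust policy letting tokens from `provider` assume the role, but only tokens issued
    for our app. Without the `aud` Condition, any app whose users sign in with the same
    provider could present its users' tokens and assume this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {"StringEquals": {f"{provider}:aud": audience}},
            }
        ],
    }


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_token_claims(id_token: str) -> dict:
    """Read the JWT payload. This does NOT verify the signature: STS verifies it against
    the provider's published keys, so the client only needs the claims for pre-flight checks."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def preflight_errors(claims: dict, provider: str, audience: str, now=None) -> list:
    """Mirror the checks STS/the trust policy will enforce so a bad token fails fast
    with a clear reason instead of an opaque AccessDenied."""
    now = time.time() if now is None else now
    errors = []
    issuer = claims.get("iss", "")
    if issuer.replace("https://", "", 1) != provider:
        errors.append(f"iss {issuer!r} is not {provider!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        errors.append(f"aud {aud!r} does not include {audience!r}; the role condition would reject it")
    if claims.get("exp", 0) <= now:
        errors.append("token is expired")
    return errors


def assume_role_with_web_identity(role_arn, id_token, session_name, duration_seconds=3600):
    """Exchange the provider token for temporary credentials. The caller has no AWS
    credentials yet, so the STS client is configured unsigned (the API needs no SigV4)."""
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config

    sts = boto3.client("sts", config=Config(signature_version=UNSIGNED))
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=session_name,       # 2-64 chars of [\w+=,.@-]
        WebIdentityToken=id_token,
        DurationSeconds=duration_seconds,   # 900 .. role's max session duration
    )
    # resp["AssumedRoleUser"]["Arn"] looks like
    # arn:aws:sts::123456789012:assumed-role/MobileAppFederatedRole/<session_name>
    return resp["Credentials"], resp["AssumedRoleUser"]


def _fake_jwt(claims: dict) -> str:
    """Build an unsigned JWT-shaped string for offline demonstration (constructed sample)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.fakesignature"


# Constructed sample: the claims a Google id_token carries after sign-in (values invented).
SAMPLE_CLAIMS = {"iss": "https://accounts.google.com", "sub": "110169484474386276334",
                 "aud": CLIENT_ID, "iat": 1700000000, "exp": 1700003600}
SAMPLE_TOKEN = _fake_jwt(SAMPLE_CLAIMS)

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(PROVIDER, CLIENT_ID), indent=2))
    claims = decode_token_claims(SAMPLE_TOKEN)
    print("pre-flight errors:", preflight_errors(claims, PROVIDER, CLIENT_ID, now=1700000100))
    # Real exchange (needs network, a genuine provider token and the role above deployed):
    # creds, who = assume_role_with_web_identity(ROLE_ARN, real_id_token, "user-" + claims["sub"])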


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://notebook.iuriioapps.com/cloud/aws/security_and_compliance/web-identity-federation.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
