# Web Identity Federation

* Federation allows users to authenticate with **Web Identity Provider** (Google, Facebook, etc).
* The user authenticates first with Web ID Provider and receives a token, which is exchanged for temporary AWS credentials allowing them to assume IAM role<br>
* **Cognito** is an **Identity Broker** which handles interaction between your applications and the Web ID Provider:
  * Provides sign up, sign in, and guest user access
  * Syncs user data for a seamless experience across your devices
  * Cognito is the AWS recommended approach for Web Identity Federation, particularly for mobile apps.
* Cognito uses **User Pools** to manage user sign up and sign in directly or via Web ID Provider
* Cognito acts as an Identity Broker, handling all interactions with Web ID Provider
* Cognito uses push synchronization to send a silent push notification of user data updates to multiple device types associated with a user ID.

**STS AssumeRoleWithWebIdentity**

* Part of STS (Security Token Service)
* Allows users who have authenticated with Web ID Provider to access AWS resources
* Once the user has authenticated, the application makes the '`assume-role-with-web-identity`' API call.
* If successful, STS will return temporary credentials enabling access to AWS resources
* AssumedRoleUser ARN and AssumedRoleID are used to programmatically reference the temporary credentials - not an IAM role or user.
* Mobile apps should use Cognito for federation instead of STS AssumeRoleWithWebIdentity