Cloud Identity Federation Cheat Sheet

Updated 2026-05-21

Next Topic: Cloud Load Balancing Cheat Sheet

Cloud identity federation is the practice of extending trust across organizational and cloud-platform boundaries so that users authenticate once — in their own identity provider — and gain access to resources across AWS, Azure, GCP, and SaaS applications without maintaining separate credentials in each system. It sits at the intersection of security architecture and user experience: done well, it eliminates credential sprawl and accelerates onboarding; done poorly, it creates invisible blast radii where a single compromised signing certificate unlocks every federated application at once. The critical mental model is that federation shifts risk from password hygiene to trust-relationship integrity — your attack surface is now your IdP signing keys, your role trust policies, and your claim validation logic, not individual passwords.

What This Cheat Sheet Covers

This topic spans 17 focused tables and 129 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

Table 1: Federation Protocols ComparedTable 2: Identity Provider PatternsTable 3: SAML 2.0 Core ConceptsTable 4: OIDC Core Concepts and FlowsTable 5: SCIM Provisioning and Lifecycle ManagementTable 6: AWS Federated Access PatternsTable 7: Azure / Entra ID Federation PatternsTable 8: GCP Workforce and Workload Identity FederationTable 9: CI/CD and Workload Identity Federation (Keyless Auth)Table 10: Multi-Factor Authentication and Step-Up Auth in FederationTable 11: Session Management and Token LifetimesTable 12: Security Attacks, Misconfigurations, and Audit GapsTable 13: Identity Governance and Access Reviews for Federated IdentitiesTable 14: B2B and B2C Identity PatternsTable 15: Cross-Cloud and Multi-Cloud Federation PatternsTable 16: Claim Transformations and Attribute MappingTable 17: Common Misconfigurations and Hardening Checklist

Table 1: Federation Protocols Compared

The three major federation protocols — SAML 2.0, OpenID Connect, and WS-Federation — cover different eras and use cases of enterprise identity. Choosing the wrong protocol forces workarounds; knowing when each one still applies is one of the most practical decisions in identity architecture.

Protocol	Example	Description
SAML 2.0	`<samlp:AuthnRequest>` `Destination="https://idp.example.com/sso/saml"` `AssertionConsumerServiceURL=` `"https://sp.example.com/acs"/>`	XML-based open standard for browser SSO; uses signed assertions with three statement types: AuthnStatement, AttributeStatement, and AuthzDecisionStatement; dominates enterprise SaaS (Slack, Salesforce, Zoom).
OIDC (OpenID Connect)	`GET /authorize?response_type=code` `&client_id=CLIENT_ID` `&redirect_uri=https://app.example.com/cb` `&scope=openid+email+profile`	Lightweight identity layer on OAuth 2.0; uses JSON Web Tokens (JWTs) instead of XML; preferred for modern, API-first, and mobile applications; becoming dominant in cloud-native and CI/CD federation.
WS-Federation	`GET /adfs/ls/?wa=wsignin1.0` `&wtrealm=https://app.example.com` `&wctx=session%3Dabc123`	Microsoft-origin protocol for browser-based SSO (Passive Requestor Profile); underpins legacy SharePoint, Exchange, and ASP.NET apps built on Windows Identity Foundation; still in wide use in hybrid Microsoft environments.

Table 1: Federation Protocols Compared

Protocol	Example	Description
SAML 2.0	`<samlp:AuthnRequest>` `Destination="https://idp.example.com/sso/saml"` `AssertionConsumerServiceURL=` `"https://sp.example.com/acs"/>`	XML-based open standard for browser SSO; uses signed assertions with three statement types: AuthnStatement, AttributeStatement, and AuthzDecisionStatement; dominates enterprise SaaS (Slack, Salesforce, Zoom).
OIDC (OpenID Connect)	`GET /authorize?response_type=code` `&client_id=CLIENT_ID` `&redirect_uri=https://app.example.com/cb` `&scope=openid+email+profile`	Lightweight identity layer on OAuth 2.0; uses JSON Web Tokens (JWTs) instead of XML; preferred for modern, API-first, and mobile applications; becoming dominant in cloud-native and CI/CD federation.
WS-Federation	`GET /adfs/ls/?wa=wsignin1.0` `&wtrealm=https://app.example.com` `&wctx=session%3Dabc123`	Microsoft-origin protocol for browser-based SSO (Passive Requestor Profile); underpins legacy SharePoint, Exchange, and ASP.NET apps built on Windows Identity Foundation; still in wide use in hybrid Microsoft environments.