Many organizations need, or want, SAML-based single sign-on (SSO) to AWS.
AWS supports identity federation using SAML (Security Assertion Markup Language 2.0), an open standard used by many identity providers. This feature enables federated single sign-on (SSO), which lets users log into the AWS Management Console or make programmatic calls to AWS APIs. Using SAML can simplify the process of configuring federation with AWS, because you can use identity provider software instead of writing code.
AWS STS and IAM support the following use cases:
Web-based single sign-on (WebSSO) to the AWS Management Console from your organization. Users can sign in to a portal in your organization, select an option to go to AWS, and be redirected to the console without having to provide additional sign-in information. For more information, see Giving AWS Console Access to Federated Users Using SAML.
Constant value: the Role ARN and the SAML provider ARN (as stored in AD), separated by a comma, e.g., arn:aws:iam::625143326143:role/Admin,arn:aws:iam::625143326143:saml-provider/idp1. Both ARNs must be in the same account, and the role's trust policy must name that SAML provider as the principal allowed to call sts:AssumeRoleWithSAML; to offer a user several roles, emit one such pair per AttributeValue.
Create one more attribute, RoleSessionName:
localAttribute: the attribute that holds the username (this is what AWS displays as the session name), e.g., givenName
Remote Attribute: RoleSessionName
Remote nameSpace: https://aws.amazon.com/SAML/Attributes/
Note that the session name must match [\w+=,.@-]{2,64} and ends up in CloudTrail as part of the assumed-role ARN (arn:aws:sts::625143326143:assumed-role/Admin/<RoleSessionName>), so a unique attribute such as sAMAccountName or the email address is a better choice than givenName, which is neither unique nor guaranteed to be free of spaces.
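The following is an added example, not code from the page or from any IdP vendor: it parses the AWS-specific attributes out of a SAMLResponse the way a CLI SSO helper does before calling sts:AssumeRoleWithSAML, and applies the checks that catch the mapping mistakes above (a Role value that is not a role/provider pair, ARNs from two different accounts, a RoleSessionName that STS will reject). The sample response, the IdP URL and the user "jdoe" are constructed for the example; the ARNs are the ones from the page. The parser accepts the two ARNs in either order, since IdPs in the wild emit both, although the mapping on this page puts the role ARN first.

```python
"""Parse and validate the AWS Role / RoleSessionName attributes of a SAML response.

Added example, not the page's own code. The XML signature is NOT verified here:
STS verifies it server-side against the registered SAML provider; this client-side
parse only picks the role to assume and catches attribute-mapping mistakes early.
"""
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Comma is omitted from the role-name class because it is the pair delimiter.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$", re.ASCII)
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$", re.ASCII)
# Pattern STS enforces on RoleSessionName.
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$", re.ASCII)


def parse_role_pair(value):
    """Split one Role attribute value into (role_arn, provider_arn).

    Accepts either ordering and rejects anything that is not exactly one role ARN
    plus one saml-provider ARN from the same account.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"Role attribute must hold exactly two ARNs: {value!r}")
    role = next((p for p in parts if ROLE_ARN_RE.match(p)), None)
    provider = next((p for p in parts if PROVIDER_ARN_RE.match(p)), None)
    if role is None or provider is None:
        raise ValueError(f"not a role/provider ARN pair: {value!r}")
    if ROLE_ARN_RE.match(role).group(1) != PROVIDER_ARN_RE.match(provider).group(1):
        raise ValueError(f"role and provider ARNs are in different accounts: {value!r}")
    return role, provider


def parse_aws_attributes(saml_response_b64):
    """Return {'roles': [(role_arn, provider_arn), ...], 'session_name': str}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")
    audiences = [a.text for a in assertion.findall(".//saml:Audience", SAML_NS)]
    if AWS_AUDIENCE not in audiences:
        raise ValueError(f"assertion is not addressed to AWS: {audiences}")
    attrs = {}
    for attr in assertion.findall(".//saml:Attribute", SAML_NS):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = [v.text.strip() for v in values if v.text]
    roles = [parse_role_pair(v) for v in attrs.get(ROLE_ATTR, [])]
    if not roles:
        raise ValueError(f"no {ROLE_ATTR} attribute in assertion")
    names = attrs.get(SESSION_NAME_ATTR, [])
    if len(names) != 1 or not SESSION_NAME_RE.match(names[0]):
        raise ValueError(f"RoleSessionName missing or invalid: {names}")
    return {"roles": roles, "session_name": names[0]}


def assume_role_kwargs(parsed, saml_response_b64, index=0, duration=3600):
    """Build the keyword arguments for boto3's sts.assume_role_with_saml()."""
    role_arn, provider_arn = parsed["roles"][index]
    return {"RoleArn": role_arn, "PrincipalArn": provider_arn,
            "SAMLAssertion": saml_response_b64, "DurationSeconds": duration}


# Constructed sample response (no signature); the IdP URL and user are made up.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://signin.aws.amazon.com/saml">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::625143326143:role/Admin,arn:aws:iam::625143326143:saml-provider/idp1</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::625143326143:saml-provider/idp1,arn:aws:iam::625143326143:role/ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    parsed = parse_aws_attributes(SAMPLE_RESPONSE_B64)
    for i, (role, provider) in enumerate(parsed["roles"]):
        print(f"[{i}] {role}  via  {provider}")
    print("session name:", parsed["session_name"])
    print(assume_role_kwargs(parsed, SAMPLE_RESPONSE_B64, index=1))
```

The same validation is worth running against a real response captured from the IdP (the base64 SAMLResponse form field) before a rollout: a givenName containing a space, for instance, fails SESSION_NAME_RE here for the same reason STS would reject it.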