If your account's users already have a way to be authenticated, such as authentication through your corporate network, you can federate those user identities into AWS.
A user who has already logged into the corporate network with their corporate ID can have that identity exchanged, by the corporate identity system, for a temporary identity in your AWS account.
This user can then work in the AWS Management Console.
Similarly, an application that the user is working with can make programmatic requests using permissions that you define.
Federation is particularly useful in the following cases:
1. Your users already have identities in a corporate directory.
If your corporate directory is compatible with Security Assertion Markup Language 2.0 (SAML 2.0), you can configure it to provide single sign-on (SSO) access to the AWS Management Console for your users.
If your corporate directory is not compatible with SAML 2.0, you can create an identity broker application to provide SSO access to the AWS Management Console for your users.
If your corporate directory is Microsoft Active Directory, you can use AWS Directory Service to establish trust between your corporate directory and your AWS account.
2. Your users already have internet identities.
If you are creating a mobile app or web-based app that lets users identify themselves through an internet identity provider such as Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)-compatible identity provider, the app can use web identity federation to access AWS.
AWS recommends using Amazon Cognito for identity federation.
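As an added example (not code from the page or from AWS), the identity broker case from item 1 above in Python: the broker, having already checked the user against the corporate directory, obtains temporary credentials from STS, exchanges them at the AWS federation endpoint for a sign-in token, and redirects the browser to the console with that token. The role ARN, corporate user id and issuer URL are assumed placeholders supplied by the caller; only the STS step needs boto3 and network access.

```python
import json
import urllib.parse
import urllib.request

# Real AWS endpoints; the role ARN and issuer passed in below are placeholders.
FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"


def mint_temporary_credentials(role_arn, corporate_user_id, duration_seconds=3600):
    """Step 1: after the broker has verified the user against the corporate
    directory, ask STS for temporary credentials for a role. The corporate
    user id becomes the RoleSessionName, so CloudTrail records who used it."""
    import boto3  # imported here so the offline helpers below need no boto3
    sts = boto3.client("sts")
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=corporate_user_id,
                           DurationSeconds=duration_seconds)
    return resp["Credentials"]


def session_document(credentials):
    """The JSON the federation endpoint expects: the three parts of the
    temporary credentials, under the endpoint's own field names."""
    return json.dumps({"sessionId": credentials["AccessKeyId"],
                       "sessionKey": credentials["SecretAccessKey"],
                       "sessionToken": credentials["SessionToken"]})


def signin_token_request_url(credentials, session_duration=3600):
    """Step 2: URL for exchanging the temporary credentials for a sign-in token."""
    params = {"Action": "getSigninToken",
              "SessionDuration": str(session_duration),
              "Session": session_document(credentials)}
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def fetch_signin_token(credentials):
    """Perform step 2 over the network (not exercised offline)."""
    with urllib.request.urlopen(signin_token_request_url(credentials)) as resp:
        return json.load(resp)["SigninToken"]


def console_login_url(signin_token, issuer, destination=CONSOLE_URL):
    """Step 3: URL the broker redirects the browser to. The user only ever
    receives the short-lived sign-in token, never the credentials themselves."""
    params = {"Action": "login", "Issuer": issuer,
              "Destination": destination, "SigninToken": signin_token}
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def query_params(url):
    """Decode a URL's query string to a flat dict (used to inspect results)."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlparse(url).query).items()}
```

Because the role's permissions, not the user's corporate group, govern what the session can do, the broker is the place to map corporate users to appropriately scoped roles and to keep the session duration short.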
IAM users in your account have access only to the AWS resources that you specify in the policy attached to the user or to an IAM group that the user belongs to.
To work in the console, users must have permission to perform the actions that the console performs, such as listing and creating AWS resources.