What is ADFS and where would you set it up?

ADFS stands for Active Directory Federation Services. ADFS is an identity broker that provides single sign-on for your enterprise users to access AWS resources via the AWS Console, without duplicating their user accounts in IAM. It runs on-premises, next to the Active Directory it authenticates against. To sign in, a user sends a request to the on-premises ADFS, which authenticates the user against on-premises AD and returns a SAML token to the user. The user’s web browser then forwards this SAML token to AWS Sign-In, which verifies that the token originates from a trusted ADFS service, fetches the desired identity from IAM, and grants the user access to the AWS Console under that identity.
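As an added illustration (not code from the original page), the checks the AWS Sign-In side of this flow applies to an incoming SAML token, written in Python over a constructed sample assertion: the issuer URL, account id, role name and SAML-provider ARN are placeholders, and XML-signature verification, which is what actually proves the token came from the trusted ADFS, is omitted because it needs the provider certificate and an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # SAML 2.0 assertion namespace
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"        # AWS Sign-In SAML endpoint
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # AWS role-mapping attribute
# Constructed sample (not a real token); account id, issuer URL and role name are placeholders.
TRUSTED_ISSUERS = {"http://adfs.example.corp/adfs/services/trust"}
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/ADFS"
SAMPLE_NOW = datetime(2024, 1, 1, 0, 30, tzinfo=timezone.utc)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://adfs.example.corp/adfs/services/trust</saml:Issuer>
  <saml:Assertion>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Admin,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def evaluate_saml_response(xml_text, trusted_issuers, provider_arn, now):
    """Return the IAM role ARNs the assertion grants, else raise ValueError. Mirrors the
    checks AWS Sign-In applies before mapping a token to an IAM identity (signature check omitted)."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:  # token must come from a federation service we trust
        raise ValueError(f"untrusted issuer: {issuer}")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    not_before, not_after = (datetime.fromisoformat(cond.get(k).replace("Z", "+00:00"))
                             for k in ("NotBefore", "NotOnOrAfter"))
    if not (not_before <= now < not_after):  # replayed or stale tokens are rejected
        raise ValueError("assertion outside its validity window")
    if AWS_AUDIENCE not in [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not addressed to AWS Sign-In")
    roles = []
    for attr in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            # Each value is "role ARN,SAML-provider ARN": the provider half must be ours.
            role_arn, bound_provider = (p.strip() for p in value.text.split(",", 1))
            if bound_provider != provider_arn:
                raise ValueError(f"{role_arn} is bound to a different SAML provider")
            roles.append(role_arn)
    if not roles:
        raise ValueError("no Role attribute: nothing to map to an IAM identity")
    return roles
```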