A workspace is a set of actors belonging to a company.

Each company can have one and only one Identity Provider and one or more accounts on one or more Service Providers.


A User is an Identity registered within the Identity Provider.

The User can assume one or more roles within the Service Providers through a federation that can be pre-existing or created and led by LookAuth.

Each User makes use of a Client to get programmatic access to Cloud resources.

The company administrator is the one who chooses which users are allowed programmatic access to the Service Providers.

Identity Provider

An Identity Provider is a trusted system that authenticates users.


The Federation is the system through which an Identity Provider and one or more Service Providers are linked.

It is a pre-authorized trust between the Identity Provider and Service Provider through which a user can be allowed to assume a Role on the account within the Service Provider.

The federation is internal to the workspace.

Trust Relationship

A Trust Relationship is a system that allows you to link a Federated Account to a Truster account within the same Service Provider. It consists of an implicit trust that allows a role in the Federated Account to assume a role in the Truster account.

Cloud Service Provider

A Cloud Service Provider is a company that delivers cloud computing-based services and solutions to businesses and/or individuals (AWS, Azure, Alibaba, Google Cloud).


A role is an identity with permissions that determine what the User can or cannot do in an account.

Federated Account

A Federated Account is an account in which there is a Federation between the Identity provider and the Account itself.

Trusted Account

A Trusted Account is an account a User has access to, through a Federated Account.

On one hand, access is guaranteed by the Federation between the Identity Provider and the Federated Account; on the other, by a trust relationship between the Federated Account and the Truster account itself.

This means that a Truster Account Role can be assumed from the Federated Account role on behalf of the User.


The session is the set of operations that the user performs over a period of time on a set of resources, after selecting the account and the role.

User-Role mapping

Describes the set of roles, within the accounts, that the user has permission to access.

For accounts to be accessed correctly, the User-Role mapping must reflect the Federation and/or Trust configurations of the Identity Providers and Service Providers.
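
The consistency requirement above can be checked mechanically. The following is an added example, not LookAuth code: it audits a User-Role mapping against Federation and Trust Relationship configuration and reports entries that no configuration backs. The data model, account names, role names and users are all hypothetical and constructed for illustration.

```python
# Added example: hypothetical data model, all names and values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    account: str
    name: str

# Federation: roles in Federated Accounts that the Identity Provider can assume directly.
FEDERATED_ROLES = {Role("fed-account", "developer"), Role("fed-account", "auditor")}

# Trust Relationships: Truster account role -> Federated Account roles allowed to assume it.
TRUST = {
    Role("prod-account", "read-only"): {Role("fed-account", "auditor")},
    # Misconfiguration: the only trusted source role is not federated.
    Role("prod-account", "admin"): {Role("fed-account", "ops")},
}

# User-Role mapping chosen by the company administrator.
USER_ROLE_MAPPING = {
    "alice": [Role("fed-account", "developer"), Role("prod-account", "read-only")],
    "bob": [Role("prod-account", "admin"), Role("dev-account", "tester")],
}

def resolve(role):
    """Return the chain of roles to assume for a mapped role, or None if no path exists."""
    if role in FEDERATED_ROLES:
        return [role]  # reachable through the Federation alone
    for source in sorted(TRUST.get(role, ()), key=lambda r: (r.account, r.name)):
        if source in FEDERATED_ROLES:
            return [source, role]  # Federation first, then the Trust Relationship
    return None

def audit(mapping):
    """Split mapping entries into resolvable chains and entries with no backing config."""
    resolvable, broken = {}, []
    for user, roles in mapping.items():
        for role in roles:
            chain = resolve(role)
            if chain is None:
                broken.append((user, role))
            else:
                resolvable[(user, role)] = chain
    return resolvable, broken

if __name__ == "__main__":
    ok, bad = audit(USER_ROLE_MAPPING)
    for (user, role), chain in ok.items():
        print(user, "->", " -> ".join(f"{r.account}/{r.name}" for r in chain))
    for user, role in bad:
        print("UNBACKED:", user, f"{role.account}/{role.name}")
```

Entries reported as unbacked are mapping rows that would fail at session start, or that point to a role whose trust path was removed and should be cleaned up.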