by dhess
1683 days ago
Prior to AWS SSO and Control Tower, we followed best practices and used an "identity hub" account in our organization, tied to our IdP via SAML. Users authenticated via SAML into their identity hub role, and that role could then `sts:AssumeRole` to any other roles they needed to do their work. We've since adopted AWS SSO and Control Tower, and to address the problems with it that you mention, we configure the SSO permission set so that the only thing the user can do is assume their identity hub role. Because you can chain `AssumeRole`, it's an extra indirection, but everything works just like it did before. So while I agree that AWS SSO is not the right place to configure fine-grained permissions, I think that overall I prefer the benefits of Control Tower and the relatively easy SAML integration provided by AWS SSO over the previous bespoke SAML configuration we used. It's a bit inconvenient to set up the extra hoop to jump through to go from SSO permission set to identity hub IAM Role, but that's a one-time cost and is trivial to maintain.
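An added example, not the commenter's own configuration: the two policy documents the pattern above needs (the permission set's inline policy and the identity hub role's trust policy), plus a small lint a defender can run over permission-set inline policies to confirm nothing beyond the single `sts:AssumeRole` grant has crept in. It assumes the permission set is assigned to the identity hub account itself; the account ID, role name and permission set name are constructed placeholders.

```python
"""Added example (not the commenter's configuration): policies for an SSO permission
set whose only grant is AssumeRole on an identity hub role, plus a lint for them.
Account ID, role name and permission set name are constructed placeholders."""
import json

HUB_ACCOUNT = "111111111111"                       # placeholder identity hub account
HUB_ROLE_ARN = f"arn:aws:iam::{HUB_ACCOUNT}:role/IdentityHubUser"
PERMISSION_SET = "IdentityHubOnly"                 # placeholder permission set name

# Inline policy of the SSO permission set: the only grant is AssumeRole on the hub role.
PERMISSION_SET_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyAssumeIdentityHubRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": HUB_ROLE_ARN,
    }],
}

# Trust policy on the identity hub role: accept only sessions that arrived through the
# SSO-provisioned role for that permission set (AWS appends a hash to the role name).
HUB_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{HUB_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {"aws:PrincipalArn":
            f"arn:aws:iam::{HUB_ACCOUNT}:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_{PERMISSION_SET}_*"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def grants_only_hub_assume(policy, hub_role_arn=HUB_ROLE_ARN):
    """Lint: True iff every Allow statement is exactly sts:AssumeRole on hub_role_arn.
    NotAction/NotResource and wildcards are rejected, since they widen the grant."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue                                  # an explicit Deny only narrows
        if "NotAction" in stmt or "NotResource" in stmt:
            return False
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if actions != {"sts:assumerole"} or resources != {hub_role_arn}:
            return False
    return True

if __name__ == "__main__":
    print(json.dumps(PERMISSION_SET_INLINE_POLICY, indent=2))
    print(json.dumps(HUB_ROLE_TRUST_POLICY, indent=2))
    print("permission set is hub-only:", grants_only_hub_assume(PERMISSION_SET_INLINE_POLICY))
```

Because the hub role is reached by role chaining, its session is capped at one hour regardless of the permission set's session duration.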