Feature Proposal: Support for Direct Federation #14

@nhawkins04

Description

This toolset works great to create roles for a hub-and-spoke method with a central identity account! It would be nice to also have support for roles where each account has direct federation. Right now if I try to do this, I get an error if a parent_account is not specified.

It would be nice if we could declare the configuration like this and it would have the role in each account have a trust relationship to a SAML provider configured in the same account:

```yaml
accounts:
  account1:
    id: 000000000000
    saml_provider: OktaIDP
  account2:
    id: 000000000000
    saml_provider: OktaIDP
roles:
  ReadOnly:
    trusts:
      - OktaIDP
    managed_policies:
      - arn:aws:iam::aws:policy/ReadOnlyAccess
    in_accounts:
      - all
```

I am basing this on some of the new ways we can integrate Okta without the central identity account design: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-Web-Service#scenarioB
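The shape of what this request asks for, as an added example that is not part of the issue or the project's code: the proposed config (mirrored as a constructed Python dict, with placeholder account ids) is expanded into one IAM trust policy per account, each trusting only the SAML provider registered in that same account and pinning the SAML audience. The policy layout and the `SAML:aud` value are assumptions about how such a generator would be written, not the project's behaviour.

```python
import json

# Constructed config mirroring the YAML in the issue (account ids are placeholders).
CONFIG = {
    "accounts": {
        "account1": {"id": "000000000000", "saml_provider": "OktaIDP"},
        "account2": {"id": "000000000000", "saml_provider": "OktaIDP"},
    },
    "roles": {
        "ReadOnly": {
            "trusts": ["OktaIDP"],
            "managed_policies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
            "in_accounts": ["all"],
        }
    },
}

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS expects in the assertion


def target_accounts(role, accounts):
    """Expand the special value 'all' or an explicit list into account names."""
    names = role.get("in_accounts", [])
    return list(accounts) if names == ["all"] else names


def trust_policy(account, providers):
    """Trust policy that lets only SAML providers *in this account* assume the role."""
    statements = []
    for provider in providers:
        # Direct federation: the provider must exist in this account; no parent_account fallback.
        if account.get("saml_provider") != provider:
            raise ValueError(f"account {account['id']} has no SAML provider named {provider}")
        statements.append({
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account['id']}:saml-provider/{provider}"},
            "Action": "sts:AssumeRoleWithSAML",
            # Pin the audience so an assertion issued for some other relying party is rejected.
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def render_roles(config):
    """Return {(account_name, role_name): trust policy} for every role/account pair."""
    out = {}
    for role_name, role in config["roles"].items():
        for acct_name in target_accounts(role, config["accounts"]):
            out[(acct_name, role_name)] = trust_policy(config["accounts"][acct_name], role["trusts"])
    return out


if __name__ == "__main__":
    for key, doc in render_roles(CONFIG).items():
        print(key, json.dumps(doc, indent=2))
```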
