Identity federation with multiple AWS accounts

How should we design user access to multiple AWS accounts? As organizations scale, they tend to centralize identity with SSO SAML federation, but there are two patterns for federation with AWS.

Hub-and-spoke: users assume federated roles into a single AWS “identity account” and perform a second role assumption into sub-accounts

Direct: users assume federated roles into AWS sub-accounts directly

Hub-and-spoke vs. direct federation for AWS accounts