I have implemented SSO for my application. I am using AWS Cognito as Service Provider and Azure AD as Identity Provider. IdP is configured through SAML in Cognito. Below is the URL generated
https://<my_custom_domain>.auth.us-east-1.amazoncognito.com/oauth2/authorize?identity_provider=<IdP_Name>&redirect_uri=<Callback_url_passed_in_Cognito>&response_type=TOKEN&client_id=<Client_Id>&scope=aws.cognito.signin.user.admin%20email%20openid%20profile&state=transit
In my application, when a user tries to log in initially with their MS 365 account it asks for user credentials.
But after logout from the app, if the user attempts to log in again with a different account, it is not asking the user to enter credentials or pick up an existing account. It directly makes the app login for the previous account.
Note: If in my browser there are multiple MS 365 accounts signed-in then only my app asks for which account to use. If there is a single MS 365 account present then my app uses that one without asking the user to Sign-in with a different account.
Since you have specifically mentioned SAML for Cognito and Azure AD integration, this answer is based on that.
When SAML service provider (SP) initate a SAML auth request with Azure AD, it can specify ForceAuthn param as true. With that Azure AD should always prompt user to authenticate. Please refer this document. So that is supported in Azure AD.
But as far as I know, Cognito doesn't support to include that parameter in the SAML AuthnRequest. Same concern has raised in this question as well.
Even though I haven't tried, I think you should be able to use Sign-out flow in Cognito SAML configuration along with Azure AD single sign-out. So I believe it should sign out the user from Microsoft and should prompt for the credentials when user try to sign in again.
I tried to reproduce the same in my environment and got the below results:
Note that:
SSO allows users to authenticate once and access applications without re-entering credentials.
Single Sign-On allows users log in only once to access application without having to enter the login information each time.
Hence, if there is only a single MS 365 account present then it doesn't ask user to pick an account.
For sample, I configured SSO and tried to access below endpoint:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=XXXX
&response_type=code
&redirect_uri=redirecturi
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
The browser prompted to Pick an account when there were multiple accounts only like below:
Alternatively, you can make use of prompt=login in the authorize endpoint and enter the credentials to access the application. The prompt will be appear like below:
Otherwise, to ensure the Pick an account screen try creating a conditional policy which requires multi-factor MFA) or device compliance when user try to access the Application.
Reference:
Single sign-on - Microsoft Entra | Microsoft Learn
Related
I'm trying to configure my AWS cognito User pool for federated sign-in for microsoft users. I've followed this article.
https://aws.amazon.com/blogs/security/how-to-set-up-amazon-cognito-for-federated-authentication-using-azure-ad/
This authentication flow is working only for the users who are associated with specific enterprise application created inside Azure AD. I have multiple clients who are having their own Azure AD instances for maintaining their users and handling authentication. I need to onboard those users in my application using federated sign-in. Hence I'm trying to give a generic button to end users to Login with Microsoft. Can someone please suggest the direction?
I'm working on setting up Google as an IdP for my Cognito User Pool. I'm following this AWS guide.
Even though I'm only selecting "non-sensitive scopes" (opened, profile, email) when configuring the OAuth app, Google is then saying that it requires verification.
The AWS guide linked above says:
For Authorized domains, enter amazoncognito.com.
I've entered this as an authorized domain, but since I've done that, Google is now saying that in order to verify the app, I need to "verify ownership of the following domain" (amazoncognito.com). Clearly, I cannot do this, as I do not own that domain.
Am I missing something here? It seems that AWS and Google have set this up in a way that makes it impossible to verify a Google OAuth app for use with Cognito.
I am attempting to allow a third party app (Google Home) to access information from a AWS Cognito User Pool.
The flow of the entire process is as follows (assuming I understand it correctly that is):
The user tries to link their devices (which are all managed inside various AWS services) to Google Home.
The user is then redirected to our oauth2 page where they log into their account in the cognito user pool
They succesfully log in and are provided with an oauth token
The Google Home app can then use that token to send requests to our back end, allowing them to control their devices, but not the devices belonging to other users.
I am not exactly sure how to setup the cognito user pool as an oauth2 provider. I can find lots of info going the other way (for instance using Google to sign into our AWS user pool using federated identities) but that doesn't solve our problem.
Any help or direction would be greatly appreciated.
Thanks in advance
Amazon Cognito now supports OAuth 2.0. Login to the Amazon Cognito Console and follow these steps for an existing user pool:
Create a domain in the "App Integration" section.
In the same navigation go to "App Client Settings" and enable the providers you want enabled on the client, in your case Cognito. Also add the allowed callback and logout URIs as well as the allowed OAuth flows and scopes.
Now your authorize endpoint is https://.auth..amazoncognito.com/authorize?client_id=&redirect_uri=&response_type= and same way you can find the token endpoint.
More details...
I want to integrate a pretty standard functionality: give option to user (mobile and web) to either login with email/password or with facebook (google) account with RBAC (different users may have different roles, like users, moderators, admins, creators, etc). Here is basically what I want from sign in:
I went through a number of AWS tutorials and other materials. I got some grasp on how to implement it, but I still don't have a full picture. Hope someone can help me here.
Here is my current understanding (please correct me where I'm wrong).
1) For the email/password signup/signin I use a User Pool. When user signs-in I call authenticateUser (I'm using JS SDK):
cognitoUser.authenticateUser(authenticationDetails, {
..
})
where onSuccess
I store identity, access and refresh tokens, so, user
doesn't have to enter his credentials every time
Because users will be accessing AWS servicess (e.g. S3) I exchange idToken to AWS credentials
Store AWS creds in LocalStore for further use, when access resources
2) For the facebook sign-in I use Federated Identity
get a facebook access token
with fb token get a cognito identity
exchange a cognito identity to AWS creds and store those in LocalStore
Questions:
Q1. Is it valid and fairly complete logic for sign-up/sign-in? Did I miss anything?
Q2. How should I store facebook users? Can I do it in User Pools? I have impression that it's not possible, but that means I have 2 different user directories: one in UserPool and another one in another place (lets say in DynamoDB)
Q3. If I have to store users in different places (UserPool and DynamoDB) that means I have 2 users for essentially one user, who first registered with email/password and then decided to use facebook - this is inconvenience for both me as app admin and user. How to deal with this situation?
Q4. How to manage groups for users, who signed-in with facebook token (like users, moderators, admins, creators, etc)?
Q5. How should I restrict access to resources other than AWS for facebook signed-in users?
Q6. Any working example for this?
Thanks!
We added support for Federation through Facebook, Google and LoginWithAmazon for User Pools. This will create a user in user pool when a user logs in with federation. You can also capture the attributes from the identity provider using the attribute mapping feature.
Also if you use the app integration feature, Amazon Cognito User Pools wil generate a sign-in page like this for you.
Steps to SignIn/SignUp with a social provider through Amazon Cognito Console:
Configure a domain for your user pool like .auth..amazoncognito.com
Add any social provider and configure attribute mapping.
Enable the provider on the App Client.
Configure the callback URI, OAuth response type and allowed scopes.
Access your hosted UI at https://.auth..amazoncognito.com/login?client_id=&response_type=&redirect_uri=
Click on the button to SignUp/SignIn with Facebook (or your provider).
Authenticate with the provider, you will be redirected to the callback URI with tokens/code.
Check the newly created user in Amazon Cognito console.
I'm human and may have missed something, but that sounds pretty good to me.
You can't store a federated identities login in user pools. Thing of user pools as another identity provider, just like Facebook is. Dynamo (or something else) would be the way to go.
If a user logged in with both, linking those logins, you might want to consider avoiding user pools attributes entirely and only using dynamo. With two logins linked, Cognito federated identities only requires one login token to proceed, but user pools requires it's login token to see/update attributes. The user would have to login with the user pool to touch those attributes, it'd get messy.
I don't know that this is supported out of the box, like it is with user pools. You might have to do this using your hypothetical user database described above.
You can also link your user pool to Cognito as a provider, much like you do for Facebook. That's how you exchange an id token for credentials.
No official example from the service, though I can't speak for others.
In my web application, I want to allow users to log in using 2 possible providers (Facebook, Google) and retrieve credentials using AWS Cognito.
From what I understand, if a user (john#domain.com) logs in using his Facebook account, the Cognito IdentityId will not be the same as if he had logged in using his Google account.
Assuming that the user uses the same email address (john#domain.com) to log in for both his Facebook and Google accounts, how can I make sure that that user has a single, unique IdentityId in Cognito?
I would not want the user to have 2 different IdentityId's. It would be nice if I could associate john#domain.com to a single IdentityId.
Cognito doesn't know about the email with which an account was registered. If the same user authenticates on two different devices using facebook on one and google on the other, it will give two different ids.
However, it can be told that they're linked. If that same user were to log in to facebook on one device, they'd get identity A. If they were to then link identity A to their google account by including the login token for both when communicating with Cognito, then Cognito would know they're associated, and any future authentication with one of the two providers would give the same id.
That deviates a bit if both Facebook and Google had already been linked to an id before Cognito was told to link them - in that case, the id that is used could be either of the two.