AWS Cognito - Google authentication Issue - amazon-web-services

I have been trying to deploy the AWS Content Analysis stack provided in https://github.com/aws-solutions/content-analysis-on-aws
I successfully created the stack and can access the CloudFront URL without any issues.
I followed the instructions (linked below) to integrate the CloudFront URL with Google authentication via AWS Cognito, creating the user pool within Cognito and setting up the Google project within the developer account. The hosted UI within AWS Cognito redirected me to the Google page, and the URL redirected back to the CloudFront URL plus the token, but it still prompts me for a username and password.
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-google-social-identity-provider/
Any suggestions on how to fix this issue?

Related

AWS Cognito with Auth0 as middle layer for SAML SSO, how to skip re login

I'm using AWS Cognito as the user pool (for login) <> Auth0 as SAML IdP (IdP-initiated flow) (as Cognito does not support SAML IdP) <> connecting to a 3rd-party SP.
I have a web app which has a login mechanism with AWS Cognito, and I'm trying to redirect logged-in customers to a third-party URL (the SP, which requires log-in as well, via SAML).
I have set up Auth0 to perform the SAML SSO, as Cognito does not support it, and added OpenID Connect for authentication to sync my existing users with Auth0 (AWS Cognito - see image below), which seems to work well (users are synced from my user pool into Auth0/User Management/Users).
When I'm redirecting my logged-in users, I redirect them to the Auth0 Identity Provider Login URL (i.e. dev-APP.us.auth0.com/samlp/SOME_APP?connection=AWSCognito).
The problem I'm facing is that, the first time, the user is required to log in again (to Cognito) although he was already logged in (see image below).
I was trying to follow the requests made after redirection to the Auth0 Provider Login URL, and it seems that the /authorize URL on Cognito is the issue (https://XXXXX.auth.us-east-1.amazoncognito.com/oauth2/authorize).
Redirecting directly to the AWS Cognito domain with this URL won't work either (to the Hosted UI rather than to the Auth0 URL): https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/login?response_type=token&client_id=<yourClientId>&redirect_uri=<redirectUrl> where the redirectURI is URL-encoded.
Is there any way to skip that second login (the first is in my web app and the second is the Cognito hosted UI)?
Thanks!

How do i get an Amazon Cognito token in postman without need for manual steps

I have an existing suite of Postman tests that previously ran against REST services hosted in Azure using Azure AD for auth. Using the token endpoint (https://login.microsoftonline.com/{{tenantId}}/oauth2/token), I was able to obtain an OAuth token for an enterprise app (test app) that had delegated permissions for the application under test.
The apps have been moved to AWS and are now secured with Cognito. I have been unable to find an equivalent workflow that allows me to obtain a token without manual data being entered by the user.
The login endpoint requires me to manually enter the user name and password:
How do i integrate amazon cognito login in postman
and
I can set up an app and get an access token, but it does not give me permissions to the APIs, as I cannot add the app to the user group with permissions.
https://lobster1234.github.io/2018/05/31/server-to-server-auth-with-amazon-cognito/
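The two non-interactive routes this question touches on, as an added example that is not part of the original post or of the linked article: the USER_PASSWORD_AUTH flow of the InitiateAuth API (signs in a real user, so the token carries that user's groups) and the client-credentials grant on the Hosted UI token endpoint (identifies the app client only, so no groups claim, which is why group-based API authorization rejects it). Both are built as plain HTTP requests so they can be scripted or dropped into a Postman pre-request script with nobody typing a password. Every identifier below (region, user-pool domain, client id and secret, username, scopes) is a placeholder assumption; the sample JWTs are constructed locally for illustration and are not real Cognito tokens.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Placeholder configuration (assumptions, not a real deployment).
REGION = "us-east-1"
CLIENT_ID = "1example23456789"
CLIENT_SECRET = "example-client-secret"  # never hard-code a real one
USER_POOL_DOMAIN = "https://example-pool.auth.us-east-1.amazoncognito.com"


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH that InitiateAuth requires when the app client has a secret:
    Base64(HMAC-SHA256(key=client_secret, message=username + client_id))."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def initiate_auth_request(username: str, password: str) -> tuple[str, dict, dict]:
    """Build the unsigned InitiateAuth POST for the USER_PASSWORD_AUTH flow.

    Returns (url, headers, json_body). No SigV4 signing is needed for this API,
    but the app client must have ALLOW_USER_PASSWORD_AUTH enabled. Because a
    real user signs in, the returned tokens carry that user's cognito:groups.
    """
    url = f"https://cognito-idp.{REGION}.amazonaws.com/"
    headers = {
        "Content-Type": "application/x-amz-json-1.1",
        "X-Amz-Target": "AWSCognitoIdentityProviderService.InitiateAuth",
    }
    body = {
        "AuthFlow": "USER_PASSWORD_AUTH",
        "ClientId": CLIENT_ID,
        "AuthParameters": {
            "USERNAME": username,
            "PASSWORD": password,
            "SECRET_HASH": secret_hash(username, CLIENT_ID, CLIENT_SECRET),
        },
    }
    return url, headers, body


def client_credentials_request(scopes: list[str]) -> tuple[str, dict, str]:
    """Build the machine-to-machine token POST to <pool domain>/oauth2/token.

    The resulting access token represents the app client, not a user, so it
    never has a cognito:groups claim; authorize such callers on its 'scope'
    claim (resource-server scopes) instead of on groups.
    """
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode("utf-8")).decode("ascii")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {basic}",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return f"{USER_POOL_DOMAIN}/oauth2/token", headers, body


def encode_unsigned_sample_jwt(claims: dict) -> str:
    """Constructed sample token for local demonstration only (dummy signature).
    Real Cognito tokens are RS256-signed and must be verified by the API."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode("ascii")
    return f"{seg({'alg': 'RS256', 'kid': 'sample'})}.{seg(claims)}.sig"


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT checking its signature. Fine for inspecting
    which claims a token carries; never use it to make an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def groups_from_token(token: str) -> list[str]:
    """cognito:groups is present on user tokens and absent on client-credentials tokens."""
    return jwt_claims(token).get("cognito:groups", [])
```

Running either request against a real pool needs an HTTP client and network access; the point of the block is the request shapes, the SECRET_HASH derivation (a frequent source of "NotAuthorizedException" when the app client has a secret), and the groups-versus-scope difference between the two token types.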

Authenticating embedded Kibana iframe with AWS Cognito

I have a web app which already uses AWS Cognito to authenticate my users. These users have been granted role-based access to the Kibana URL of my AWS Elasticsearch cluster. But when I embed a Kibana dashboard iframe into my user's session, it doesn't work. I think I need to pass the Cognito session information along with the iframe. Is there a way to pass the Cognito session information along with the iframe? The embedded dashboard starts working when I log in to Kibana in a separate browser tab, which leads me to believe this is an authentication issue. Any pointers will be of great help! Thanks.

AWS cognito - Can we modify the redirect URL supplied by Amazon Cognito when it authenticates using google provider

The AWS Cognito docs say developers must add the Amazon Cognito user pool domain URL https://your-user-pool-domain/oauth2/idpresponse to the Google app's Authorized redirect URIs.
Is it possible to modify the redirect URL provided by Cognito when signing in with Google so that the callback comes directly to the application instead of to AWS Cognito?
For example: I can add a valid redirect URL such as "https://myapp/callback/" in the Google app. When signing in with Google using the AWS Cognito hosted page, AWS Cognito would supply the redirect URL as "https://myapp/callback/" instead of https://your-user-pool-domain/oauth2/idpresponse.
No, you have to use the Amazon Cognito User Pool domain URL. That's the only supported method if you are using Cognito. Otherwise Cognito wouldn't know anything about your external identity.
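What the answer above means in practice, as an added example that is not part of the original question or answer: Google is only ever told about <pool domain>/oauth2/idpresponse, while the application's own callback (the "https://myapp/callback/" in the question) is handed to Cognito as the redirect_uri of the /oauth2/authorize request and must be registered on the app client. The block builds that authorize URL for the Google provider using the authorization-code flow with PKCE and a state value, then validates the callback the app receives (registered URI, matching state, presence of a code) and prepares the /oauth2/token exchange. The pool domain, client id and callback URL are placeholder assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder configuration (assumptions, not a real deployment).
USER_POOL_DOMAIN = "https://example-pool.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "1example23456789"
# Callback URLs registered on the Cognito app client. Cognito rejects any
# redirect_uri that is not in this list, which is what stops an attacker
# from steering the code to a host they control.
ALLOWED_REDIRECT_URIS = {"https://myapp/callback/"}


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method."""
    verifier = secrets.token_urlsafe(64)  # 86 unreserved chars, within the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(redirect_uri: str, state: str, code_challenge: str) -> str:
    """Build the Hosted UI /oauth2/authorize URL that sends the user to Google.

    identity_provider=Google skips the Hosted UI provider chooser. The
    redirect_uri is the app's callback; Google itself only ever redirects to
    <pool domain>/oauth2/idpresponse, which Cognito handles before coming here.
    """
    if redirect_uri not in ALLOWED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not registered on the app client")
    params = {
        "response_type": "code",  # code + PKCE rather than the implicit 'token' flow
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "identity_provider": "Google",
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    return f"{USER_POOL_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the app and return the authorization code.

    Rejects callbacks on an unregistered URI, provider errors, a missing or
    mismatched state (CSRF / replay), and a missing code.
    """
    parsed = urlparse(callback_url)
    base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if base not in ALLOWED_REDIRECT_URIS:
        raise ValueError("callback arrived on an unexpected URI")
    qs = parse_qs(parsed.query)
    if "error" in qs:
        raise ValueError(f"provider returned error: {qs['error'][0]}")
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code: str, redirect_uri: str, code_verifier: str) -> tuple[str, dict]:
    """Form body for POST <pool domain>/oauth2/token that redeems the code.

    redirect_uri must equal the value sent to /oauth2/authorize, and the
    code_verifier proves this client started the flow that produced the code.
    """
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    return f"{USER_POOL_DOMAIN}/oauth2/token", body
```

The state and code_verifier must be stored server-side (or in a secure session cookie) between building the authorize URL and handling the callback; a public or browser-hosted client that has no client secret relies on PKCE alone to bind the code to the party that requested it.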

Is it possible to create your own AWS static S3 login HTML page for IAM credential login?

I would like to create my own HTML page to allow users to log in using their IAM credentials. I could not find any reference on how to do it without getting the credential token first. I would like to host this on an AWS S3 bucket.
A combination of a JavaScript web app and the JavaScript SDK for AWS Cognito could serve your purposes.
Example of creating a page using JavaScript to log in users with Facebook login and access an S3 bucket:
http://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/getting-started-browser.html
https://aws.amazon.com/developers/getting-started/browser/
Using Cognito
Amazon Cognito lets you easily add user sign-up and sign-in to your mobile and web apps. With Amazon Cognito, you also have the option to authenticate users through social identity providers such as Facebook, Twitter, or Amazon, with SAML identity solutions, or by using your own identity system. In addition, Amazon Cognito enables you to save data locally on users' devices, allowing your applications to work even when the devices are offline. You can then synchronize data across users' devices so that their app experience remains consistent regardless of the device they use.
https://aws.amazon.com/cognito/
The AWS S3 documentation clearly explains that it's not possible:
You can host a static website on Amazon S3. On a static website, individual web pages include static content. They may also contain client-side scripts. By contrast, a dynamic website relies on server-side processing, including server-side scripts such as PHP, JSP, or ASP.NET. Amazon S3 does not support server-side scripting.
If you mean you would like to grant access to HTML content to only certain users without their IAM credentials, you could explore the S3 pre-signed object URL option.
IAM username/password credentials are only for use with the AWS console.
There is no exposed API that you can use to validate IAM credentials.
Q: Is there an authentication API to verify IAM user sign-ins?
No. There is no programmatic way to verify user sign-ins.
https://aws.amazon.com/iam/faqs/