Recently I faced a new requirement to link or connect a Google OIDC external provider with AWS Cognito.
Background: my frontend application is running in AWS and is integrated with Cognito for users and groups. Due to new requirements I have to connect a client web application (JupyterHub) which is running on GCP VM instances.
My question is: is it compatible or possible to use Google IAP with an external OIDC provider which could link to an AWS Cognito app client and provide the Cognito UI to log in?
Has someone faced such situation?
I would appreciate any comments or thoughts on this scenario.
Many thanks
Adam
You can authenticate users with a wide range of identity providers, such as OIDC, by combining IAP and Identity Platform.
Identity Platform can be used to sign in users with an OpenID Connect (OIDC) provider.
Related
I have been trying to implement auto-provisioning on Azure AD with AWS Cognito. The auto-provisioning on the Azure side is asking for a tenant URL and I am using this for it: https://.auth.us-east-1.amazoncognito.com/saml2/idpresponse. But Azure says it cannot establish a connection due to invalid credentials. Please confirm whether the URL I am using is correct and also whether Azure auto-provisioning is possible with AWS Cognito.
It is possible with AWS Single Sign-On, as it provides support for the System for Cross-domain Identity Management (SCIM). However, this is an additional step after setting up your Identity Provider.
AWS Cognito does support external Identity Providers for authentication, but I can't see any support for SCIM. The SCIM endpoint is what is needed for the tenant URL. So, no, I don't think Cognito supports auto-provisioning... it would be great if it did, though.
Using Auth0 as an example of what I want to achieve, it is possible to create an Auth0 application and configure a SAML trust relationship to a service provider by downloading Auth0's Identity Provider Metadata from an Auth0 SAML2 Web App and supplying that to the service provider, and also uploading the Service Provider metadata to Auth0. Supplying some other configuration options such as the application callback URL to Auth0 then allows federation to be achieved into the test service provider via SP-initiated SSO.
I would like to understand if it is possible to build such a relationship with AWS Cognito using either SAML or OIDC, where Cognito would be acting as the Identity Provider. There seems to be a lot of documentation available providing instructions on how to use SAML to create a relationship to a third-party identity provider for a user pool, but I'm struggling to find any documentation or options within the console to configure SSO to a test service provider; for example, there is no reference to Cognito Identity Provider metadata. The assumption that I am making is that Cognito is a service only for authorisation with your own applications (such as user login) and does not support SSO into other services in the way that I describe, and that if you wanted to use Cognito as an Identity Provider then I would have to connect my user pools to a service such as Auth0 to then build out the SSO relationship. Am I correct in this assumption? And if not, please help me to understand where in the documentation/console I should be looking.
I'm also aware that AWS SSO exists and that I could potentially link a Cognito user pool to that, however the user pool will be made up of clients, and my assumption is that AWS SSO serves to specifically support (internal/affiliate) employee access to AWS services and resources, and should not be used as a way to enable SSO to another service for customers.
There is a mobile app that uses OpenID Connect for SSO. That mobile app is not built with AWS. The developers of that app are asking me to provide my own SSO service with OpenID Connect that they can use for user authentication in that app.
My question is: is AWS Cognito the right tool to build my own SSO service with OpenID Connect that will suit the case described above?
Yes, it will. Other alternatives are Auth0 and Microsoft Azure AD.
I have a React application which uses Amplify to connect to an AWS Cognito user pool. I wanted to connect Zendesk to this user pool using SAML, so that any user logged into my React application should automatically get logged into Zendesk.
I went through Zendesk's documentation for SSO and it supports SAML-based authentication. But on the Cognito side, it doesn't support SAML as an Identity Provider.
Can somebody please help me understand the right way of connecting these two applications?
Is there any possibility of using Chrome (Google) identity to authenticate to AWS API Gateway?
I know that AWS Cognito supports Google as an external federated identity provider. However, when creating an OAuth client within the Google Developers console for my Chrome App, only a Client ID is generated. An app secret is available for web apps, mobile, etc., but not for a Chrome App.
Thank you for any advice.
Regards,
Robert
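The mobile-app thread above (an OIDC SSO service built on Cognito) and Robert's Chrome App question both come down to a public client that has no client secret to present. For such a client the authorization-code flow with PKCE against the Cognito hosted UI's /oauth2/authorize and /oauth2/token endpoints is the shape that fits: the secret is replaced by a per-login code_verifier, and the identity_provider parameter is how a hosted-UI request sends the user straight to a federated provider such as Google configured on the user pool (that federation uses a separate Google client set up on the pool, not the Chrome App's client). The following is an added example in Go, not code from any of the posters or from AWS; the hosted-UI domain, client ID and redirect URI are placeholders, and the callback URL it parses is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// Placeholders for a Cognito hosted-UI domain, a public app client (no client secret) and the
// app's own redirect URI; none of these come from the threads above.
const (
	cognitoDomain = "https://example-app.auth.us-east-1.amazoncognito.com"
	clientID      = "1h57kf5cpq17m0eml12EXAMPLE"
	redirectURI   = "myapp://callback"
)

// newCodeVerifier returns 32 random bytes as a 43-character base64url string (RFC 7636 section 4.1).
func newCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// codeChallenge is the S256 transform: BASE64URL(SHA256(verifier)) without padding.
func codeChallenge(verifier string) string {
	h := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// authorizeURL builds the /oauth2/authorize request. With identityProvider empty the Cognito
// login UI is shown; with e.g. "Google" the hosted UI jumps straight to that federated IdP.
func authorizeURL(verifier, state, identityProvider string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid email profile")
	q.Set("state", state)
	q.Set("code_challenge_method", "S256")
	q.Set("code_challenge", codeChallenge(verifier))
	if identityProvider != "" {
		q.Set("identity_provider", identityProvider)
	}
	return cognitoDomain + "/oauth2/authorize?" + q.Encode()
}

// parseCallback extracts the code from the redirect back to the app, refusing it unless the
// echoed state matches what the app stored for this attempt (the CSRF check PKCE does not do).
func parseCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s: %s", e, q.Get("error_description"))
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", fmt.Errorf("state mismatch")
	}
	if q.Get("code") == "" {
		return "", fmt.Errorf("no authorization code in callback")
	}
	return q.Get("code"), nil
}

// tokenRequestBody is the form body POSTed to /oauth2/token. The verifier, never the challenge,
// goes here; Cognito recomputes S256 over it and compares with what the authorize step recorded.
func tokenRequestBody(code, verifier string) string {
	q := url.Values{}
	q.Set("grant_type", "authorization_code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("code", code)
	q.Set("code_verifier", verifier)
	return q.Encode()
}

func main() {
	verifier, _ := newCodeVerifier()
	state, _ := newCodeVerifier() // any unguessable per-attempt value works as state
	fmt.Println("1. open:", authorizeURL(verifier, state, "Google"))
	code, err := parseCallback(redirectURI+"?code=constructed-code&state="+state, state)
	if err != nil {
		panic(err)
	}
	fmt.Println("2. POST", cognitoDomain+"/oauth2/token")
	fmt.Println("   body:", tokenRequestBody(code, verifier))
}
```

The verifier and state live only for one login attempt and are stored on the client that started it; the ID token that comes back from /oauth2/token is then validated against the user pool's issuer and JWKS like any OIDC token. For the API Gateway case, that ID token is what a Cognito user pool authorizer on the API checks, so the Google account ends up attested by Cognito rather than by the Chrome App's client ID alone.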