Cognito User Pool Logs for SAML Integration - amazon-web-services

I am using Cognito User Pool to integrate an external Identity Provider via SAML. I have two IdPs I am trying to set up. One is Azure AD, which is all set up and working fine. The other one is SecureAuth, which is giving problems.
I am trying to find out if Cognito logs anything. I looked in CloudWatch and CloudTrail. I don't see any logs related to this in either place. Where does Cognito log these errors? Do I need to set up something for this to work?

Related

Is it possible to integrate a single AWS Cognito pool with several SSO identity providers?

I'm trying to understand the relationship between Cognito user pools, and external identity providers via SAML.
What I have at the moment
I have a ReactJS application which uses the Amplify library, backed by AWS Cognito. The application is multi-tenanted, and users from different tenants belong in the same user pool. They are separated by their group and a custom attribute. I use CloudFormation and the Serverless Framework to deploy my stack.
Currently, I have custom login forms, which communicate with the Amplify library to log in the user.
The goal
In addition to giving clients the option to make their own accounts on my platform, I want to provide an option to authenticate via SAML from an external identity provider. The goal is to allow each client to log into the web application using their own Single Sign-On.
My prior research
I've seen AWS's example on how to actually deploy a user pool supporting SAML.
I've read Azure's guide on integrating with Cognito.
I have an understanding of the SAML authentication flow.
The question
Is it possible to attach each of these external identity providers to the same user pool, or will I have to deploy a new user pool for each new client I want to onboard?
Thank you very much
Yes, it is possible to add multiple external IDPs to a user pool.
But there is an upper limit of 1,000 identity providers per user pool, so you can add up to 1,000 customers. And if you go with a user pool per customer, then there is a limit of 10,000 user pools per AWS account.
So consider those limits when you are choosing an option.
One other option is to support login with IdPs like Google, Microsoft, etc. Companies (customers) who use them as their IdPs can rely on that, without specifically configuring SSO. (You can group the users based on the domain.)

AWS Cognito: How to trigger lambda on user signup to attach IoT policy?

I am creating a web app using AWS Amplify, and one of its features will be integration with AWS IoT for live MQTT data. I successfully set up Cognito to work with IoT, but there is one step that I currently have to do manually: attach the IoT policy to a Cognito identity. In all the AWS tutorials on this, they have you manually attach the policy for the user via the command line, but obviously in a production app this needs to be automated with something like a Lambda as part of the user signup flow. I know that Lambda triggers are available on the user pools side of Cognito, but I don't see any documentation on them being available for identity pools. If I'm correct, the user signup happens first in the user pool and then in the identity pool, and since I need the identity ID to link to IoT, using user pool Lambda triggers won't work for this. Of course I could always add this to my own API which is called after sign up; the only issue with that is that it relies on the client to call the API, which adds complexity, i.e. the client could disconnect after signup but before the API call is made, in which case the user would never get the policy attached. Is there any better server-side way to trigger this?

Forward claims from external provider to Cognito Identity

I have an app and an OpenID identity server. My app retrieves tokens from the identity server.
I have also configured the identity server as an external provider for an AWS Cognito Identity Pool.
I can successfully retrieve AWS credentials for the User logged into my app.
However, I find the AWS credentials limited as the token does not contain any of the claims from the original login token. Is there any way to get them in there?
One of the claims I use is clientID, and I was hoping to be able to use that in an IAM policy to restrict S3 access by client.
I haven't found a direct solution for that, and it seems like a missing feature.
The workaround I did was:
Map id_token/access_token/refresh_token to custom Cognito attributes. As all mapped attributes are later available in your frontend, you need to restrict read permissions for sensitive attributes.
Use the TokenGeneration_HostedAuth Lambda trigger to work on this data.
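An added illustration of the second step of that workaround (example code, not from the answer above or from AWS): a Pre Token Generation handler that copies the mapped clientID into the ID token and suppresses the raw IdP tokens stored in custom attributes. The attribute names custom:client_id and custom:idp_*_token, and the claim name tenant_client_id, are assumed placeholders.

```python
# Pre Token Generation handler. Assumed attribute names: custom:client_id holds the mapped
# IdP clientID; the custom:idp_*_token attributes hold the mapped id/access/refresh tokens.
SENSITIVE_ATTRIBUTES = ("custom:idp_id_token", "custom:idp_access_token", "custom:idp_refresh_token")


def lambda_handler(event, context=None):
    """Copy the mapped clientID into the Cognito ID token; keep raw IdP tokens out of it."""
    if not event.get("triggerSource", "").startswith("TokenGeneration_"):
        return event  # not a token-generation invocation; leave the event untouched
    attrs = event["request"]["userAttributes"]
    claims = {}
    client_id = attrs.get("custom:client_id")
    if client_id:
        claims["tenant_client_id"] = client_id  # constructed claim name for per-client checks
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": claims,
        # mapped custom attributes would otherwise appear as custom:* claims in the ID token
        "claimsToSuppress": [a for a in SENSITIVE_ATTRIBUTES if a in attrs],
    }
    return event


def sample_event():
    """Constructed trigger event in the shape Cognito sends for TokenGeneration_HostedAuth."""
    return {
        "triggerSource": "TokenGeneration_HostedAuth",
        "request": {"userAttributes": {
            "sub": "11111111-2222-3333-4444-555555555555",
            "custom:client_id": "acme",
            "custom:idp_access_token": "constructed-opaque-token",
        }},
        "response": {},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(lambda_handler(sample_event())["response"], indent=2))
```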

OAUTH2 server for getting AWS Cognito User Pool token?

I am attempting to allow a third-party app (Google Home) to access information from an AWS Cognito User Pool.
The flow of the entire process is as follows (assuming I understand it correctly that is):
The user tries to link their devices (which are all managed inside various AWS services) to Google Home.
The user is then redirected to our OAuth2 page where they log into their account in the Cognito user pool.
They successfully log in and are provided with an OAuth token.
The Google Home app can then use that token to send requests to our back end, allowing them to control their devices, but not the devices belonging to other users.
I am not exactly sure how to set up the Cognito user pool as an OAuth2 provider. I can find lots of info going the other way (for instance using Google to sign into our AWS user pool using federated identities), but that doesn't solve our problem.
Any help or direction would be greatly appreciated.
Thanks in advance
Amazon Cognito now supports OAuth 2.0. Log in to the Amazon Cognito Console and follow these steps for an existing user pool:
Create a domain in the "App Integration" section.
In the same navigation, go to "App Client Settings" and enable the providers you want enabled on the client, in your case Cognito. Also add the allowed callback and logout URIs as well as the allowed OAuth flows and scopes.
Now your authorize endpoint is https://.auth..amazoncognito.com/authorize?client_id=&redirect_uri=&response_type= and in the same way you can find the token endpoint.
More details...
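An added example (not code from either answer or from AWS) that ties the authorize endpoint described in this answer to the "group users by domain" idea in the multi-IdP answer above: it picks a per-tenant identity provider from the user's e-mail domain, builds the Hosted UI authorize URL for the authorization code flow with PKCE, and checks the state on the redirect back. The domain, client ID, redirect URI and the tenant-to-IdP mapping are constructed placeholders; the /oauth2/authorize path and the identity_provider parameter are taken from the current Cognito Hosted UI documentation.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: replace with your own user pool domain, region and app client.
COGNITO_DOMAIN = "https://my-domain.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"
# Constructed mapping of e-mail domain -> identity provider name configured in the pool.
TENANT_IDPS = {"contoso.com": "AzureAD", "example.org": "SecureAuth"}


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def choose_identity_provider(email, tenant_idps=TENANT_IDPS):
    """Home-realm discovery: pick the tenant's IdP by e-mail domain; None = Cognito's own login."""
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    return tenant_idps.get(domain)


def build_authorize_url(email, state, code_challenge):
    """Compose the Hosted UI /oauth2/authorize URL for the code flow with PKCE."""
    params = {
        "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "response_type": "code",
        "scope": "openid email", "state": state,
        "code_challenge_method": "S256", "code_challenge": code_challenge,
    }
    idp = choose_identity_provider(email)
    if idp:  # identity_provider skips the provider picker and sends the user to their own SSO
        params["identity_provider"] = idp
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def parse_callback(url, expected_state):
    """Pull the code from the redirect back to REDIRECT_URI; a wrong state is rejected (CSRF)."""
    qs = parse_qs(urlparse(url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in qs:
        raise ValueError(qs["error"][0])
    return qs["code"][0]
```

The returned code is then POSTed with the code_verifier to the token endpoint at /oauth2/token on the same domain to obtain the tokens.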

AWS Authentication

I am trying to authenticate users via AWS Cognito/IAM services from my webapp. I have implemented Facebook and LinkedIn login and I'm wondering how I could use AWS to implement username+password login via my UI. Is there a way for me to set it up so that all I have to do is drop in a button for username+password login on my view, and that will authenticate users and redirect back to my backend service (similar to Facebook/LinkedIn), where I can put in an endpoint URL?
Do let me know if I need to be clearer.
Edit1: I have already tried using the Developer Authenticated Workflow (enhanced workflow). I don't want to do the part where I create the user in my user pool by calling the AWS Cognito Identity API. I'd like AWS to do the user creation by itself. Is this possible?
Edit2: Another alternative solution is to create a Lambda which does what I want. But this is similar to the code to do that (which is on my backend).
At the moment there is no complete solution for this. You have to either use the newly introduced AWS Cognito User Pools or create your own. I would also recommend checking out the project https://github.com/danilop/LambdAuth, which is worth trying.
You can create AWS Cognito user pools, create the roles for authenticated and unauthenticated users, and assign some policies to both roles. Once you have created the user pool, you will get the necessary code to use in your web or mobile application. Refer to How to set up Cognito user pools.