Using AWS AD to Store Users for API Gateway - amazon-web-services

I have a client that has an on-prem AD Server... I am developing an application running through API Gateway that will use a custom authorizer to authorize the endpoints. The on-prem AD server will be used to authenticate internal users, thinking about deploying an AD server in AWS for external users and using some sort of "link" between the two to connect them.
I want to query AD to authenticate the users and then get their IAM roles to allow access to the API. Is this a good implementation?

If you are able to run AD FS and expose it to Cognito, I would suggest looking into using Cognito Federated Identity and setting the Method to require AWS_IAM authorization. Here is a link to the docs for AD FS:
https://aws.amazon.com/blogs/mobile/announcing-saml-support-for-amazon-cognito/
Alternatively, if you can't run AD FS and are running AWS Directory Service for Microsoft Active Directory for some other purpose, you could create a trust relationship to your on-prem AD through a Direct Connect / VPN. You could then create a service which takes the AD credentials and authenticates the user via LDAP (a Lambda function configured to be used with a VPC). Finally, a custom authorizer could be created that validates the token for subsequent calls and returns an appropriate IAM policy.

Related

AWS authentication to Cognito for AWS Resources

I am trying to reduce the number of logins a user needs to gain access to multiple applications. I have AWS AD set up, which provides me authentication to the VPN and mail client. Now I need a website where I can use AD creds to allow users to upload, download and list files in an S3 bucket. It seems like I can do this with Cognito maybe, but AWS AD doesn't seem to support the SAML/ADFS that allows you to link Cognito to AWS AD. Is there something I am missing?

How to authenticate same user in two different AWS regions?

I have two services, sitting in two separate regions on their own, that have the same authentication solution, with AWS Cognito, and each of those instances has federated the same identity provider in their user pool.
In front of the application, there is an API Gateway, that should grant access to the desired service.
The user could have the following scenario: goes to authenticate in region1, gets his token, and then the API Gateway from region1 will permit his access based on it. Can this token be used to access a service in region2?
Assuming Cognito is configured in region1, if you set the Cognito pool from region1 as authorizer for the API Gateway in region2, that should allow this API Gateway to authenticate users in Cognito. It also works cross-account.
Hopefully the docs help: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html

What mechanism can I use to allow my Firebase Auth users to SSO into Amazon Connect?

Goal: Allow Firebase Auth users to access Amazon Connect without having to enter another username and password
What I've tried:
Amazon Connect's Identity Management can be done in 3 ways:
1) Store Users with Amazon Connect
2) Link to an Existing Directory
3) SAML 2.0-based authentication
1) Doesn't support SSO
2) I tried to create a Directory in AWS Directory Service, but given the options (AWS Managed Microsoft AD, Simple AD, AD Connector), none of them seem to be compatible with Firebase. I'm not sure if there is a way to sync Firebase Auth users into one of the above listed ADs.
3) SAML seemed promising; however, it appears that Firebase can use a SAML provider, but cannot act as a SAML provider.
Is there any solution that will allow me to have Firebase Auth users SSO into an Amazon Connect instance?
If there is no direct solution, is there even an indirect solution where, for example, Cognito is my primary auth, which provides Connect access, and then I use Cognito as the SAML provider for my Firebase Auth?

AWS Get Short Term temp token from SSO AD Connector

I have an on-prem AD linked to AWS SSO using AD Connector.
AD users have MFA enabled in AWS SSO.
There is a requirement for an application to retrieve a short-term token using a user ID. For example, Active Directory user ID 'A' has access to shut down an EC2 instance. User ID 'A' logs in to the custom application, the custom application retrieves the short-term token and uses this token to shut down the EC2 instance.
This application is built specifically for business users who are not comfortable using the AWS Console, hence a very basic, minimal, easy-to-use UI.
I have read through a lot of AWS documentation, and all the implementations I have checked online are for AWS SSO with SAML federated with Azure AD etc., but not with on-prem AD.
How can STS be used with an on-prem AD SSO implementation?
This is confirmed. SSO with AD Connector doesn't have STS implemented.

User authentication in microservice application hosted on Amazon WS

I am building a web application based on a microservice architecture. At this moment I am considering a few ways of handling the user authentication flow. I predict the following example user roles:
admin - is able to create content, upload files etc. (an admin account can be created only by another admin)
unauthorized user - can view content
authorized user - can comment on content
Here is how I was thinking about the authentication flow so far:
authentication service - has access to the DB with user credentials and permissions
api gateway - receives requests from the user, checks if the user is logged in (i.e. verifies the OAuth2 access token with the auth service) and transfers the flow to other services based on the user request (attaching a JWT token with some basic user info)
another service - accepts only requests from the api gateway, and trusts the user data from the JWT token (does not need to connect to the auth service to get information about the user).
After deploying some stuff on AWS infrastructure my way of thinking has changed a little bit. As far as I understand AWS products (Lambda - serverless applications and API Gateway), I should implement the authentication flow as follows:
authentication service - gets the request from the user, retrieves data from DynamoDB and provides the user a cookie with a JWT signed by a private key
any other service - receives the request with the JWT token, verifies the signature using the public key, and performs some action.
And now the question comes:
How does AWS Cognito fit here? Is it something useful for me? As far as I understand, Cognito simplifies the flow of authenticating users via 3rd parties (Facebook, Twitter etc.). Does AWS Cognito serve a login page, separated from my application, or is it only a background/webservices implementation?
So far I am thinking about Cognito as a replacement for my authentication service - any of my services should implement the Cognito authentication flow provided by the SDK from Amazon, and my static website would implement the JavaScript SDK for user login/register. Am I right?
First of all, AWS Cognito consists of two services.
AWS Cognito UserPools (which is the Identity Provider) - This is the service where you can create the users and manage their credentials with other policies. It can also provide the login screen, where we can customize the logo and look and feel so that it can become a plug-and-play login service. It is also possible to configure the authentication flow (for example, to make the service an OpenID Connect authentication provider so that it returns a JWT token once the user logs in). It is also possible to connect Social Identities (Facebook, Google, etc.) and SAML.
AWS Cognito Federated Identities (Identity Federation to grant users access to AWS services) - This service is capable of accepting an AWS Cognito UserPool token or direct access from other providers, where we can federate the access to AWS resources. For example, AWS Cognito Federated Identities can grant temporary access to a user, authenticated from another provider (e.g. AWS Cognito UserPools), to upload files to S3.
For more details, refer to the article The Difference Between AWS Cognito UserPools and Federated Identities?.
So coming back to your questions:
So far I am thinking about Cognito as a replacement for my authentication service?
You can use the AWS Cognito UserPools authentication service to issue JWT tokens and validate the token in an AWS Lambda Custom Authorizer at your other service endpoints. This is also the place where you can do Authorization.
My static website would implement the JavaScript SDK for user login/register. Am I right?
Not necessarily. If you use the AWS Cognito UserPools Hosted UI, you will get Login, Signup, Password Change and Confirmation pages by default, along with auto redirection for Federated Identities (based on the configuration) such as Facebook, Google or corporate credentials like Office365. Although the customization is limited, you should be able to add your own logo and change the background color of these screens. If you plan to implement this yourself, then you can use the AWS SDKs to implement these screens.
For more details on the serverless architecture, refer to Full Stack Serverless Web Apps with AWS.
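The custom-authorizer step that both the first answer (validate the token on subsequent calls and return an IAM policy) and the last answer (validate the JWT in a Lambda Custom Authorizer) describe, as an added example that is not code from any of the posts above. It assumes an HS256 shared-secret JWT rather than the RSA key pair or Cognito-issued tokens the posts mention; the secret, claims and method ARN are constructed sample values.

```python
# Added example (not from any post on this page): an API Gateway Lambda TOKEN
# authorizer that verifies an HS256 JWT with a shared secret (stdlib only),
# rejects expired or malformed tokens, and returns an IAM policy scoped to the
# invoked method ARN. Secret, claims and ARNs are constructed sample values.
import base64, hashlib, hmac, json, time
SECRET = b"constructed-sample-secret"  # placeholder; load a real one from a secrets store

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; stands in for the authentication service."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes = SECRET, now=None):
    """Return the claims if signature, alg and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):  # constant-time
            return None
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # never honour 'alg': 'none' or a swapped algorithm
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64, bad JSON or wrong number of segments
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims

def _policy(principal: str, effect: str, resource: str, context=None) -> dict:
    # The response shape API Gateway expects from a custom authorizer.
    return {"principalId": principal, "context": context or {},
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}]}}

def handler(event: dict, _ctx=None) -> dict:
    """Lambda entry point: event carries authorizationToken and methodArn."""
    token = event.get("authorizationToken", "")
    claims = verify_token(token[7:] if token.startswith("Bearer ") else token)
    if claims is None or "sub" not in claims:
        return _policy("anonymous", "Deny", event["methodArn"])
    # Verified identity travels in 'context' so backends need not re-verify.
    ctx = {"user": claims["sub"], "role": claims.get("role", "")}
    return _policy(claims["sub"], "Allow", event["methodArn"], ctx)
```

API Gateway turns a Deny policy into a 403; raising `Exception('Unauthorized')` from the handler yields a 401 instead. The returned policy is cached per token for the authorizer's configured TTL, so keep the Resource scoped to what that caller may invoke.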