Single Sign-On with AWS Cognito and AzureAD

rishabh gandhi
5 min read · Oct 13, 2022

What is Single Sign-On?
Single sign-on is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors.

I won’t go into the depth of use cases, pros and cons, and the importance of Single Sign-On.

Let’s see how we can implement it using AWS Cognito and OpenID (AzureAD)

What is AWS Cognito?
It’s a service that provides customer identity and access management. With Amazon Cognito, you can add user sign-up and sign-in features and control access to your web and mobile applications.
For more details, refer https://aws.amazon.com/cognito/

Prerequisite:
- Azure account — https://portal.azure.com/
- AWS Console account — https://aws.amazon.com/console/

Considering you have access to both accounts.

Now, let’s start.

1. Log in to the AWS Console and search for Cognito

2. Select Cognito. You’ll see two options:
- Manage User Pools
- Manage Identity Pools
We need to select Manage User Pools

3. Click on the “Create User Pool” button

4. Enter the “Pool Name”. I am giving DemoUserPool

5. Click on “Review defaults” and then click on the “Create Pool” button.

6. User Pool is created successfully.

7. Go to “App Integration” and click on “Add Domain”

8. Add the domain name, or provide a custom domain name if you want. Here, I am passing “demo-user-pool” and clicking on “Save changes”

9. Go to “App clients” under “General settings”

10. Fill in the details as required and click on “Create App Client”
App Client Name — DemoUserApp
Check all the checkboxes

11. Note the Client Id and Client Secret and store them in a safe place

12. Copy the Domain that we created and keep it with you

13. Now, let’s go to the Azure Portal and search for “Azure Active Directory”

14. Go to “App registrations” under Manage and click on “New registration”

Fill in the required details. You can enter the application name as per your requirement.
For Supported account types, select based on your requirement. Here, I am selecting “Personal Microsoft accounts only”.
This means only accounts with personal Microsoft IDs will be allowed to access the application.
In Redirect URI, select “Web” from the dropdown and add the Cognito domain URL in the format below:
<CognitoDomainURL>/oauth2/idpresponse

15. Click on “Register”

16. Open “Endpoints” and copy the first URL (OAuth 2.0 authorization endpoint (v2))

17. Go to “Certificates & secrets” and click on “New client secret”. Enter a name, save the secret value and the client ID at creation time (the secret value is only shown then), and store them in a safe place.

18. Go to AWS Cognito again and select the user pool that we’ve created. Then, go to “Identity Providers” under “Federation” and select “OpenID Connect”

19. Fill in the details as shown below. Enter the client ID and secret that we saved from the Azure portal

20. In the “Issuer” field, paste the URL that we copied from the Endpoints section in the Azure Portal. The URL should look as below:
https://login.microsoftonline.com/consumers/oauth2/v2.0
Just paste up to v2.0 and remove the rest of the URL.

21. Click on “Run Discovery” and you should be able to receive a success message.

22. Go to “App client settings” and you should be able to see the AzureAD option

23. Check the AzureAD option as shown above. In the callback URL, enter the URL where you want the Cognito screen to appear. I am passing localhost for my local application

24. Click on “Launch Hosted UI” and you can see that AzureAD appears on the screen

25. On clicking AzureAD, it’ll redirect to the Microsoft sign-in screen
Once you fill in the credentials and authentication succeeds, it’ll redirect to the URL that you provided as the callback URL.
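The three values that steps 14, 16 and 20 hand between the two portals (the Cognito redirect URI, the trimmed issuer URL, and the discovery metadata that “Run Discovery” fetches) are easy to get slightly wrong. The following is an added example, not code from the original post, that derives and sanity-checks them offline. The Cognito prefix-domain format `<prefix>.auth.<region>.amazoncognito.com` and the region value are assumptions, and `SAMPLE_DOC` is a constructed stand-in for Microsoft’s real discovery document.

```python
import json
import urllib.request
from urllib.parse import urlparse

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

def issuer_from_endpoint(authorization_endpoint: str) -> str:
    """Step 20: keep the Azure 'authorization endpoint (v2)' URL only up to '/v2.0'."""
    marker = "/v2.0"
    idx = authorization_endpoint.find(marker)
    if idx < 0:
        raise ValueError("not a v2.0 endpoint URL: " + authorization_endpoint)
    return authorization_endpoint[: idx + len(marker)]

def cognito_idp_redirect_uri(domain_prefix: str, region: str) -> str:
    """Step 14: the redirect URI to register in Azure, <CognitoDomainURL>/oauth2/idpresponse.
    Assumes Cognito's standard prefix domain, <prefix>.auth.<region>.amazoncognito.com."""
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com/oauth2/idpresponse"

def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Fetch <issuer>/.well-known/openid-configuration, as Cognito's 'Run Discovery' does."""
    with urllib.request.urlopen(issuer.rstrip("/") + DISCOVERY_SUFFIX, timeout=timeout) as resp:
        return json.load(resp)

def check_discovery(doc: dict) -> list:
    """Return the problems found in discovery metadata; an empty list means it is usable."""
    problems = []
    for key in REQUIRED_KEYS:
        value = doc.get(key)
        if value is None:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for id_token signing")
    return problems

# Constructed sample shaped like Microsoft's v2.0 metadata, not a live fetch. The 'issuer'
# value in real metadata may be tenant-specific rather than the alias URL pasted in step 20.
SAMPLE_DOC = {
    "issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/consumers/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/consumers/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}
```

To check a live tenant, pass the output of `issuer_from_endpoint(...)` to `fetch_discovery` and then to `check_discovery`; an empty list is the equivalent of the success message in step 21.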

So, we learned how to set up AWS Cognito with OpenID.

Thanks…
