Amazon Cognito and External Identity Providers
Problem Statement
For one of the eCommerce portals we were working on, a key requirement was to integrate third-party identity providers such as Google and Microsoft. The customer wanted existing users of these providers to have a seamless experience when signing up and signing in to the eCommerce site. In addition, the customer wanted their own Active Directory to act as another identity provider for authentication.
The customer also wanted standard functionality such as password reset, forgotten-password recovery and email verification to come from existing cloud services rather than being redeveloped.
Since it was a B2C eCommerce portal, the customer wanted scalability taken care of: the user base might start small but grow to thousands and later millions of users, so the authentication infrastructure had to scale.
Solution
Amazon Cognito is a service that provides user sign-up, sign-in and access control for web and mobile applications. It scales to millions of users and supports sign-in with social identity providers such as Facebook, Microsoft and Google. It also supports enterprise identity providers through the SAML 2.0 protocol.
Approach
When an already signed-up user visits the eCommerce portal for the first time, the following happens:
- The web application, through its session management, detects that the user is unauthenticated and redirects the user to Amazon Cognito; Amazon Cognito in turn sends a SAML request to the Identity Provider (IdP).
- The IdP authenticates the user and sends a SAML response back to Amazon Cognito. The SAML response includes common attributes and a multi-value attribute for group membership.
- Amazon Cognito handles the SAML response and maps the SAML attributes to a just-in-time user profile. The SAML groups attribute is mapped to a custom user pool attribute named custom:groups.
- Amazon Cognito returns a JWT (JSON Web Token) to the web application.