craigar-amazon/fedlab

Setup

Create Azure Free Account

Follow manufacturer's instructions :)

Populate Default Domain

Record your domain name as $AZD and the sub-domain component as $AZDSUB

Key      Sample
$AZD     craigaroachicloud.onmicrosoft.com
$AZDSUB  craigaroachicloud

Add User

  • Name: Alice Armstrong
  • User name: alice@$AZD
  • Profile: arbitrary
  • Directory role: User

Record the user name as $ALICEID

Sample $ALICEID
alice@craigaroachicloud.onmicrosoft.com

Record the user's generated password as $ALICEPWD

Note: the generated password is temporary and must be changed on first login.

Add Group

  • Group Type: Security
  • Group Name: OperationsManagers
  • Group Description: arbitrary
  • Membership type: Assigned

Add User to Group

Select the Group OperationsManagers

Add members

  • Alice Armstrong

Create Cognito User Pool

Navigate to Cognito in Console, then Create Pool

Enter your chosen pool name and record it as $CUP

Sample $CUP
BlueCup

  • Sign in: Username
  • Required attributes: email
  • Custom attributes: skip
  • Password Strength: your choice
  • Allow user sign-up: true
  • MFA: off
  • Verification: email
  • Message customizations: skip
  • Remember your user's devices
  • App Clients: skip for now
  • Custom workflows: skip

Save your user pool.

Record your Pool Id and ARN as $CUPID and $CUPARN

Key      Sample
$CUPID   ap-southeast-2_0ShBpWf3u
$CUPARN  arn:aws:cognito-idp:ap-southeast-2:167635472246:userpool/ap-southeast-2_0ShBpWf3u

Configure App Integration for Cognito User Pool

Select your Cognito User Pool called $CUP

Navigate App Integration | Domain name

Determine a domain name prefix for your user pool. It must be unique within your selected AWS region and may contain only lowercase letters, digits and hyphens. A concatenation of $AZDSUB and $CUP is a good choice. Click the Check Availability button to confirm the prefix is free.

Enter your chosen domain prefix and record it as $CUPDP

Sample $CUPDP
craigaroachicloud-bluecup

Save Changes

Record your fully qualified Cognito user pool domain name $CUPFQDN

Sample $CUPFQDN
https://craigaroachicloud-bluecup.auth.ap-southeast-2.amazoncognito.com

Construct your SAML endpoint from this domain name. After authenticating the user, AAD returns the SAML Response to this endpoint using the HTTP-POST binding: the signed assertion is Base64-encoded into an HTML form (the SAMLResponse field) that the user's browser auto-submits to the endpoint. Cognito verifies the assertion signature against the signing certificate published in the AAD federation metadata and checks that the assertion's Audience equals the SP Entity ID constructed below, so both values must be entered in AAD exactly as derived here. To construct the endpoint URL, append /saml2/idpresponse. Record the endpoint URL as $CUPSAML

$CUPSAML = $CUPFQDN + /saml2/idpresponse

Sample $CUPSAML
https://craigaroachicloud-bluecup.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse

Construct your SAML Service Provider (SP) Entity ID - also known as the Audience URI - by prefixing your Pool Id with urn:amazon:cognito:sp:. Record the Entity ID as $CUPSPENTITY

$CUPSPENTITY = urn:amazon:cognito:sp: + $CUPID

Sample $CUPSPENTITY
urn:amazon:cognito:sp:ap-southeast-2_0ShBpWf3u

Navigate to Cognito | $CUP | General Settings | App Clients

Field                   Value
App client name         TeamCalendar
Generate client secret  true

Create app client

Record the App client id as $CUPCID and the generated client secret as $CUPCSECRET. Treat the client secret as a credential: the ALB uses it to exchange authorization codes for tokens, so it must not be committed to source control. The values below are samples only.

Key          Sample
$CUPCID      2n6pup059ng2scg8n1crb1v5j6
$CUPCSECRET  kb5a9vmn2ua7qu70jghgv5m3bsopqheaeaumsadgmpbthc8sf6s

Once the app client settings (later section) are configured, the Hosted UI login page for this client can be opened at a URL of the following form. The redirect_uri must exactly match one of the Callback URLs registered on the app client, so https://localhost works only if it has also been registered there.

Sample Hosted UI login URL
https://craigaroachicloud-bluecup.auth.ap-southeast-2.amazoncognito.com/login?response_type=code&client_id=2n6pup059ng2scg8n1crb1v5j6&redirect_uri=https://localhost


Add Application to AAD

Navigate to AAD | Default Directory | Manage | Enterprise Applications

Select New Application, then Select Non-gallery application

  • Name: TeamCalendar

Add

Select Manage | Single sign-on, then Select SAML

Navigate to Basic SAML Configuration, then Select Edit

Attribute               Value         Sample
Identifier (Entity ID)  $CUPSPENTITY  urn:amazon:cognito:sp:ap-southeast-2_0ShBpWf3u
Reply URL (ACS URL)     $CUPSAML      https://craigaroachicloud-bluecup.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse

Save

Navigate to User Attributes & Claims, then Select Edit

Click on Claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Change Source Attribute from user.mail to user.userprincipalname

Cloud-only users in a new tenant usually have no mail attribute, so the emailaddress claim would be sent empty; the user principal name is always populated, and it is the value Cognito will map onto the pool's required email attribute.

Navigate to SAML Signing Certificate, then Record App Federation Metadata URL as $AZDFM

Sample $AZDFM
https://login.microsoftonline.com/23033791-d560-4912-8b87-c6e361fa3e17/federationmetadata/2007-06/federationmetadata.xml?appid=9be99ae6-3547-4ba7-b65d-7e0e9c1b4365

Optionally, Download the Federation Metadata XML

View the metadata document URL in a browser, or open the downloaded XML. Confirm it contains an IDPSSODescriptor with a signing KeyDescriptor (the X509Certificate Cognito will use to verify assertion signatures) and SingleSignOnService endpoints. The appid query parameter scopes the metadata to this enterprise application and its signing certificate, so use this URL rather than the tenant-wide one.
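Before saving either side, the values derived above can be cross-checked. The following Python is an added example and not code from the fedlab repository: it derives $CUPFQDN, $CUPSAML and $CUPSPENTITY from $CUPID and $CUPDP (applying Cognito's domain prefix rules), parses an IdP metadata document to pull out the entity ID, SSO endpoints and signing certificate thumbprint that Cognito relies on, and compares the derived SP values with what was entered in AAD's Basic SAML Configuration. The embedded metadata is a constructed, trimmed sample in the shape of the AAD document (tenant id taken from the $AZDFM sample above, dummy certificate bytes); the function names are this example's own.

```python
"""Cross-check the SAML values exchanged between AAD and Cognito.
Added example, not code from the fedlab repository. SAMPLE_AAD_METADATA is a
constructed, trimmed document in the shape of AAD's federationmetadata.xml; its
X509Certificate is the dummy bytes "abc", not a real signing certificate."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TENANT = "23033791-d560-4912-8b87-c6e361fa3e17"   # tenant id from the $AZDFM sample above

SAMPLE_AAD_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>YWJj</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST_BINDING}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def validate_domain_prefix(prefix):
    """Cognito domain prefix rules: 1-63 lowercase letters, digits or hyphens, no
    leading or trailing hyphen, and none of the reserved words aws, amazon, cognito."""
    if not re.fullmatch(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", prefix):
        return False
    return not any(word in prefix for word in ("aws", "amazon", "cognito"))


def cognito_sp_identifiers(pool_id, domain_prefix):
    """Derive $CUPFQDN, $CUPSAML and $CUPSPENTITY from $CUPID and $CUPDP."""
    m = re.fullmatch(r"([a-z]{2}(?:-[a-z]+)+-\d)_[A-Za-z0-9]+", pool_id)
    if not m:
        raise ValueError(f"malformed user pool id: {pool_id!r}")
    if not validate_domain_prefix(domain_prefix):
        raise ValueError(f"invalid Cognito domain prefix: {domain_prefix!r}")
    fqdn = f"https://{domain_prefix}.auth.{m.group(1)}.amazoncognito.com"  # region from pool id
    return {
        "hosted_ui": fqdn,
        "acs_url": fqdn + "/saml2/idpresponse",              # Reply URL (ACS URL) in AAD
        "sp_entity_id": "urn:amazon:cognito:sp:" + pool_id,  # Identifier (Entity ID) in AAD
    }


def parse_idp_metadata(xml_text):
    """Extract what Cognito needs from IdP metadata: the IdP entity id, the
    SingleSignOnService location per binding, and the thumbprint of each signing
    certificate (SHA-1 hex, the format the AAD portal displays; an identifier only)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document root is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor; not usable as a Cognito identity provider")
    sso = {el.get("Binding"): el.get("Location") for el in idp.findall("md:SingleSignOnService", NS)}
    thumbprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            thumbprints.append(hashlib.sha1(der).hexdigest())
    if not thumbprints:
        raise ValueError("no signing certificate: Cognito could not verify assertions")
    if not sso:
        raise ValueError("no SingleSignOnService endpoint to send the AuthnRequest to")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_cert_sha1": thumbprints}


def check_aad_basic_saml_config(sp, identifier, reply_url):
    """Compare the AAD Basic SAML Configuration fields with the derived Cognito
    SP values; returns the list of mismatches (empty means both sides agree)."""
    problems = []
    if identifier != sp["sp_entity_id"]:
        problems.append(f"Identifier (Entity ID) should be {sp['sp_entity_id']}")
    if reply_url != sp["acs_url"]:
        problems.append(f"Reply URL (ACS URL) should be {sp['acs_url']}")
    return problems


if __name__ == "__main__":
    sp = cognito_sp_identifiers("ap-southeast-2_0ShBpWf3u", "craigaroachicloud-bluecup")
    print("Enter into AAD Basic SAML Configuration:", sp)
    md = parse_idp_metadata(SAMPLE_AAD_METADATA)
    print("AAD IdP entity id:", md["entity_id"], "signing cert thumbprints:", md["signing_cert_sha1"])
    print("Mismatches:", check_aad_basic_saml_config(sp, sp["sp_entity_id"], sp["acs_url"]))
```

Run it against the real $AZDFM document by replacing SAMPLE_AAD_METADATA with the downloaded XML; the thumbprint it prints should equal the one shown under SAML Signing Certificate in the AAD portal, and an empty mismatch list confirms the Identifier and Reply URL were typed correctly.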

Navigate to TeamCalendar | Manage | Users and groups

Select Add User

Find Alice Armstrong, then click Select

Click Assign

Confirm Alice Armstrong has been assigned to TeamCalendar

Log out of AAD


Add AAD as a Federated Identity Provider for the Cognito User Pool

Navigate to Cognito | $CUP | Federation | Identity Providers

Select SAML

Navigate to Metadata Document

Either Enter $AZDFM OR Upload Federation Metadata XML

Enter Provider name AAD

Create Provider

Then navigate to Cognito | $CUP | Federation | Attribute mapping, select the SAML tab and the AAD provider, and map the SAML attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to the user pool attribute email. email was made a required attribute when the pool was created, so without this mapping Cognito rejects the federated user after an otherwise successful AAD login.

Configure Cognito App Client for ALB

Record the public HTTPS URL that users will browse to on your load balancer as $ALBURL (in the sample, https://www2.craigroachnz.net). Cognito only accepts HTTPS callback URLs, and the ALB's authenticate-cognito action receives the authorization code at /oauth2/idpresponse on that hostname.

Navigate to Cognito | $CUP | App Integration | App Client Settings

Navigate to $CUPCID

Field                       Value                          Sample
Enabled Identity Providers  AAD                            -
Callback URL                $ALBURL + /oauth2/idpresponse  https://www2.craigroachnz.net/oauth2/idpresponse
OAuth2 - Allowed Flows      Authorization Code Grant       -
OAuth2 - Allowed Scopes     email, openid                  -

Save Changes

Leave the Implicit Grant flow disabled: the ALB holds the client secret and exchanges the authorization code server-side, whereas the implicit flow would return tokens in the browser URL fragment.
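The Cognito-side steps in the two sections above (creating the SAML identity provider, and the app client settings for the ALB) can also be applied with boto3. The script below is an added example, not code from the fedlab repository or the Cognito console. It assumes the $CUPID, $CUPCID, $AZDFM and $ALBURL values recorded earlier and the provider name AAD; the request builders are pure functions so their output can be inspected offline, and only apply() talks to AWS (it needs boto3 and cognito-idp permissions). It also builds the Hosted UI login URL of the form shown under App Clients with a state parameter, refusing a redirect_uri that is not a registered callback. The email attribute mapping is included because email is a required attribute of the pool.

```python
"""Apply the Cognito-side federation settings with boto3.
Added example, not code from the fedlab repository. Builders return the exact
request parameters; apply() sends them and is the only part that needs AWS."""
import secrets
from urllib.parse import urlencode, urlsplit

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def alb_callback_url(alb_url):
    """The ALB's OIDC redirect endpoint: HTTPS only, path fixed to /oauth2/idpresponse."""
    parts = urlsplit(alb_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("callback URL must be an https:// URL with a host")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("pass the bare ALB base URL; the ALB fixes the path itself")
    return f"https://{parts.netloc}/oauth2/idpresponse"


def saml_provider_request(pool_id, provider_name, metadata_url):
    """Parameters for cognito-idp CreateIdentityProvider (Federation | Identity Providers)."""
    if not metadata_url.startswith("https://"):
        raise ValueError("fetch metadata over https; it carries the IdP signing certificate")
    return {
        "UserPoolId": pool_id,
        "ProviderName": provider_name,
        "ProviderType": "SAML",
        "ProviderDetails": {"MetadataURL": metadata_url},
        # Map the AAD emailaddress claim (sourced from user.userprincipalname) onto
        # the pool's required 'email' attribute; without this federated sign-in fails.
        "AttributeMapping": {"email": EMAIL_CLAIM},
    }


def alb_client_settings_request(pool_id, client_id, provider_name, alb_url):
    """Parameters for cognito-idp UpdateUserPoolClient (App Integration | App Client
    Settings). UpdateUserPoolClient resets any setting it does not mention to its
    default, so every field the ALB client needs is stated explicitly."""
    return {
        "UserPoolId": pool_id,
        "ClientId": client_id,
        "SupportedIdentityProviders": [provider_name],
        "CallbackURLs": [alb_callback_url(alb_url)],
        # Authorization code grant only: the ALB exchanges the code server-side with
        # the client secret, so the implicit grant (tokens in the URL fragment) stays off.
        "AllowedOAuthFlows": ["code"],
        "AllowedOAuthScopes": ["openid", "email"],   # openid is required to get email
        "AllowedOAuthFlowsUserPoolClient": True,
    }


def hosted_ui_login_url(hosted_ui_base, client_id, redirect_uri, registered_callbacks,
                        identity_provider=None):
    """Manual smoke-test URL for the Hosted UI, with a random state value the caller
    must compare against the state echoed back on the callback. Cognito rejects a
    redirect_uri that does not exactly match a registered callback, so check first."""
    if redirect_uri not in registered_callbacks:
        raise ValueError(f"{redirect_uri} is not a registered callback URL")
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    if identity_provider:
        params["identity_provider"] = identity_provider   # skip the chooser, go straight to AAD
    return f"{hosted_ui_base}/login?{urlencode(params)}", state


def apply(pool_id, client_id, provider_name, metadata_url, alb_url, region):
    """Send both requests with boto3 (needs AWS credentials; not exercised offline)."""
    import boto3  # imported here so the builders above are usable without boto3
    idp = boto3.client("cognito-idp", region_name=region)
    idp.create_identity_provider(**saml_provider_request(pool_id, provider_name, metadata_url))
    idp.update_user_pool_client(
        **alb_client_settings_request(pool_id, client_id, provider_name, alb_url))


if __name__ == "__main__":
    # Sample values from this README; substitute your own recorded values.
    req = alb_client_settings_request("ap-southeast-2_0ShBpWf3u", "2n6pup059ng2scg8n1crb1v5j6",
                                      "AAD", "https://www2.craigroachnz.net")
    print(req)
    url, state = hosted_ui_login_url(
        "https://craigaroachicloud-bluecup.auth.ap-southeast-2.amazoncognito.com",
        "2n6pup059ng2scg8n1crb1v5j6", req["CallbackURLs"][0], req["CallbackURLs"], "AAD")
    print(url, "expect state", state, "on the callback")
```

The builders are deliberately separate from apply() so the settings can be diffed against the console before anything is changed; the state value returned with the login URL is what a test harness compares against the state parameter on the /oauth2/idpresponse redirect.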

Create Elastic Beanstalk Application

Create sample application without ALB

Create ALB

About

Cognito Federation
