AWS Cognito Authenticator

The AWS Cognito Authenticator allows users to log in to your organization's applications using AWS Cognito, Amazon's managed user directory and authentication service. The AWS Cognito authenticator is configured as a federated authenticator in WSO2 Identity Server 5.7.0 and above. It also supports federated single logout with AWS Cognito.

Let's explore the following topics to learn how to configure the AWS Cognito authenticator and WSO2 Identity Server.

Compatibility

Version   Supported WSO2 IS versions
1.0.0     5.7.0 and above

Deploying AWS Cognito authenticator artifacts

You can either download the AWS Cognito authenticator artifacts or build the authenticator from the source code.

  1. To download the AWS Cognito artifacts:

    1. Stop WSO2 Identity Server if it is already running.
    2. Visit the Connector Store and download the artifacts.
    3. Copy the org.wso2.carbon.identity.application.authenticator.cognito-x.x.x.jar file into the <IS-Home>/repository/components/dropins directory.
  2. To build from the source code:

    1. Stop WSO2 Identity Server if it is already running.
    2. To build the authenticator, navigate to the identity-outbound-auth-cognito directory and execute the following command in a command prompt.
      mvn clean install
      
      Note that the org.wso2.carbon.identity.application.authenticator.cognito-x.x.x.jar file is created in the identity-outbound-auth-cognito/component/target directory.
    3. Copy the org.wso2.carbon.identity.application.authenticator.cognito-x.x.x.jar file into the <IS-Home>/repository/components/dropins directory.
  • Add the following configuration to the <IS-Home>/repository/conf/identity/application-authentication.xml file:

      <AuthenticatorConfig name="CognitoOIDCAuthenticator" enabled="true">
          <Parameter name="ClaimDialectUri">http://wso2.org/oidc/claim</Parameter>
          <Parameter name="CognitoAuthzEndpoint">/oauth2/authorize</Parameter>
          <Parameter name="CognitoTokenEndpoint">/oauth2/token</Parameter>
          <Parameter name="CognitoUserInfoEndpoint">/oauth2/userInfo</Parameter>
          <Parameter name="CognitoLogoutEndpoint">/logout</Parameter>
      </AuthenticatorConfig>

Note : These values are hardcoded in the authenticator as defaults. If the parameters are not present in the configuration file, the default values shown above are used.

Configuring the AWS Cognito user pool

Follow the steps below to configure a user pool in AWS Cognito.

  1. Sign in to the AWS Console.
  2. Search for Amazon Cognito and open the service.
  3. Click 'Manage User Pools' and then create a user pool. Provide a 'Pool name' and click 'Review Default'. Review the settings and click 'Create'. The user pool is then created.
  4. Under General settings, click 'App clients'.
  5. Click 'App client' and provide an 'App client name'. Then click 'Create app client'.
  6. The app client details are displayed. Take note of the 'App client id' and 'App client secret'.
  7. In the App client settings under App integration of the user pool, provide the following:
    • Enabled Identity Providers : Cognito User Pool
    • Callback URL(s) : https://<is_host>:<is_port>/commonauth
    • Sign out URL(s) : https://<is_host>:<is_port>/commonauth?state=logout
    • Allowed OAuth Flows : Authorization code grant
    • Allowed OAuth Scopes : openid

Note : It is mandatory to add state=logout as a query parameter of the sign out URL.

  8. Set up the domain name for the user pool. You can use an 'Amazon Cognito domain' or your own domain.
  9. In 'Users and Groups', create a user.

Configuring the identity provider

An identity provider (IdP) is responsible for authenticating users and issuing identification information by using security tokens like SAML 2.0, OpenID Connect, OAuth 2.0 and WS-Trust.

Follow the steps below to configure WSO2 Identity Server as an IdP that uses AWS Cognito for federated authentication.

Before you begin

  1. Download WSO2 Identity Server.
  2. Run WSO2 Identity Server.

Configuration steps

  1. Access the WSO2 Identity Server Management Console as an administrator.

  2. Navigate to Main > Identity > Identity Providers and click Add.

  3. Enter a suitable name for the identity provider in the Identity Provider Name text box.

  4. Under Federated Authenticators, click AWS Cognito Configuration and enter the required values as given below.

    Field: Enable
      Description: Selecting this option enables AWS Cognito to be used as an authenticator for users provisioned to WSO2 Identity Server.
      Sample value: Selected

    Field: Default
      Description: Selecting this option signifies that AWS Cognito is used as the main/default form of authentication. Selecting this removes the selection made for any other Default checkboxes for other authenticators.
      Sample value: Selected

    Field: Client Id
      Description: This is the client key of your AWS Cognito user pool.
      Sample value: 1uttd7h38ccaelctoklpdid60b

    Field: Client Secret
      Description: This is the client secret of your AWS Cognito user pool.
      Sample value: 12cicbu0uc1i72krvtcqvq1n6hk6qbtib6i1i376hfcmm2t9cljq

    Field: Callback URL
      Description: This is the service provider's URL to which authorization codes are sent upon successful authentication; the browser is redirected to this URL. It must be the same as the Callback URL specified in the user pool's app client settings.
      Sample value: https://www.wso2is.com:9443/commonauth

    Field: User Pool Domain
      Description: This is the User Pool Domain of your AWS Cognito user pool.
      Sample value: https://wso2iscognito.auth.us-east-1.amazoncognito.com

    Field: Logout Redirect URL
      Description: This is the service provider's URL to which the logout response is sent once AWS Cognito completes the logout; the browser is redirected to this URL. It must be the same as the Sign out URL specified in the user pool's app client settings, and it is mandatory to include state=logout as a query parameter.
      Sample value: https://www.wso2is.com:9443/commonauth?state=logout


  5. Click Register.

You have successfully added the identity provider. Next, you will configure the service provider.
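As an added example (not code from the authenticator project), the following Python builds the Cognito redirect URLs from the User Pool Domain and the relative endpoint paths of the AuthenticatorConfig above, checks the identity provider fields for the mistakes that break login or logout, and shows how the state=logout parameter lets the /commonauth endpoint tell a logout return apart from an authorization-code response. The sample values are the ones from the table above; the dictionary keys and the check functions are assumptions.

```python
# Added example (not the authenticator's own code): Cognito URLs and config checks.
from urllib.parse import parse_qs, urlencode, urlsplit

# Defaults mirror the <Parameter> values in application-authentication.xml.
DEFAULT_PARAMS = {
    "CognitoAuthzEndpoint": "/oauth2/authorize",
    "CognitoTokenEndpoint": "/oauth2/token",
    "CognitoUserInfoEndpoint": "/oauth2/userInfo",
    "CognitoLogoutEndpoint": "/logout",
}

SAMPLE_IDP = {  # sample values from the identity provider table; keys are assumed
    "client_id": "1uttd7h38ccaelctoklpdid60b",
    "callback_url": "https://www.wso2is.com:9443/commonauth",
    "user_pool_domain": "https://wso2iscognito.auth.us-east-1.amazoncognito.com",
    "logout_redirect_url": "https://www.wso2is.com:9443/commonauth?state=logout",
}

def check_idp_config(idp):
    """Return the list of configuration problems; an empty list means OK."""
    problems = []
    domain = urlsplit(idp["user_pool_domain"])
    if domain.scheme != "https" or domain.path not in ("", "/"):
        problems.append("User Pool Domain must be an https origin without a path")
    if urlsplit(idp["callback_url"]).scheme != "https":
        problems.append("Callback URL must use https")
    if parse_qs(urlsplit(idp["logout_redirect_url"]).query).get("state") != ["logout"]:
        problems.append("Logout Redirect URL must carry state=logout")
    return problems

def _endpoint(idp, params, name):
    return idp["user_pool_domain"].rstrip("/") + params[name]

def build_authz_url(idp, state, params=DEFAULT_PARAMS):
    """Authorization code request; redirect_uri must equal a registered Callback URL."""
    query = {"response_type": "code", "client_id": idp["client_id"],
             "redirect_uri": idp["callback_url"], "scope": "openid", "state": state}
    return _endpoint(idp, params, "CognitoAuthzEndpoint") + "?" + urlencode(query)

def build_logout_url(idp, params=DEFAULT_PARAMS):
    """Federated logout; logout_uri must equal a registered Sign out URL."""
    query = {"client_id": idp["client_id"], "logout_uri": idp["logout_redirect_url"]}
    return _endpoint(idp, params, "CognitoLogoutEndpoint") + "?" + urlencode(query)

def classify_commonauth_request(url):
    """Tell the logout return apart from a login response at /commonauth."""
    q = parse_qs(urlsplit(url).query)
    if q.get("state") == ["logout"]:
        return "logout"
    return "login" if "code" in q else "error" if "error" in q else "unknown"
```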

Configuring the service provider

  • In the 'Local & Outbound Authentication Configuration' section of the service provider, add the identity provider you created as a federated authenticator.