How do I set up my Application Load Balancer to authenticate users through an Amazon Cognito user pool in another AWS account?

Lesedauer: 6 Minute
0

I want to use Amazon Cognito authentication on my Application Load Balancer, but my user pool is in another AWS account. So, I want to use a cross-account user pool for authentication.

Short description

Only Amazon Cognito user pools in the same account are supported by default when you configure an Application Load Balancer for user authentication. However, as a workaround, set up your cross-account user pool as an OpenID Connect (OIDC) identity provider (IdP).

Follow these instructions to configure your Application Load Balancer in one account ("account B") for authentication through a user pool in another account ("account A").

Resolution

Create an Application Load Balancer

If you haven't done so already, in account B create an Application Load Balancer with an HTTPS listener.
Note: The authenticate-cognito and authenticate-oidc rule action types are supported only with HTTPS listeners.

Get the DNS name of your Application Load Balancer in account B

  1. In account B, open the Load Balancers page of the Amazon Elastic Compute Cloud (Amazon EC2) console.
  2. Select your Application Load Balancer.
  3. On the Description tab, copy your load balancer's DNS name. You need this to access and test your load balancer's endpoint URL later.

Create and configure a user pool in account A

  1. In account A, create an Amazon Cognito user pool with an app client. For the app client, be sure to select the Generate client secret option. For more information, see Prepare to use Amazon Cognito.
    Note: During user pool creation, configure the settings that you want for production. Some user pool settings can't be changed after you create the user pool. For example, you can't change the standard attributes required for user registration.
  2. In the Amazon Cognito console, on the User pool overview section for your user pool, note the User pool ID. You need this later to gather your user pool's OIDC configuration details.
  3. Under App integration tab, navigate to Domain. Add an Amazon Cognito domain name for your user pool. It is a unique domain prefix that is required by Cognito Hosted UI
  4. Under App integration tab, navigate to App client list
  5. Choose the app client that you want to update. On the App client page, complete these steps:
    Turn on Show client secret.
    Copy the App client id and App client secret. You need these values to configure your Application Load Balancer for user authentication.
  6. On App client page, navigate to the Hosted UI section**,** click Edit.
  7. On the Edit Hosted UI page, complete these steps:
    For Identity Providers, select Cognito User Pool.
    For Add Callback URL(s), enter https://loadBalancerDNSName/oauth2/idpresponse. Or, if you mapped a custom domain to your load balancer with a CNAME record, enter https://CNAME/oauth2/idpresponse.
    Note: Replace loadBalancerDNSName with the DNS name that you copied from the Amazon EC2 console. If you're using a CNAME record, then replace CNAME with your custom domain. Make sure that your values in the URLs are lowercase, or you receive an error.
    For Add Sign out URL(s), enter the URL where you want your users to be redirected after signing out. For testing, enter any valid URL, such as https://example.com/.
    For OAuth 2.0 grant types, select Authorization code grant.
    For OpenID Connect scopes, select Openid. The openid scope returns an ID token.
    Enter any additional OAuth scopes as required by your use case.
  8. Choose Save changes.

For more information, see Configuring a user pool app client and Adding OIDC identity providers to a user pool.

Get your user pool's OIDC configuration details

Access your user pool's OIDC configuration endpoint. You need the configuration details to set up your user pool as an OIDC IdP on your Application Load Balancer.

  1. In your browser, enter this URL: https://cognito-idp.region.amazonaws.com/userPoolId/.well-known/openid-configuration
    Note: Replace region with the AWS Region of your user pool. (For example, us-east-1.) Replace userPoolId with your user pool's ID that you noted earlier.
  2. Copy the JSON response that displays in your browser. Note the values for these fields:
    authorization_endpoint
    issuer
    scopes_supported
    token_endpoint
    userinfo_endpoint

Configure your Application Load Balancer in account B

  1. In account B, on the Load Balancers page of the Amazon EC2 console, select your Application Load Balancer.
  2. On the Listeners tab, under Rules, choose View/edit rules for your HTTPS listener.
  3. In the menu bar, choose the pencil icon (Edit rules).
  4. Next to the default rule for your HTTPS listener, choose the pencil icon (Edit Rule).
  5. Under THEN, choose Add action, and then complete these steps:
    Choose Authenticate.
    For Authenticate, choose OIDC.
    For Issuer, enter the issuer value from your user pool's OIDC configuration.
    For Authorization endpoint, enter the authorization_endpoint value.
    For Token endpoint, enter the token_endpoint value.
    For User info endpoint, enter the userinfo_endpoint value.
    For Client ID, enter the App client id that you copied earlier from the Amazon Cognito console.
    For Client secret, enter the App client secret that you copied earlier.
    Expand Advanced settings.
    For Scope, enter the scopes that you configured for your user pool app client, separated by spaces. Find the scopes in your user pool's OIDC configuration. For example, if the scopes_supported value in the configuration is ["openid","email","phone","profile"], enter openid email phone profile.
    Choose the check mark icon.
  6. Under THEN, choose Add action, and then complete these steps:
    Note: If you aren't able to choose Add action, delete the current routing action (such as Redirect to). Then, try again.
    Choose Forward to.
    For Forward to, choose one or more target groups.
    (Optional) Configure Group-level stickiness.
    Choose the check mark icon.
  7. Choose Update. The HTTPS listener's default rule is updated.

For more information, see Edit a rule.

Test the setup

In your browser, enter either of these URLs:

  • https://loadBalancerDNSName/
  • https://CNAME/

Note: Replace loadBalancerDNSName with the DNS name that you copied earlier from the Amazon EC2 console. Or, replace CNAME with your custom domain.

You're redirected to the Amazon Cognito hosted web UI for your user pool. When a user signs in here and is authenticated by the user pool, they're redirected to the target.

Related information

Getting started with Application Load Balancers

Simplify login with Application Load Balancer built-in authentication

Authenticate users Using an Application Load Balancer

Listener rules for your Application Load Balancer

OIDC user pool IdP authentication flow

AWS OFFICIAL
AWS OFFICIALAktualisiert vor 8 Monaten
3 Kommentare

This setup does not work. You get a 400 when redirected to the authorization endpoint. Inspecting the URL and shortening the state query parameter resolves the 400 (but obviously doesn't fix the login). It looks like cognito and ALB are not compatible cross account :-(

Havard
beantwortet vor 9 Monaten

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
beantwortet vor 9 Monaten

It worked for me just now

duckfez
beantwortet vor 9 Monaten