Follow the step-by-step instructions below to build an authenication workflow. Click on each step number to expand the section.

  • Step 1. Create an Amazon Cognito user pool

    Amazon Cognito provides authentication, authorization, and user management for your apps. A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your apps through Amazon Cognito.

    1. Open the Amazon Cognito console at https://console.aws.amazon.com/cognito/.
    2. On the Amazon Cognito welcome page, choose Manage User Pools.
    3. In the upper-right corner of the Your User Pools page, choose Create a user pool.
    4. For Pool name, type examplecorp_dashboard.
    5. Choose Review defaults.
    6. On the review page, choose Create pool.
    7. Make a note of the Pool Id value at the top of the details page. You will need this value in the following modules:
    •     In this module (Module 2), Step 4. Add a user and application in AWS SSO, when you specify a value for Application SAML audience.
    •     In Module 5, Step 2. Update the config.js file, when you specify a value for userPoolId.
  • Step 2. Create an app client to use the Example Corp. EUC dashboard website for signing in your users

    After you create a user pool, create an app client.

    1. In the navigation pane, under General settings, choose App clients.
    2. Choose Add an app client.
    3. For App client name, type examplecorp_dashboard_app.
    4. Keep the default value for Refresh token expiration (days).
    5. Clear the Generate client secret check box. Client secrets aren't currently supported for use with browser-based applications.
    6. Keep the rest of the default settings, and then choose Create app client.
    7. Make a note of the App client id value. You will need this value in Module 5, Step 2. Update the config.js file, when you specify a value for userPoolClientId.
    8. In the navigation pane, under General settings, choose Policies.
    9. Under What password strength do you want to require?, keep the default settings or make changes as required for your environment.
    10. Under Do you want to allow users to sign themselves up?, choose Only allow administrators to create users.
    11. Choose Save Changes.
    12. In the navigation pane, under App integration, choose Domain name.
    13. Enter a unique domain prefix for your user pool (such as examplecorp), and then choose Check availability.
    14. At the top of the page, a message notifies you whether the domain is available. After the domain is verified as available, choose Save changes.
    15. At the top of the page, make a note of the complete domain name. You will need this value in the following modules:
    •     This module (module 2), Step 4. Add a user and application in AWS SSO, when you specify a value for Application ACS URL.
    •     In Module 5, Step 2. Update the config.js file, when you specify a value for authURL.
  • Step 3. Enable AWS SSO and create an AWS organization

    AWS SSO lets you centrally manage SSO access to all of your AWS accounts and cloud applications. AWS SSO also helps you manage access and permissions to commonly used third-party software as a service (SaaS) applications, AWS SSO-integrated applications, and custom applications that support Security Assertion Markup Language (SAML) 2.0.

    When you open the AWS SSO console for the first time, you’re prompted to enable AWS SSO before you can start managing it.

    1. Open the AWS SSO console at https://console.aws.amazon.com/singlesignon.
    2. On the AWS Single Sign-on (SSO) page, do one of the following:
        •     If this is the first time you’re using AWS SSO, choose Enable AWS SSO.
        •     If you’ve used AWS SSO before, you can skip this step.
    3. If this is the first time you’re using AWS SSO and you’re not using AWS Organizations, you’re prompted to choose whether to have an AWS organization created for you.
    4. Choose Create AWS organization.
      With AWS SSO, you manage SSO access and user permissions across all your AWS accounts in AWS Organizations.
    5. After SSO is enabled and an AWS organization is created, the Welcome to AWS Single-Sign-On page opens.

  • Step 4. Add a user and application in AWS SSO

    1. To enable users to sign in through a SAML identity provider (IdP), you must first update your SAML identity provider and configure your Amazon Cognito user pool. This requires adding Amazon Cognito as a service provider (SP) to your SAML IdP. In the navigation pane of the AWS SSO console, choose Users, and then choose Add user.
    2. Under User details, do the following:
      •     For Username, enter the name that you want to use for sign-in to the user portal. This value can’t be changed later.
      •     For Password, specify whether to send an email to the user with password setup instructions (the default option), or to generate a one-time password that you can share with the user.
      •     For Email address, enter and then confirm the email address that you want to use.
      •     For First name and Last name, enter the names that you want to use. These values are required for automatic provisioning to work.
      •     For Display name, keep the default name, which is based on the values that you specified for First name and Last name, or enter a different name.
    3. Leave the remaining optional fields empty, and then choose Next: Groups.
    4. Creating a group is optional. Create a group if you want one for your environment, or skip this step.
    5. Choose Add user.
    6. At the top of the page, a message notifies you that the user was added successfully. The user receives an email with the subject Invitation to join AWS Single Sign-On. For this tutorial, if you specified yourself as the user, do the following to activate your account:
      •     In the email, choose the Accept invitation link.
      •     The AWS SSO user portal page opens with your user name already populated.
      •     Enter a password and confirm it. Make a note of this password. You will need it later in the workshop.
      •     Choose Update user.
      •     The Single Sign-On page opens, and a message notifies you that your account is successfully activated.
    7. Return to the AWS SSO console. In the navigation pane, choose Applications, and then choose Add a new application.
    8. Under AWS SSO Application Catalog, choose Add a custom SAML 2.0 application.
    9. On the Configure Custom SAML application page, for Display name, enter the following:
      examplecorp_dashboard
    10. Under AWS SSO metadata, for AWS SSO SAML metadata file, make a note of the URL. You will need the URL in Step 5. Create a Provider in Amazon Cognito, when you specify the metadata document endpoint URL.
    11. Skip the Application properties section.
    12. Under Application metadata, select the link If you don’t have a metadata file, you can manually type your metadata values.
    13. For Application ACS URL, enter the Amazon Cognito domain name from Step 2. Create an app client to use the Example Corp. website for signing in your users. Append the domain name with the following path:

      /saml2/idpresponse

      The format is as follows:

      https://<domainprefix>.auth.<region-code>.amazoncognito.com/saml2/idpresponse

    14. For Application SAML audience, enter the Amazon Cognito user pool service provider URN. To do so, enter the Amazon Cognito user pool ID that was generated in Step 1. Create an Amazon Cognito user pool. Prepend the user pool ID with the following:

      urn:amazon:cognito:sp:

      The format is as follows:

      urn:amazon:cognito:sp:<user_pool_id>

    15. Choose Save changes.
    16. The examplecorp_dashboard app details page opens.
    17. Choose the Attribute mappings tab.
    18. For Maps to this string value or user attribute in AWS SSO, enter the following value:

      ${user:email}

    19. For Format, choose unspecified.
    20. Select Add new attribute mapping and do the following:

      •     For User attribute in the application, enter the following value:

      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

      •     For Maps to this string value or user attribute in AWS SSO, enter the following value:

      ${user:email}

      •     For Format, choose unspecified.

    21. Choose Save changes.
    22. Choose the Assigned Users tab, and choose Assign users.
    23. Select the check box next to the name of the user that you created in steps 1 and 2 of this procedure, and then choose Assign users.

     

  • Step 5. Create a SAML identity provider in your Amazon Cognito user pool

    This procedure describes how to use AWS SSO as the IdP.

    1. Open the Amazon Cognito console at https://console.aws.amazon.com/cognito/.
    2. Choose Manage User Pools.
    3. On the Your User Pools page, choose examplecorp_dashboard.
    4. In the navigation pane, under Federation, choose Identity providers.
    5. Choose SAML and do the following:
      •     Under Metadata document, in the box for Provide metadata document endpoint URL, enter the AWS SSO SAML metadata file URL from Step 4. Add a user and application in AWS SSO. This URL points to the metadata document.
      •     For Provider name, enter dashboard. Make a note of this name. You will need this name in Module 5, Step 2. Update the config.js file.
      •     For Identifiers, enter the fully qualified domain name (FQDN) of the SAML users. This is the part of the user account after the @, but not including the @ symbol.
      •     Choose Create provider.

      After you create the IdP, under Active SAML Providers, dashboard appears as a provider.

    6. In the navigation pane, under Federation, choose Attribute mapping.
    7. On the SAML tab, choose Add SAML attribute.
    8. For SAML attribute, enter the following value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    9. For User pool attribute, choose Email.
    10. Choose Save changes.
    11. In the navigation pane, under App Integration, choose App client settings.
    12. Under Enabled Identity Providers, select the dashboard check box.
    13. For Callback URL(s), enter the CloudFront web distribution domain name URL from Module 1, Step 3. Create an Amazon CloudFront web distribution. Enter the URL with and without index.html following the domain name in a comma separated list. The format is as follows:

      https://<cloudfront_web_distribution_domain_name>,https://<cloudfront_web_distribution_domain_name>/index.html

    14. Under OAuth 2.0, select the following check boxes: Implicit grant, email, and openid.
    15. Choose Save changes.