How do I set up my Application Load Balancer to authenticate users through an Amazon Cognito user pool in another AWS account?

Last updated: 2020-05-27

I want to use Amazon Cognito authentication on my Application Load Balancer, but my user pool is in another AWS account. Can I use a cross-account user pool for authentication?

Short Description

Currently, only Amazon Cognito user pools in the same account are supported by default when configuring your Application Load Balancer for user authentication. However, as a workaround you can set up your cross-account user pool as an OpenID Connect (OIDC) identity provider (IdP).

Follow these instructions to configure your Application Load Balancer in one account ("account B") for authentication through a user pool in another account ("account A").

Resolution

Create an Application Load Balancer

If you haven't done so already, in account B create an Application Load Balancer with an HTTPS listener.

Note: The authenticate-cognito and authenticate-oidc rule action types are supported only with HTTPS listeners.

Get the DNS name of your Application Load Balancer in account B

  1. In account B, open the Load Balancers page of the Amazon Elastic Compute Cloud (Amazon EC2) console.
  2. Select your Application Load Balancer.
  3. On the Description tab, copy your load balancer's DNS name. You need this to access your load balancer's endpoint URL for testing later.

Create and configure a user pool in account A

  1. In account A, create an Amazon Cognito user pool with an app client. For the app client, be sure to select the Generate client secret check box. For more information, see Prepare to Use Amazon Cognito.
    Note: During user pool creation, configure the settings that you want for production. Some user pool settings can't be changed after you create the user pool. For example, you can't change the standard attributes required for user registration.
  2. In the Amazon Cognito console, on the General settings page for your user pool, note the Pool Id. You need this later for getting your user pool's OIDC configuration details.
  3. In the left navigation pane, under General settings, choose App clients.
  4. On the App clients page, do the following:
    Choose Show Details.
    Copy the App client id and App client secret. You need these later for configuring your Application Load Balancer for user authentication.
  5. In the left navigation pane, under App integration, choose App client settings.
  6. On the App client settings page, do the following:
    Under Enabled Identity Providers, select the Cognito User Pool check box.
    For Callback URL(s), enter https://loadBalancerDNSName/oauth2/idpresponse. Or, if you mapped a custom domain to your load balancer using a CNAME record, enter https://CNAME/oauth2/idpresponse.
    Note: Replace loadBalancerDNSName with the DNS name that you copied from the Amazon EC2 console. If you're using a CNAME record, replace CNAME with your custom domain.
    For Sign out URL(s), enter a URL where you want your users to be redirected after signing out. For testing, you can enter any valid URL, such as https://example.com/.
    Under Allowed OAuth Flows, select at least the Authorization code grant check box.
    Under Allowed OAuth Scopes, select at least the openid check box. The openid scope returns an ID token. Select any additional OAuth scopes according to your requirements.
  7. Choose Save changes.
  8. In the left navigation pane, under App integration, choose Domain name.
  9. Add a domain name for your user pool.

For more information, see Configuring a User Pool App Client and Adding OIDC Identity Providers to a User Pool.

Get your user pool's OIDC configuration details

Access your user pool's OIDC configuration endpoint. You need the configuration details to set up your user pool as an OIDC IdP on your Application Load Balancer.

  1. In your browser, enter the following URL:
    https://cognito-idp.region.amazonaws.com/userPoolId/.well-known/openid-configuration
    Note: Replace region with the AWS Region of your user pool. (For example, us-east-1.) Replace userPoolId with your user pool's ID that you noted earlier.
  2. Copy the JSON response that you see in your browser. Note the values for the following:
    authorization_endpoint
    issuer
    scopes_supported
    token_endpoint
    userinfo_endpoint

Configure your Application Load Balancer in account B

  1. In account B, on the Load Balancers page of the Amazon EC2 console, select your Application Load Balancer.
  2. On the Listeners tab, under Rules, choose View/edit rules for your HTTPS listener.
  3. In the menu bar, choose the pencil icon (Edit rules).
  4. Next to the default rule for your HTTPS listener, choose the pencil icon (Edit Rule).
  5. Under THEN, choose Add action, and then do the following:
    Choose Authenticate.
    For Authenticate, choose OIDC.
    For Issuer, enter the issuer value from your user pool's OIDC configuration.
    For Authorization endpoint, enter the authorization_endpoint value.
    For Token endpoint, enter the token_endpoint value.
    For User info endpoint, enter the userinfo_endpoint value.
    For Client ID, enter the App client id that you copied earlier from the Amazon Cognito console.
    For Client secret, enter the App client secret that you copied earlier.
    Expand Advanced settings.
    For Scope, enter the scopes that you configured for your user pool app client, separated by spaces. You can find the scopes in your user pool's OIDC configuration. For example, if the scopes_supported value in the configuration is ["openid","email","phone","profile"], enter openid email phone profile.
    Choose the check mark icon.
  6. Under THEN, choose Add action, and then do the following:
    Note: If you can't choose Add action, delete the existing routing action (such as Redirect to) using the trash can icon, and then try again.
    Choose Forward to.
    For Forward to, choose one or more target groups.
    (Optional) Configure Group-level stickiness.
    Choose the check mark icon.
  7. Choose Update. The HTTPS listener's default rule is updated.

For more information, see Edit a Rule.

Test the setup

In your browser, enter either of the following URLs:

  • https://loadBalancerDNSName/
  • https://CNAME/

Note: Replace loadBalancerDNSName with the DNS name that you copied earlier from the Amazon EC2 console. Or, replace CNAME with your custom domain.

You're redirected to the Amazon Cognito hosted web UI for your user pool. When a user signs in here and is authenticated by the user pool, they're redirected to the target.