© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
BENGALURU
Identity Federation
with AWS Cognito
Kumaravel Ponnusamy | 25-09-2018
Objective
• To share knowledge and lessons learned from identity federation with
Cognito.
• To outline the challenges and solutions around single sign-on,
IAM policies and securing the tokens.
• To communicate with a third-party authentication provider and federate it
through a Cognito identity pool so that AWS resources and services are
accessed securely.
Introduction
• We developed a web-based front-end application that connects
to an AWS serverless architecture.
• We have implemented the application with a custom authentication &
authorization method to communicate with AWS.
Overall Flow
Business case
• Low cost of authentication and authorization.
• Interoperability within AWS Services.
• Secure communication with IoT Devices.
• Managing secure tokens between user sessions.
• Serverless application to achieve single sign-on.
Tools & Components
• Auth0
• AWS IAM
• AWS Cognito federated identity
• AWS Resources
Challenges:
• A secure way of sharing the temporary credentials with the front end.
• Expiry of the temporary credentials issued by Cognito.
• Attaching AWS resource policies to the authenticated identity.
• Connecting over MQTT to AWS IoT using temporary credentials, with
role-based access control (RBAC).
Solutions
• Auth0 connectivity with IAM
• Add Auth0 as an IAM identity provider using the
following parameters:
• Client ID
• Client secret
• Identity provider URL
Solutions (contd.)
• Cognito Identity pool
• Create a federated identity (identity pool) mapped to the
following:
• IAM authenticated role
• IAM unauthenticated role
• The OpenID identity provider
Solutions (contd.)
• The temporary credentials (session token and secret key) are passed to the
front end by a Lambda function. Using SigV4 and crypto libraries, the front
end connects to AWS resources with these temporary credentials.
• The session token expires after a fixed period, even while the
user is active.
• To avoid this, renew the token automatically: fetch a new session token
before the current one expires.
Questions?
Thank you