Using AWS Cognito and AD FS as authentication for a web app


Question

We are currently building a web app using a full serverless stack on AWS. So far we have been very successful using AWS Lambda, AWS DynamoDB and Cognito User Pools. This application is intended to be an enterprise application and one of my clients wants to be able to log all users in using their current Active Directory credentials. I have used AD FS in the past on other applications but it has always turned out to be a bit of a hack to get it working.

Now, I want to send the customer instructions on how to configure their AD FS relying party trust to authenticate against my application.

I have read that the best way to do this is to create a Cognito Identity Provider that links to a Cognito User Pool. In the User Pool you should create a SAML provider and upload the metadata.xml from the AD FS server.

I have set up a lab server with AD FS and I can get that working. Now I am not sure what I am doing wrong in terms of the Relying Party Trust setup or the Cognito setup. I have been at this for ages and read just about every blog article I can find. If anyone can help me out or point me in the right direction that would be greatly appreciated.

Recommended answer

After much frustration, I can now answer this question so I decided to put together an easy step-by-step answer for beginners with these struggles.

I am only going into the authentication setup and not the authorisation. Authorisation requires IAM roles and some other logic that is architecture specific. I'm happy to discuss that elsewhere.

There are 2 components to this kind of setup:


  1. An AWS Cognito User Pool with a federated identity provider
  2. A Windows Server with AD FS installed

Creating the Cognito User Pool domain

In the Cognito User Pool under General Settings, select App clients and add one if there are none (you will need the ID later).

Then go to Domain Name under App Integration and choose a valid domain prefix and save it.

You will need to get the company to set up a relying party trust. The steps required are as follows:

  1. Open the AD FS management console
  2. Create a new relying party trust
  3. Select to enter the details manually
  4. Enter a name for the trust that is easily identifiable as your application
  5. Select to use ADFS 2.0
  6. In this example, there is no need for a certificate so just click next
  7. Select the checkbox to enable the SAML 2.0 protocol and enter the URL in this format: https://<domain_prefix>.auth.<region>.amazoncognito.com/saml2/idpresponse (domain prefix is set in the previous step)
  8. The relying party trust identifier needs to be urn:amazon:cognito:sp:<pool-id> where pool-id is the AWS Cognito User Pool id found in the General Settings of the user pool
  9. Permit all users to authenticate (assuming that is your intention)

Now you need to add claims to the relying party trust.

  1. Right-click on the relying party trust and click edit claims
  2. Create a new claim that sends LDAP attributes
  3. Give it a name (I normally use Profile but this is up to you)
  4. Make the attribute store Active Directory
  5. Fill in the table as you need. A requirement is that you have a Name ID being returned (I normally use the User-Principal-Name mapping to Name ID). The rest of the table is as you need. For example, Given-Name can map to FName

Federated Identities in AWS Cognito User pool

So as the application developer, you need to set up the Cognito User pool. Go through the wizard and choose your preferred settings. The federated identities don't necessarily play by the same rules as the user pool itself anyway.

The steps to set up the federated identity are:

  1. In the Cognito user pool select Identity Providers under Federation
  2. Click on SAML
  3. Provide the metadata document endpoint (normally in the form of https://<fqdn>/FederationMetadata/2007-06/FederationMetadata.xml). If you can't, then download that file and upload it by clicking "Select File"
  4. Enter a provider name that makes sense to you but make sure not to put any spaces in the name
  5. The identifiers are optional (see below for their use)
  6. Checking enable IdP sign out flow will sign your users out of their federated identity as well as your application on sign out.
  7. Click create provider

Attribute Mapping for Federated Identity

  1. Create the field mappings for the Federated Identity by going to Attribute Mapping under Federation in the user pool.
  2. Select SAML
  3. Click Add SAML Attribute
  4. Make sure Capture is checked, enter the SAML attributes from above (such as FName) and select the user pool attribute that it maps to.

Setting up the App Client

The last step before testing is to set up the app client that you created earlier.

  1. Go to App Client Settings under App Integration
  2. Enter the settings for the appropriate app client
  3. Select all the appropriate identity providers (specifically the one setup above)
  4. You can set a comma-separated list of callback and logout URLs. The callback URLs should point to somewhere that will use the token after authentication (see testing below).
  5. Select the OAuth 2.0 attributes as required but for testing select everything but Client credentials

Testing

To test, you can try a few different URLs in the form of:

  • https://<domain_prefix>.auth.<region>.amazoncognito.com/authorize?idp_identifier=<idp_identifier>&response_type=token&client_id=<app_client_id>&redirect_uri=<app_client_callback_URL> to go directly to the authorize endpoint
  • https://<domain_prefix>.auth.<region>.amazoncognito.com/login?response_type=token&client_id=<app_client_id>&redirect_uri=<app_client_callback_URL> to go to the AWS hosted login UI

The idp_identifier is the optional field defined when creating the federated identity. This is not required in the URL either.

This one-page web app is a good tool to use to test that things are working and you are getting the desired response.

I hope this helps other people.
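As an added example (not part of the original answer), the following Python script builds the two hosted-UI test URLs from the Testing section above, pulls the tokens out of the URL fragment that `response_type=token` sends to the callback, and checks the ID token's claims against the pool and app client before the callback trusts it. The region, pool id, app client id, domain prefix and callback URL are constructed placeholders, and the sample token is unsigned; in real use the RS256 signature must be verified against the pool's JWKS before these claim checks run.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; substitute the pool, app client and domain from your own setup.
REGION = "eu-west-1"
POOL_ID = "eu-west-1_EXAMPLE01"
CLIENT_ID = "1example23456789abcdefghijk"
DOMAIN_PREFIX = "myapp-test"
CALLBACK_URL = "https://localhost/callback"
EXPECTED_ISS = f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}"

def hosted_ui_login_url(idp_identifier=None):
    """Build the answer's test URLs: /authorize with idp_identifier, otherwise the /login hosted UI."""
    params = {"response_type": "token", "client_id": CLIENT_ID, "redirect_uri": CALLBACK_URL}
    if idp_identifier:
        params["idp_identifier"] = idp_identifier
    path = "authorize" if idp_identifier else "login"
    return f"https://{DOMAIN_PREFIX}.auth.{REGION}.amazoncognito.com/{path}?{urlencode(params)}"

def tokens_from_callback(url):
    """With response_type=token the tokens arrive in the URL fragment (after '#'), not the query string."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).fragment).items()}

def _b64url_json(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_id_token_claims(id_token, now=None):
    """Claim checks to run AFTER the RS256 signature has been verified against the pool's JWKS
    (https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json); returns the failed checks."""
    now = time.time() if now is None else now
    header, payload = (_b64url_json(s) for s in id_token.split(".")[:2])
    checks = {
        "alg": header.get("alg") == "RS256",            # Cognito signs user pool tokens with RS256 only
        "iss": payload.get("iss") == EXPECTED_ISS,      # issued by this pool, not some other pool
        "aud": payload.get("aud") == CLIENT_ID,         # minted for this app client
        "token_use": payload.get("token_use") == "id",  # reject an access token passed as an ID token
        "exp": payload.get("exp", 0) > now,
    }
    return [name for name, ok in checks.items() if not ok]

def sample_id_token(**overrides):
    """Constructed, unsigned sample token for offline testing; the third segment is a dummy
    because this block does not sign anything, whereas a real token carries an RS256 signature."""
    claims = {"iss": EXPECTED_ISS, "aud": CLIENT_ID, "token_use": "id", "exp": 4102444800}
    claims.update(overrides)
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "kid": "example-kid"})
    return f"{header}.{enc(claims)}.signature-placeholder"
```

A failing `aud` or `token_use` check is what stops an access token, or an ID token issued to a different app client of the same pool, from being accepted by your callback.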
