如何让 AWS 作为 OIDC 或 SAML 提供商的 IdP? [英] How can I make AWS work as IdP for OIDC or SAML provider?
问题描述
我计划使用 IAM 和 cognito 身份池作为 OIDC 或 SAML 提供商.我的目标是在没有任何第三方集成的情况下使用 AWS 作为提供商.
I am planning to use IAM and cognito identity pool as OIDC or SAML provider.
My goal is to use AWS as the provider without any third party integration.
我查看了 IAM Identity Provider 并阅读了文档 https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html 但似乎我需要为 SAML 或来自第三方提供商的 OIDC 的提供商 URL 和受众.
I looked at IAM Identity Provider and have read through a doc https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html but it seems I need to provide Metadata document for SAML or Provider URL and audience for OIDC from third party providers.
有没有办法使用 AWS 作为提供者?我不想使用任何其他提供商.
Is there a way to use AWS as the provider? I don't want to use any other providers.
推荐答案
如果这是您的高级目标:
If this is your high level goal:
- 通过 OAuth 2.0 和 Open ID Connect 为 UI 和 API 提供现代和标准的安全性
那么 Cognito 用户池可能就是您正在寻找的.这将提供基于标准的端点,以便您可以以首选方式编写 UI 和 API.
Then a Cognito user pool is probably what you are looking for. This will provide standards based endpoints, so that you can code your UIs and APIs in the preferred way.
如果我没记错的话,身份池是一种用于获取用于访问用户特定 AWS 资源的 AWS 特定令牌的非标准解决方案.您应该能够在需要时通过让用户池与身份池通信来使用它.
If I remember rightly, an Identity Pool is a non standard solution for getting AWS specific tokens used to access user specific AWS resources. You should be able to use that when required by getting the User Pool to talk to the Identity Pool.
注意事项
从应用程序的角度来看,第一步通常总是定位 Open ID Connect 元数据端点 - UI 和 API 中的许多安全库都会使用它.
From an application viewpoint the first step is usually always to locate the Open ID Connect metadata endpoint - a lot of security libraries in UIs and APIs will use that.
Cognito 不是最成熟的系统,并且有一些烦恼和局限性.因此,保持基于 OAuth 2.0 和 Open ID Connect 的解决方案是值得的,以便您拥有最佳的长期选择 - 并且可以在需要时切换提供商......
Cognito is not the most mature of systems and has some annoyances and limitations. So it is worth keeping your solution based on OAuth 2.0 and Open ID Connect so that you have the best longer term options - and can switch providers if ever needed ...
这篇关于如何让 AWS 作为 OIDC 或 SAML 提供商的 IdP?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
