Protect AWS Cognito with eID MFA
Last updated
In this scenario, AWS Cognito, the AWS platform for sign-in and management of B2C identities, uses Integrity as its OpenID Connect Provider. With this setup, eIDs such as BankID, SITHS, EFOS, Freja, Norwegian ID-porten, Foreign eID (eIDAS) or Suomi.fi can be used to perform MFA authentication to AWS Cognito.
With this setup, it is also possible to use eIDs for sign-up and sign-in to B2C services in AWS.
In the use case described below, Freja orgID is used as the eID method.
Integrity will fetch all user attributes (claims) from the Freja orgID certificate used.
This scenario can easily be copied and modified to use other eID methods for MFA, such as SITHS, EFOS, BankID, Norwegian ID-porten, Foreign eID (eIDAS) or Suomi.fi.
There are some prerequisites for this use case. You will need the following:
A Freja certificate, to be able to communicate with the Freja backend.
AWS console administration rights.
Host (DNS) name of the Integrity service (external access)
Outgoing TCP/443 communication, to be able to reach the Freja backend services.
Open the folder where you have installed Web
Rename the customer folder to customer_OLD. The result should look like: \..\FortifiedID\web\customer_OLD
Download the following ZIP file: USE_CASE_AWS_COGNITO_FREJA_MFA.zip.
Unzip the file.
Copy the customer_WEB folder to \..\FortifiedID\web\
Rename customer_WEB to customer. The result should look like: \..\FortifiedID\web\customer
In this section we will look at parts of the configuration and add or replace data for your environment. This use case uses the globals concept: variables that make it easy to replace environment-specific data and, when a value is used in many places, to update it in one place.
First of all, open the file customer/config/config.json. Change the globals section according to the instructions below.
base_dir
base_dir is the top folder for data that you do not want to be overwritten by an upgrade. Update base_dir to match your installation.
For Windows the value should be: "base_dir": "../customer"
For Docker, the value should be: "base_dir": "."
oidc_op_address
Set the oidc_op_address value to your DNS name entry, including https://.
keystore - https and oidc
Either you use the test certificate provided by us, in which case you do not need to change anything, or, if you have your own keystore, update the values below to point to it.
Find in section: keystore
keystore - freja
Use your Freja keystore. Name the keystore freja.p12 and place it in the folder /config/resources_internal/certificates/Freja/. Change the password variables below to match your keystore and private key passwords.
Find in section: keystore
Save the config.json file.
Start the service and verify the start by looking through the server.log file.
Log in to the AWS Console
Search for Cognito
Select the service Cognito
Select User pools
(In this guide, we will create a new user pool. If you already have a user pool, modify that instead)
Click Create User pool
Step 1
Select Federated Identity Providers
Select User name
Select
Step 2
Select No MFA
Deselect Enable self-service account recovery
Step 3
In the Required Attributes section, select:
given_name
family_name
preferred_username
name
Step 4
Select Send email with Cognito
Step 5
Enter provider name = eID
Enter client ID = aws
Enter client_secret = <generate a random secret and enter it here; copy it for later use>
Enter Authorized scopes = openid
Select Attribute request method = POST
Enter issuer URL = https://<your_host_external_dns_name>/oidc/tenant1
In the Map attributes section, add these mappings:
email = email
family_name = family_name
given_name = given_name
name = name
preferred_username = preferred_username
Step 6
Enter a user pool name, for example MyPool
Enter a Cognito Domain, such as customerauthcognito
App client name = MyApp
URL = <Your app URL>. For testing, use https://blank.page
Step 7
Click Create user pool
Open the file customer/config/globals.aws.json. Change according to the instructions below.
Set client_id = the AWS Cognito client ID set in the previous step (AWS Cognito user pool)
Set client_secret = the AWS Cognito client secret set in the previous step (AWS Cognito user pool)
Set redirect_uri = change the host (domain) to the value set in the previous step (AWS Cognito user pool)
Example:
Save the file
Restart the Integrity service
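Before restarting, it is worth checking that what Cognito will see from the Integrity side (Step 5 above) and what Integrity expects from Cognito (globals.aws.json) agree. The script below is an added example and is not part of Integrity or of the USE_CASE_AWS_COGNITO_FREJA_MFA.zip configuration: it generates a client_secret of the kind Step 5 asks for, builds the redirect_uri that Cognito uses when it calls back to an external OpenID Connect provider (the documented form https://<domain prefix>.auth.<region>.amazoncognito.com/oauth2/idpresponse), and validates the provider's discovery document against the issuer URL you enter in Cognito. The hostname idp.example.test, the region eu-north-1 and the endpoint paths in the sample discovery document are constructed assumptions; the domain prefix customerauthcognito and the claim names are the ones used in this guide.

```python
"""Pre-flight checks for connecting AWS Cognito to an external OpenID Connect provider.

Added example; not part of the Fortified ID Integrity product or its configuration
files. The hostname, region and discovery document below are constructed.
"""
import json
import secrets
import urllib.request

# Endpoints Cognito needs to complete the authorization code flow and fetch attributes.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")
# The claims mapped in Step 5 of the guide.
MAPPED_CLAIMS = ("email", "family_name", "given_name", "name", "preferred_username")


def generate_client_secret(nbytes=32):
    """Random URL-safe client secret for the client_secret field in Step 5 and in
    globals.aws.json. 32 bytes of entropy gives a 43-character string."""
    return secrets.token_urlsafe(nbytes)


def cognito_idp_redirect_uri(domain_prefix, region):
    """Callback that Cognito registers with an external IdP. The hosted-UI domain is
    https://<prefix>.auth.<region>.amazoncognito.com; the IdP response path is fixed."""
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com/oauth2/idpresponse"


def discovery_url(issuer):
    """Cognito appends the well-known path to the configured issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer, timeout=10):
    """Download the provider's discovery document (needs network access to the OP)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def validate_discovery(issuer, doc):
    """Return a list of problems that would make the federation fail.
    An empty list means the document is consistent with the Cognito configuration."""
    problems = []
    # OIDC discovery requires the document's issuer to match the configured URL exactly;
    # a stray trailing slash is enough to break it.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: configured {issuer!r}, document {doc.get('issuer')!r}")
    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif not str(value).startswith("https://"):
            problems.append(f"{key} is not https: {value!r}")
    # Cognito drives the authorization code flow against the OP.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_types_supported does not include 'code'")
    # scopes_supported is optional in discovery; when advertised it must include openid.
    if "scopes_supported" in doc and "openid" not in doc["scopes_supported"]:
        problems.append("scopes_supported does not include 'openid'")
    # Likewise for claims_supported: report mapped claims the OP does not advertise.
    if "claims_supported" in doc:
        missing = [c for c in MAPPED_CLAIMS if c not in doc["claims_supported"]]
        if missing:
            problems.append("mapped claims not advertised by OP: " + ", ".join(missing))
    return problems


# Constructed discovery document standing in for what the OP would serve.
SAMPLE_ISSUER = "https://idp.example.test/oidc/tenant1"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "userinfo_endpoint": SAMPLE_ISSUER + "/userinfo",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "email", "family_name", "given_name", "name", "preferred_username"],
}


if __name__ == "__main__":
    print("redirect_uri for globals.aws.json:", cognito_idp_redirect_uri("customerauthcognito", "eu-north-1"))
    print("fresh client_secret:", generate_client_secret())
    print("discovery problems:", validate_discovery(SAMPLE_ISSUER, SAMPLE_DISCOVERY) or "none")
    # A trailing slash on the configured issuer is a common cause of an issuer mismatch.
    print(validate_discovery(SAMPLE_ISSUER + "/", SAMPLE_DISCOVERY))
```

Against a live Integrity instance, replace SAMPLE_DISCOVERY with fetch_discovery("https://<your_host_external_dns_name>/oidc/tenant1") and keep the issuer string identical to the one entered in Step 5; the userinfo_endpoint check matters because Cognito was configured to fetch attributes with a POST to that endpoint.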
Open the AWS Console -> Cognito
User pools -> Open the user pool created in the previous step -> App integration -> Scroll to the bottom and click on the app client
Scroll to Hosted UI
Click on View Hosted UI
Select the provider created in the previous step
Complete the Freja orgID authentication
You should now be redirected back to AWS Cognito.
Open the user pool from the console
Select Users
Verify that a new user was created.