Protect AWS Cognito with eID MFA

PreviousAWS NextProtect AWS IAM Identity Center with eID MFA

Last updated 8 months ago

Protect AWS Cognito with eID MFA

Scenario

In this scenario, AWS Cognito, which is the AWS platform for sign-in and management of B2C identities, using Integrity as OpenID Connect Provider. With this setup, it's possible to use eIDs such as BankID, SITHS, EFOS, Freja, Norwegian ID-porten, Foreign eID (eIDAS) or Suomi.fi to perform MFA authentication to AWS Cognito.

With this setup, it is also possible to use eIDs to fulfill sign-up and sign-in to B2C services in AWS.

In the use case described below, Freja orgID is used as the eID method.

Integrity will fetch all user attributes (claims) from the Freja orgID certificate used.

! This scenario could easily be copied and modified to fulfill:

Using other eID methods for MFA, such as SITHS, EFOS, BankID, Norwegian ID-porten, Foreign eID (eIDAS) or Suomi.fi

Prerequisite

There are some prerequisite for this use case. You will need the following:

Freja certificate. To be able to communicate with Freja backend.
AWS console administration rights.
Host (DNS) name of the Integrity service (external access)
Outgoing TCP/443 communication. To be able to communicate with Freja backend services.

Configuration

Download and extract configuration files

Open the folder where you have installed Web
1. Rename the customer folder to customer_OLD. Result should look like below: \..\FortifiedID\web\customer_OLD
1. Unzip the file
2. Copy the customer_WEB folder to \..\FortifiedID\web\
3. Rename customer_WEB to customer, result should look like: \..\FortifiedID\web\customer

Update configuration to map your environment

Globals

In this section we will look at parts of the configuration and add/replace data for your environment. In this use case we are using the globals concept which is using variables to easily replace data specific to an environment or if a value is used in many places just update it in one place.

First of all, open the file customer/config/config.json. Change the globals section according to the instructions below.

base_dir
1. base_dir is the top folder where data is located that you do not want to be overwritten by an upgrade. Update the base_dir folder to map your installation.
  1. For Windows the value should be: "base_dir": "../customer"
  2. For Docker, the value should be: "base_dir": ".",
```
"base_dir": "../customer"
```
oidc_op_address Set the oidc_op_address value to your DNS name entry, including https://.
```
"oidc_op_address": "https://be4f-194-68-171-97.ngrok-free.app"
```
keystore - https and oidc
Either you use the test certificate provided by us, if so you do not need to change anything. If you have a keystore then update the values below to point to your keystore.
1. Find in section: keystore
  "alias": "1", "key_password": "password", "password": "password", "path": "${globals.base_dir}/config/resources_internal/certificates/fortifiedid.p12"

keystore - freja

Please use your Freja keystore. Name the keystore freja.p12 and place it in the folder /config/resources_internal/certificates/Freja/. Change the password variables below to match your keystore and private key passwords. Find in section: keystore

          "freja": {
           	"alias": "1",
            	"key_password": "CHANGE_TO_MY_PASSWORD",
            	"password": "CHANGE_TO_MY_PASSWORD",
            	"path": "${globals.base_dir}/config/resources_internal/certificates/Freja/freja.p12"
            },

Save the config.json file.

Start the Integrity WEB service

Start the service and verify the start by looking through the server.log file.

Add Integrity to AWS Cognito user pool

Create User pool

Login to AWS Console
Search for Cognito
Select the service Cognito
Select User pools
(In this guide, we will create a new user pool. If you already have a user pool, modify that instead)
Click Create User pool
- Step 1
  - Select Federated Identity Providers
  - Select User name
  - Select
- Step 2
  - Select No MFA
  - Deselect Enable self-service account recovery
- Step 3
  - In the Required Attributes section, select:
    given_name
    family_name
    email
    preferred_username
    name
- Step 4
  - Select Send email with Cognito
- Step 5
  - Enter provider name = eID
  - Enter client ID = aws
  - Enter client_secret = <generate random password key and enter here. Copy for later usage>
  - Enter Authorized scopes = openid
  - Select Attribute request method = POST
  - Enter issuer URL = https://<your_host_external_dns_name>/oidc/tenant1
  - In the Map attributes section, add these mappings:
    email = email
    family_name = family_name
    given_name = given_name
    name = name
    preferred_username = preferred_username
- Step 6
  - Enter a user pool name, for example MyPool
  - Enter a Cognito Domain, such as customerauthcognito
  - App client name = MyApp
  - URL = <Your app URL>. For testing, use https://blank.page
- Step 7
  - Click Create user pool

Update Integrity with AWS Cognito ID values

Open the file customer/config/globals.aws.json. Change according to the instructions below.
1. Set client_id = AWS Cognito client ID set in previous step (AWS Cognito user pool) Set client_secret = AWS Cognito client secret set in previous step (AWS Cognito user pool) Set redirect_uri = Change the host (domain) to the value set in previous step (AWS Cognito user pool) Example:
```
  [
    {
        "client_id": "aws",
        "client_secret": "secret",
        "redirect_uri": [
            "https://customerauth.auth.us-east-1.amazoncognito.com/oauth2/idpresponse"
        ]
    }
]
```
Save the file
Restart the Integrity service

Test the configuration

Open the AWS Console -> Cognito
User pools->Open the user pool created in previous step -> App Integration->Scroll to the bottom and click on the client app
Scroll to Hosted UI
Click on View Hosted UI
Select the provider created in previous step
Fulfill Freja orgID authentication
You should now be redirected back to AWS Cognito.
Open the User pool from the console
Select users
Verify that a new user was created.

PreviousAWS NextProtect AWS IAM Identity Center with eID MFA

Last updated 8 months ago

Scenario

With this setup, it is also possible to use eIDs to fulfill sign-up and sign-in to B2C services in AWS.

In the use case described below, Freja orgID is used as the eID method.

Integrity will fetch all user attributes (claims) from the Freja orgID certificate used.

! This scenario could easily be copied and modified to fulfill:

Using other eID methods for MFA, such as SITHS, EFOS, BankID, Norwegian ID-porten, Foreign eID (eIDAS) or Suomi.fi

Prerequisite

There are some prerequisite for this use case. You will need the following:

Freja certificate. To be able to communicate with Freja backend.
AWS console administration rights.
Host (DNS) name of the Integrity service (external access)
Outgoing TCP/443 communication. To be able to communicate with Freja backend services.

Configuration

Download and extract configuration files

Open the folder where you have installed Web
1. Rename the customer folder to customer_OLD. Result should look like below: \..\FortifiedID\web\customer_OLD
Download the following ZIP-file, .
1. Unzip the file
2. Copy the customer_WEB folder to \..\FortifiedID\web\
3. Rename customer_WEB to customer, result should look like: \..\FortifiedID\web\customer

Update configuration to map your environment

Globals

First of all, open the file customer/config/config.json. Change the globals section according to the instructions below.

base_dir
1. base_dir is the top folder where data is located that you do not want to be overwritten by an upgrade. Update the base_dir folder to map your installation.
  1. For Windows the value should be: "base_dir": "../customer"
  2. For Docker, the value should be: "base_dir": ".",
```
"base_dir": "../customer"
```
oidc_op_address Set the oidc_op_address value to your DNS name entry, including https://.
```
"oidc_op_address": "https://be4f-194-68-171-97.ngrok-free.app"
```
keystore - https and oidc
Either you use the test certificate provided by us, if so you do not need to change anything. If you have a keystore then update the values below to point to your keystore.
1. Find in section: keystore
  "alias": "1", "key_password": "password", "password": "password", "path": "${globals.base_dir}/config/resources_internal/certificates/fortifiedid.p12"

keystore - freja

          "freja": {
           	"alias": "1",
            	"key_password": "CHANGE_TO_MY_PASSWORD",
            	"password": "CHANGE_TO_MY_PASSWORD",
            	"path": "${globals.base_dir}/config/resources_internal/certificates/Freja/freja.p12"
            },

Save the config.json file.

Start the Integrity WEB service

Start the service and verify the start by looking through the server.log file.

Add Integrity to AWS Cognito user pool

Create User pool

Login to AWS Console
Search for Cognito
Select the service Cognito
Select User pools
(In this guide, we will create a new user pool. If you already have a user pool, modify that instead)
Click Create User pool
- Step 1
  - Select Federated Identity Providers
  - Select User name
  - Select
- Step 2
  - Select No MFA
  - Deselect Enable self-service account recovery
- Step 3
  - In the Required Attributes section, select:
    given_name
    family_name
    email
    preferred_username
    name
- Step 4
  - Select Send email with Cognito
- Step 5
  - Enter provider name = eID
  - Enter client ID = aws
  - Enter client_secret = <generate random password key and enter here. Copy for later usage>
  - Enter Authorized scopes = openid
  - Select Attribute request method = POST
  - Enter issuer URL = https://<your_host_external_dns_name>/oidc/tenant1
  - In the Map attributes section, add these mappings:
    email = email
    family_name = family_name
    given_name = given_name
    name = name
    preferred_username = preferred_username
- Step 6
  - Enter a user pool name, for example MyPool
  - Enter a Cognito Domain, such as customerauthcognito
  - App client name = MyApp
  - URL = <Your app URL>. For testing, use https://blank.page
- Step 7
  - Click Create user pool

Update Integrity with AWS Cognito ID values

Open the file customer/config/globals.aws.json. Change according to the instructions below.
1. Set client_id = AWS Cognito client ID set in previous step (AWS Cognito user pool) Set client_secret = AWS Cognito client secret set in previous step (AWS Cognito user pool) Set redirect_uri = Change the host (domain) to the value set in previous step (AWS Cognito user pool) Example:
```
  [
    {
        "client_id": "aws",
        "client_secret": "secret",
        "redirect_uri": [
            "https://customerauth.auth.us-east-1.amazoncognito.com/oauth2/idpresponse"
        ]
    }
]
```
Save the file
Restart the Integrity service

Test the configuration

Open the AWS Console -> Cognito
User pools->Open the user pool created in previous step -> App Integration->Scroll to the bottom and click on the client app
Scroll to Hosted UI
Click on View Hosted UI
Select the provider created in previous step
Fulfill Freja orgID authentication
You should now be redirected back to AWS Cognito.
Open the User pool from the console
Select users
Verify that a new user was created.

Scenario

Prerequisite

Configuration

Download and extract configuration files

Update configuration to map your environment

Globals

Start the Integrity WEB service

Add Integrity to AWS Cognito user pool

Create User pool

Update Integrity with AWS Cognito ID values

Test the configuration

Login to AWS Cognito app with Freja orgID as the MFA method

Scenario

Prerequisite

Configuration

Download and extract configuration files

Update configuration to map your environment

Globals

Start the Integrity WEB service

Add Integrity to AWS Cognito user pool

Create User pool

Update Integrity with AWS Cognito ID values

Test the configuration

Login to AWS Cognito app with Freja orgID as the MFA method