SJCNet

SJCNet is the home of architect/developer/techie, Simon Coope.

Federating AWS Cognito to Azure AD

Abstract

Recently I've been working on an authentication and authorization solution for a client where they had a requirement to use Azure AD for both internal and external users while all of their application infrastructure is based in AWS. At a high-level this means that we needed to come up with a solution that would authenticate users and authorize access to AWS-based resources using roles configured in Azure AD.

Additionally, we needed to provide the external users with features to sign up for accounts and to manage their accounts (password resets, etc.).

So here's what we came up with...

Overview

Here's the high-level architecture diagram and following that is a brief overview of what each component provides in the solution:

CognitoToAWSOverview

AWS Cognito

In this solution, Cognito provides both authentication (authN) and authorization (authZ).

Authentication is provided by Azure AD via AWS Cognito User Pools. The user pool is federated to Azure AD Premium for our internal users (i.e. employees) and Azure AD B2C for our external users (i.e. external customers). In this configuration the Azure AD tenants are configured as the identity provider (IdP) in the Cognito User Pool.

In our solution the connection to Azure AD Premium is configured using SAML and the connection to Azure AD B2C uses OpenID Connect (an identity layer on top of OAuth2.0). It's worth noting here that Azure AD B2C does support SAML but at the time of writing it can only be enabled via custom policies.

Authorization is provided by configuring AWS Cognito Identity Pools to map application roles from Azure AD Premium to AWS IAM Roles. These roles can then be assumed by the user on a temporary basis to access the required AWS-based resources.

Please Note: At the time of writing Azure AD B2C doesn't provide application roles. Hence, we've had to work around this using the Azure Graph API to query the B2C users roles and workout which AWS-based resources they can access.

Azure AD Premium

Azure AD Premium is an Identity as a Service (IdaaS) solution provided by Microsoft. It is essentially a cloud-based directory and identity management service that includes features such as multi-tenancy, access management and identity protection.

As previously mentioned, in our solution Azure AD Premium is the identity provider for our internal users.

Azure AD B2C

Azure AD B2C is an identity management service that provides features that enable full identity management along with customisation of user sign-up, sign-in and profile management. It's ideally suited to allow businesses to manage the identities and access rights of their customers (hence the name).

In our solution, B2C is integrated using OpenID connect and again fulfils the role of identity provider.

AWS API Gateway

API Gateway is the AWS API Management service and in our solution is used to provide access to RESTful data services. To access these services the user must be authenticated and authorized.

API Gateway is configured to allow access to resources using an IAM Authorizer, which means we must supply AWS IAM credentials to access API Gateway resources/data.

Scenarios

To try and help readers to understand the process I'll run through a high-level scenario of what happens during the authentication and authorization processes.

To begin, the client makes a request (via HTTP) to the Cognito User Pool which forwards the authentication request to the relevant IdP (either Premium or B2C depending on the use case). The Idp returns it's response (via either SAML or OpenID Connect), which contains application roles the user is assigned in Azure AD. This response is then mapped to a JWT token in Cognito, which is then returned to the client.

When the client then attempts to access a protected resource (e.g. API Gateway resource) it must first pass it's JWT token to Cognito Identity Pools (via the AWS SDK). Cognito then maps the Azure AD Application role claim in the JWT token to a specific IAM role (via pre-configured rules) and returns the access key for that role. The client then assumes that IAM role on a temporary basis to access the resources (i.e. API Gateway resource).

Wrap Up

This has been a (very) brief overview of an implementation of AWS Cognito federating out to Azure AD Premium and B2C.

I'll drill into the specifics of how to configure AWS Cognito and Azure AD to enable the above solution. I'll also cover off some discussions and investigation into the correct OAuth2.0 grant/flow to use.

Author image
About Simon Coope
Sydney, Australia Website
Experienced developer/consultant. Loves all things development, technology, gadgets, football and running.