AWS Cognito allows your users to sign in directly to your website or app with a username or password. AWS Cognito has two main components called user pools and identity pools. User pools are directories which allow client app users to sign-up or sign-in by giving out user pool tokens. Identity pools enable client app users to access other AWS services by allowing exchange of user pool tokens between client app and other AWS services.
miniOrange supports the following use cases for AWS Cognito
miniOrange provides SSO plugins for AWS Cognito supporting different protocols, such as OAuth, SAML and JWT, for signing in to client applications including WP / Joomla / Drupal / Atlassian.
The miniOrange SAML plugin enables SSO into client applications using the Cognito user store as the identity source. The plugin reads identity details from the Cognito pool and provides SSO-based access to client applications.
miniOrange IdP enables users to SSO into AWS Cognito. The end user first authenticates through the miniOrange IdP by SSO using the miniOrange Console, and is then redirected to their AWS account.
The miniOrange Single Sign-On plugin can use AWS Cognito as the Identity Provider. The miniOrange SSO plugin forwards user authentication requests to AWS Cognito. After successful authorization using AWS Cognito credentials, the user is given access to the requested resource.
1. An unknown user tries to access the resources.
2. miniOrange sends an authorization request to AWS Cognito.
3. AWS Cognito asks the user to log in and authorize the application.
4. User is redirected to the login page where the user logs in.
5. The AWS Cognito Server authenticates the user and sends the authorization code to miniOrange SSO Connector.
6. The OAuth client sends its own client_id and client_secret along with the authorization code it received from the AWS Cognito server.
7. AWS Cognito Server authenticates the request and sends the Access token to miniOrange SSO Connector.
8. miniOrange SSO Connector uses the access token to access resources on the resource server.
9. The AWS Cognito application returns user information such as first name, last name, email and other attributes of the user to whom the access token was issued.
10. miniOrange SSO Connector logs in the user with received attributes.
11. The user is now authenticated and logged in, and the application grants access to the resources.
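The code exchange of step 6 and the checks a connector must make on the ID token it gets back in step 7, as an added example that is not miniOrange's connector code. The region, pool id, Cognito domain, client credentials and redirect URI are constructed placeholders, and the sample token is unsigned so the block runs offline; a real connector verifies the RS256 signature against the pool's JWKS before running the claim checks shown here.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed placeholder values; replace with your own pool, domain and app client.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
COGNITO_DOMAIN = "https://example-domain.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://sso.example.com/oauth/callback"


def build_token_request(code):
    """Step 6: the request the connector sends to Cognito's /oauth2/token endpoint.
    Cognito takes the client secret as HTTP Basic auth rather than in the body."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return {
        "url": f"{COGNITO_DOMAIN}/oauth2/token",
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "authorization_code", "client_id": CLIENT_ID,
                           "code": code, "redirect_uri": REDIRECT_URI}),
    }

def _b64url(data):
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

def make_sample_token(claims):
    """Constructed, unsigned demo token so the checks below can run offline."""
    return f"{_b64url({'alg': 'RS256', 'kid': 'demo'})}.{_b64url(claims)}.demo-signature"

def check_id_token_claims(id_token, now=None):
    """Claim checks on the ID token from step 7, run after its signature has been verified
    against https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json
    (not shown: needs the network). Rejects other pools, other app clients, wrong type, expiry."""
    now = time.time() if now is None else now
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("iss") != f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}":
        raise ValueError("issuer is not our user pool")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued to a different app client")
    if claims.get("token_use") != "id":
        raise ValueError("not an ID token (access tokens carry token_use=access)")
    if claims.get("exp", 0) <= now:
        raise ValueError("token has expired")
    return claims
```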
With the miniOrange Identity Broker service you can delegate all your single sign-on requirements, user management, two-factor authentication and even risk-based access at the click of a button and focus on your business case. We can integrate with any type of app, even one that does not understand a standard protocol like SAML, OpenID Connect or OAuth. The miniOrange Single Sign-On Service can establish trust between two apps via a secure HTTPS endpoint and automated user mapping to achieve SSO.
Using miniOrange cross-protocol support, you can configure any user store, such as AWS Cognito, to single sign-on into applications that support no protocol at all, or that support protocols other than OAuth, such as SAML, WS-Fed or JWT.
For example, you can configure the miniOrange broker service to use an AWS User Pool and single sign-on into an external application, such as a mobile application built on the Cordova platform. The mobile application is then authenticated through the AWS User Pool using JWT tokens.
1. An unknown user tries to access any external application.
2. The Application sends an authentication request to miniOrange broker service, using any protocol that the application supports.
3. The miniOrange broker service forwards the authentication request to AWS Cognito.
4. User is redirected to AWS Cognito login page, where the user enters their credentials to authorize the application.
5. The AWS Cognito Server authenticates the user and sends the response to miniOrange broker service.
6. miniOrange broker service sends an authentication response to the Application. This response contains the user’s information as well as the authentication status, based on which the user is given access to the resource.
7. Upon successful authentication, the user is given access to the resource.
AWS Cognito can be configured to use any SAML Identity Provider, such as the miniOrange SAML Identity Provider, for user authentication. When a user requests access to a resource, Cognito sends a SAML authentication request to the miniOrange IdP and the user has to log in with their miniOrange account. On successful authentication, the user is given access to the resource.
1. An unknown user tries to access AWS Cognito Application.
2. AWS Cognito creates a SAML authentication request and sends it to the configured Identity Provider. The user is prompted to log in with their Identity Provider account.
3. The SAML Identity Provider sends back a SAML Response to the AWS Cognito application. This response contains the user’s information as well as the authentication status, based on which the user is given access to the resource.
4. Upon successful authentication, the user is given access to the site.