How to use Amazon Cognito with my own identity provider? - amazon-cognito

I would like to use Amazon Cognito with my own identity provider like this:
How can I do that? (I'm working on an Amplify project).
I found this documentation, but it's not helpful:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html
https://docs.amplify.aws/lib/auth/getting-started/q/platform/js/
Regards

I believe what you are trying to do is identity federation via a Cognito user pool.
In order to do that, your identity provider should support OpenID Connect (OIDC) or SAML. Then you can configure your IdP in Cognito either using OIDC or using SAML.
Then in your application you can use Auth.federatedSignIn() along with the provider that you have configured.
Something similar is discussed in this blog post as well.

Related

How to migrate federation identity from Auth0 to Azure AD B2C?

Federated identities are like signing up with Google or signing up with Facebook. I want to migrate from Auth0 to Azure, but the problem is I can't find any proper documentation that explains what happens to those users who signed up using their Google or Facebook account.
There is good documentation for username and password users, but there is nothing specific for federated identity users.
Does anyone know how to migrate them?
I have the same question for Amazon Cognito and other alternative services.
This is not always straightforward, because some IdPs issue a different UUID per Application Registration. If you can reuse the exact same Application Registration at Facebook, for example, with AAD B2C, then this can be fairly easy.
There is an example here:
https://github.com/azure-ad-b2c/samples/tree/master/policies/link-local-account-with-federated-account
All you need to do is pre-create the Local accounts in AAD B2C and provide the expected UUID from the federated IdP's token to the Local account user object in AAD B2C. AAD B2C can then link the account when the user comes in with that Facebook account.

AWS Cognito use custom auth flow with external identity provider

Is it possible to use AWS Cognito with a custom authentication flow enabled while also using an external identity provider like Facebook or Google? I've tried this with Facebook and the Cognito Hosted UI, but my DefineAuthChallenge trigger was not hit.
I contacted AWS Support and they pointed me to the Cognito documentation here where a note says that
The Amazon Cognito hosted sign-in web page does not support the custom authentication flow.
As an alternative, this solution was proposed:
Alternatively, if you would like to use custom authentication flow with an external identity provider, you will have to write your own custom login flow using one of Cognito's SDKs and use Facebook as a way of login.
My idea is that you can probably do this by defining a custom challenge that asks which identity provider you want to use as the first, initial challenge. If Cognito is chosen, the user needs to provide their SRP stuff or username and password, if that is enabled. If Facebook is chosen, for example, you would probably need to send an auth challenge to the client saying that you want a token or code from them, which can only be obtained if the client shows the website with the Facebook login. The challenge response to the server would then be the obtained auth token or code from Facebook, or some other answer that the server can then use to authenticate the user within Cognito, where the Facebook app is connected and registered as an external identity provider.
This is my idea of how I would go about to do this, but I haven't actually implemented this. I hope this helps someone trying to do this though.
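Added sketch of the idea described in the answer above, written as the three Cognito custom-auth Lambda trigger handlers. It is not the answerer's code (they say they have not implemented it) and not an AWS sample; the event shapes follow the documented DefineAuthChallenge, CreateAuthChallenge and VerifyAuthChallengeResponse trigger contracts. Two simplifications are assumed: choosing the IdP and presenting its token are folded into one CUSTOM_CHALLENGE round (the triggers keep no state between rounds beyond the session list), and only the Facebook branch is shown. The Facebook token check is injected as a function so the code runs offline; a deployment would call Facebook's debug_token endpoint with the app access token. The user-pool attribute custom:facebook_id, the app id and the token table are all hypothetical. The check a practitioner needs here is the binding of the presented token to the app and to the Cognito user: a token that is merely valid at Facebook must not sign in whatever username the client put in InitiateAuth.

```javascript
// Added sketch (not the answer's or AWS's code) of a custom auth flow that
// accepts an external IdP token as the challenge answer.
const CHALLENGE = 'EXTERNAL_IDP_TOKEN';   // used as challengeMetadata in the session
const PROVIDERS = ['Facebook'];           // assumed: only Facebook is wired up here
const MAX_ATTEMPTS = 3;
const FB_APP_ID = 'example-fb-app-id';    // hypothetical Facebook app id

// DefineAuthChallenge trigger: decide the next step from event.request.session.
function defineAuthChallenge(event) {
  const session = event.request.session || [];
  const last = session[session.length - 1];
  const res = event.response;
  if (last && last.challengeMetadata === CHALLENGE && last.challengeResult === true) {
    res.issueTokens = true;            // proof accepted: mint Cognito tokens
    res.failAuthentication = false;
  } else if (session.length >= MAX_ATTEMPTS) {
    res.issueTokens = false;           // too many wrong answers
    res.failAuthentication = true;
  } else {
    res.issueTokens = false;           // (re)issue the custom challenge
    res.failAuthentication = false;
    res.challengeName = 'CUSTOM_CHALLENGE';
  }
  return event;
}

// CreateAuthChallenge trigger: tell the client which providers it may answer with.
function createAuthChallenge(event) {
  event.response.publicChallengeParameters = {
    providers: PROVIDERS.join(','),
    instructions: 'Answer with JSON {"provider": "<name>", "token": "<IdP access token>"}',
  };
  event.response.privateChallengeParameters = {};   // nothing secret is needed server-side
  event.response.challengeMetadata = CHALLENGE;
  return event;
}

// VerifyAuthChallengeResponse trigger. debugToken(token) must return an object
// shaped like the 'data' field of Facebook's debug_token response:
// { is_valid, app_id, user_id }. The token is accepted only if it is valid,
// was issued for OUR app, and belongs to the Facebook user linked to this
// Cognito user (assumed attribute custom:facebook_id).
function verifyAuthChallengeResponse(event, debugToken) {
  let answer = null;
  try { answer = JSON.parse(event.request.challengeAnswer); } catch (e) { answer = null; }
  let ok = false;
  if (answer && answer.provider === 'Facebook' && typeof answer.token === 'string') {
    const info = debugToken(answer.token);
    const linkedId = (event.request.userAttributes || {})['custom:facebook_id'];
    ok = Boolean(info && info.is_valid && info.app_id === FB_APP_ID && linkedId && info.user_id === linkedId);
  }
  event.response.answerCorrect = ok;
  return event;
}

// Drives the three triggers the way Cognito would for a sequence of client
// answers. Returns 'TOKENS_ISSUED', 'FAILED', or 'CLIENT_ABANDONED'.
function runCustomAuthFlow(userAttributes, answers, debugToken) {
  const session = [];
  for (;;) {
    const def = defineAuthChallenge({ request: { userAttributes, session }, response: {} });
    if (def.response.issueTokens) return 'TOKENS_ISSUED';
    if (def.response.failAuthentication) return 'FAILED';
    const cre = createAuthChallenge({ request: { userAttributes, session }, response: {} });
    if (answers.length === 0) return 'CLIENT_ABANDONED';
    const ver = verifyAuthChallengeResponse({
      request: { userAttributes, challengeAnswer: answers.shift(), privateChallengeParameters: cre.response.privateChallengeParameters },
      response: {},
    }, debugToken);
    session.push({ challengeName: 'CUSTOM_CHALLENGE', challengeResult: ver.response.answerCorrect, challengeMetadata: cre.response.challengeMetadata });
  }
}

// Constructed stand-in for Facebook's debug_token endpoint.
const FAKE_FB_TOKENS = {
  'tok-alice-good': { is_valid: true, app_id: FB_APP_ID, user_id: '1001' },
  'tok-other-app':  { is_valid: true, app_id: 'someone-elses-app', user_id: '1001' },
  'tok-bob':        { is_valid: true, app_id: FB_APP_ID, user_id: '2002' },
};
const stubDebugToken = (t) => FAKE_FB_TOKENS[t] || { is_valid: false };

const alice = { 'custom:facebook_id': '1001' };
console.log(runCustomAuthFlow(alice, [JSON.stringify({ provider: 'Facebook', token: 'tok-alice-good' })], stubDebugToken));
```

The client side of this flow is InitiateAuth with AuthFlow CUSTOM_AUTH (the username of the pool user), then RespondToAuthChallenge with the JSON answer after the Facebook login dialog has returned a token; the Hosted UI cannot drive it, as the note quoted above says.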

Is it possible to authenticate against a Keycloak's Identity Provider (OpenAM) without using the Login screen?

Please note I am new to the applications I am mentioning so I might use the terminology incorrectly. I've added a few diagrams to explain myself as best I could.
I am trying to set up a web service authentication policy in APIMAN (which uses Keycloak internally).
So far I know the Identity Provider (OpenAM) I created in Keycloak is configured correctly, since it is working on the Login page (see image 1 below).
I have also successfully used an access_token via Keycloak's OpenID API to access a web service, but only if the user credentials are in Keycloak (as opposed to OpenAM) (see image 2).
What I'd like to achieve is to authenticate this web service client via Keycloak but using the Identity Provider's credentials, but I do not know how to do this or if it is even possible. (see image 3)
Please note I also tried User Federation with the LDAP behind OpenAM and it worked correctly, but I would like to know if there is a way to do it via OpenAM.
The way you used Keycloak and OpenAM is quite unusual; however, if I understand your question correctly, you want Keycloak to redirect the web service request to OpenAM, not LDAP.
You can either:
configure OpenAM as an identity provider using SAML:
OpenAM would be your source of identity, and Keycloak would be its client. You can do this by configuring Keycloak: Identity Providers -> SAML IdP, and here you will place the OpenAM metadata.
configure OpenAM as an OIDC provider:
In Keycloak you go to Identity Providers -> Create -> OIDC v1 provider, and you will place your OpenAM info.
As I said, it can be done, but it's not the way it's supposed to be. OpenAM and Keycloak are both access management software; they both do exactly the same thing. In your configuration Keycloak plays the role of an API gateway, which is not exactly what Keycloak should be doing. You can get rid of either one of the solutions; both can provide you the same functionalities (OIDC, OAuth2, SAML, LDAP, ...).

How to create authentication API in WSO2 IS

I'm trying to deploy a SOAP-based authentication API in WSO2 Identity Server.
I want to deploy an Identity Provider based on a JDBC (MySQL) User Store and expose it in a Service Provider to authenticate (user, password) and register users.
The User Store is already configured with MySQL. But I can't find clear documentation, a tutorial or an example for doing this.
Can anyone help me?
Thanks.
I'll answer my own question:
http://soasecurity.org/2013/12/10/user-role-management-with-wso2-identity-server-apis/
Identity Server has an API for managing users and roles, with operations such as authenticate, addUser, etc.

Using ACS as a service with custom identity provider

We are working on an iOS application, and we use a back-end in Azure. We have two types of login: one is Facebook login (using FB as the identity provider) and the other is logging in directly to our system.
We decided to use ACS, but we had a bunch of technical problems. My question is: is it possible to create a custom identity provider, which would be a service (for example WCF or Web API), to generate a token that we pass to ACS to get the claims token? Does ACS support that kind of service interface? If so, what is the practice for generating tokens in our custom identity provider?
Thanks in advance,
Deuce
ACS can support any identity provider that speaks a protocol it understands. Depending on the backend behind your identity provider, you can use something like ADFS or write your own identity provider using WIF. ACS doesn't support mixing and matching web-based identity providers with WCF-based ones, which means that you'll need to expose a website that ACS can redirect a browser to using the WS-Federation protocol. The only external contract you have is that ACS will redirect users to you and you need to log them in (what that means for your IdP is up to you) and issue a token back to ACS.
There are literally whole books on how to write your own STS using WIF, to get started there are a number of resources that can help, including the WIF SDK (which provides a template for the STS), this whitepaper (see the section "Using Windows Identity Foundation to Build a Security Token Service"), or this blog post.