How do I structure AWS Cognito for multiple businesses? - amazon-cognito

I'm working on setting up a product that can be used by multiple companies. These companies would authenticate via a Federated Identity (Google and Microsoft). Once logged in, they will be presented with a dashboard that has data tied to their account.
My current thinking is:
User enters their company email
An API is triggered that will lookup the identity provider given the company email's domain (EX: "#someCompany.com")
API will respond with a redirect URL to SSO.
Should I be making a User Pool for every company that registers with my product? Or should I be creating Groups within a single User Pool for each company?
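The domain-to-provider lookup described in the question, written out as an added example (not code from the question or from AWS). It assumes a single User Pool with one federated identity provider configured per customer, a hosted-UI domain, and a table mapping verified e-mail domains to provider names; every name, domain and id below is a constructed placeholder. The lookup is an exact match on the normalised domain, so a lookalike such as "somecompany.com.evil.test" is never routed to a customer's IdP, and the `state` value passed in is the one the caller stores in the session to check on the callback.

```python
"""Home-realm discovery for a multi-tenant Cognito setup (added example).

Assumptions: one User Pool, one identity provider per customer, a hosted-UI
domain, and a mapping from e-mail domains a customer has proven they control
to the provider name registered in the pool. All values are placeholders.
"""
from typing import Optional
from urllib.parse import urlencode

# Constructed mapping: e-mail domain -> identity provider name in the pool.
DOMAIN_TO_PROVIDER = {
    "somecompany.com": "SomeCompanyGoogle",
    "otherco.example": "OtherCoAzureAD",
}

COGNITO_DOMAIN = "https://example-tenant.auth.us-east-1.amazoncognito.com"  # placeholder
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"                                          # placeholder
REDIRECT_URI = "https://app.example/callback"  # must match a callback URL registered on the app client


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain of a single user@domain address, else None."""
    if email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain or any(c in domain for c in "/?#\\ "):
        return None
    return domain


def lookup_provider(email: str) -> Optional[str]:
    """Exact-match lookup only: no suffix or substring matching on the domain."""
    domain = email_domain(email)
    if domain is None:
        return None
    return DOMAIN_TO_PROVIDER.get(domain)


def sso_redirect_url(email: str, state: str) -> Optional[str]:
    """Build the hosted-UI /oauth2/authorize URL that sends the browser to the tenant's IdP.

    `identity_provider` is the hosted-UI parameter that skips the provider
    picker; `state` is a caller-generated random value kept in the session.
    """
    provider = lookup_provider(email)
    if provider is None:
        return None  # caller answers with a generic message, not a provider name
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",
        "identity_provider": provider,
        "state": state,
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"
```

Returning None for an unknown domain (rather than an error naming the provider) keeps the endpoint from confirming which companies are customers.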

Related

As G Suite Admin, can I monitor in any way which Google API's (Gmail, etc) have been accessed for a list of user accounts

According to the docs, Google Apps domain administrators can grant service accounts domain-wide authority to access user data on behalf of users in the domain. My understanding is this gives the service account authority to access data for all users inside the domain.
Is there a way for the G Suite Admin to monitor or check which user accounts (and consequently which Google APIs [Gmail API, Calendar API, Contacts API]):
a. have been accessed or not?
b. By whom have they been accessed?
c. When were they accessed?
d. How long were they accessed?
I ask this because I have extensively searched for this information and found nothing. As a G Suite Admin, in the Reports section, the reports such as App Activity, Admin Audit Log, Account Activity, User Accounts Audit Log, etc. have not provided me answers to the above 4 questions. Also, under APIs and Services -> Dashboard, I can't view which APIs were accessed, by whom, when they were accessed, etc. The Dashboard shows nothing? What is the dashboard supposed to show?
My requirement is to view and monitor details regarding access to user accounts.
Consider the following scenario:
There are 100 user accounts for a company (say, xyz.com) created under a service account and the G Suite Admin of xyz.com has provided API access (Gmail API, Calendar API and Contacts API through a JSON file) to a private website (for example, pqr.com). Even though pqr.com has domain authority access to all 100 users of xyz.com, pqr.com has only accessed 40 out of the 100 users of xyz.com.
Question: Is there a way where the G Suite Admin of xyz.com may know the following:
a. Which 40 user accounts (out of the 100 accounts of xyz.com) were accessed?
b. When were these 40 accounts accessed? (Day and Time, etc)
c. How long were they accessed for?
d. Also, consider if pqr.com agreed to access only 40 accounts of xyz.com but actually accessed, say, 80 accounts; then the G Suite Admin of xyz.com should be able to track that. Is this possible?
Is there any alternative way to solve this problem?
Note: I have already searched for the solution where I wanted to know if API access (for e.g. Gmail, Contacts and Calendar API) could be provided through a JSON file by a G Suite Admin only for a list of users (not all users) for a service account (created within a project), and research and responses on StackOverflow told me it's not possible, so I wanted to know if a monitoring mechanism is possible for domain-wide access?
You have that information in the Reports API.
You have the scopes requested but it will not tell you exactly which API endpoints have been used. Also note that the tokens are valid for 1 hour so you can assume they were used at least for 1 hour after an "authorize" event.
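As an added example of what the answer describes (not code from the answer or from Google), the block below summarises per user which "authorize" events a given client id produced, which scopes were granted, and how far the one-hour token lifetime extends the last observed access, then lists the accounts that fall outside an agreed set. The events are constructed; their field names follow the shape of Reports API token activities as I recall it (actor.email, id.time, events[].name, parameters client_id/app_name/scope), so check them against a real export before relying on the parser. The client id, app name and addresses are placeholders.

```python
"""Summarise Reports API token 'authorize' events per user (added example).

The events are constructed; field names are assumed to match the token
application log and must be verified against a real export.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set

TOKEN_LIFETIME = timedelta(hours=1)  # the answer's assumption: a token stays valid for 1 hour

# Constructed sample: three users authorised by client CLIENT_PQR, one by another client.
SAMPLE_EVENTS = [
    {"id": {"time": "2020-03-01T09:00:00.000Z", "applicationName": "token"},
     "actor": {"email": "alice@xyz.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "CLIENT_PQR"},
         {"name": "app_name", "value": "pqr-sync"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/gmail.readonly"]}]}]},
    {"id": {"time": "2020-03-01T14:00:00.000Z", "applicationName": "token"},
     "actor": {"email": "alice@xyz.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "CLIENT_PQR"},
         {"name": "app_name", "value": "pqr-sync"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar.readonly"]}]}]},
    {"id": {"time": "2020-03-01T10:30:00.000Z", "applicationName": "token"},
     "actor": {"email": "bob@xyz.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "CLIENT_PQR"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/gmail.readonly"]}]}]},
    {"id": {"time": "2020-03-01T11:00:00.000Z", "applicationName": "token"},
     "actor": {"email": "carol@xyz.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "CLIENT_PQR"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/contacts.readonly"]}]}]},
    {"id": {"time": "2020-03-01T11:05:00.000Z", "applicationName": "token"},
     "actor": {"email": "dave@xyz.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "CLIENT_OTHER"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive.readonly"]}]}]},
]


def parse_time(value: str) -> datetime:
    """Reports API timestamps are RFC 3339 with milliseconds and a Z suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def summarize_authorizations(events: Iterable[dict], client_id: str) -> Dict[str, dict]:
    """Per actor e-mail: first authorize, last token expiry, scopes seen, event count."""
    summary: Dict[str, dict] = {}
    for ev in events:
        if ev.get("id", {}).get("applicationName") != "token":
            continue
        email = ev.get("actor", {}).get("email")
        when = parse_time(ev["id"]["time"])
        for sub in ev.get("events", []):
            if sub.get("name") != "authorize":
                continue
            params = {p["name"]: p.get("value", p.get("multiValue"))
                      for p in sub.get("parameters", [])}
            if params.get("client_id") != client_id:
                continue
            rec = summary.setdefault(email, {
                "first": when, "last_token_expiry": when + TOKEN_LIFETIME,
                "scopes": set(), "authorizations": 0})
            rec["first"] = min(rec["first"], when)
            rec["last_token_expiry"] = max(rec["last_token_expiry"], when + TOKEN_LIFETIME)
            rec["scopes"].update(params.get("scope") or [])
            rec["authorizations"] += 1
    return summary


def accounts_outside_agreement(summary: Dict[str, dict], agreed: Set[str]) -> List[str]:
    """Accounts the client authorised against that were not on the agreed list."""
    return sorted(email for email in summary if email not in agreed)
```

The scope list answers "which API families" but, as the answer says, not which endpoints; the expiry column is an upper bound on the access window, not an observation.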

How to use same account for multiple companies (Just like a same account can be used for multiple workspaces on Slack)

I am working on a web application which is based on Google App Engine (GAE). The requirement of the application is that one user can be associated with multiple company accounts.
My application has two main types of accounts. One is the main Admin/Company account. The other is the employee account (i.e. the persons who work under a company). Now, what I want to do is to allow an employee to work under more than one company, but he does not have to make a separate account for each company. His single account can be associated with multiple companies.
I have explored different platforms which are already supporting this feature. The major ones which I found are Slack and Asana. And my problem can be perfectly mapped to what Slack is doing right now i.e. I create a single account on Slack and I can join multiple workspaces on Slack using this single account.
I want to achieve the same in my application too. I am curious how Slack is supporting this feature right now. Does it send some ID with every request to the server which indicates that the activity which has just been done is associated with the workspace under this ID? Or is there some unique sort of token associated with every workspace (on the Slack API level)?
I do have such a model in my app. A unique auth_token is associated with every company account. So, I am thinking that when an employee wants to do an activity for a specific company he will send this unique token with the request to the server so that server knows for which company the activity was performed.
Does anybody know what is the best way of achieving this?
There are two different concepts at work here:
Relation between account and company / workspace
The data structure for the Slack account is designed such that it can be linked to multiple Slack workspaces, e.g. in SQL you would have a many-to-many relation between the accounts and the workspaces table.
Staying logged in
The way Slack and other Single-Sign-On providers like Google SSO keep you logged in is by setting a browser cookie. That cookie would usually be some kind of crypto hash and the SSO provider will use it to identify which account the current user belongs to, or to request a login via OAuth if the cookie is missing / invalid.
This can also be achieved partly with server sessions (which also use cookies). Using server sessions is easier to implement than implementing your own (secure) cookie solution; however, the user will only stay logged in as long as the browser stays open. But that should be sufficient for most solutions.
Note that tokens for the Slack API work very differently. e.g. they have to be generated per workspace, user and app.
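The many-to-many relation from the answer, as an added example (not the answer's code and not Slack's schema), in SQLite. It assumes the session layer has already authenticated the caller and yields an account id; the workspace id arrives with each request and is checked against the membership table on every call, so a per-company token held by the client is never the thing that decides access. Table names, accounts and workspaces are constructed.

```python
"""Account <-> workspace membership with a per-request check (added example)."""
import sqlite3
from typing import List

SCHEMA = """
CREATE TABLE accounts   (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL);
CREATE TABLE workspaces (id INTEGER PRIMARY KEY, name  TEXT UNIQUE NOT NULL);
CREATE TABLE memberships (
    account_id   INTEGER NOT NULL REFERENCES accounts(id),
    workspace_id INTEGER NOT NULL REFERENCES workspaces(id),
    role         TEXT NOT NULL CHECK (role IN ('admin', 'employee')),
    PRIMARY KEY (account_id, workspace_id)        -- the many-to-many link
);
CREATE TABLE notes (
    id INTEGER PRIMARY KEY,
    workspace_id INTEGER NOT NULL REFERENCES workspaces(id),
    body TEXT NOT NULL
);
"""


class NotAMember(PermissionError):
    """Raised when the authenticated account is not linked to the requested workspace."""


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data: ann is in two companies, ben in one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts(id, email) VALUES (?, ?)",
                     [(1, "ann@example"), (2, "ben@example")])
    conn.executemany("INSERT INTO workspaces(id, name) VALUES (?, ?)",
                     [(10, "acme"), (20, "globex")])
    conn.executemany("INSERT INTO memberships VALUES (?, ?, ?)",
                     [(1, 10, "admin"), (1, 20, "employee"), (2, 20, "admin")])
    conn.commit()
    return conn


def workspaces_for(conn: sqlite3.Connection, account_id: int) -> List[str]:
    """The workspace switcher: everything this one account is linked to."""
    rows = conn.execute(
        "SELECT w.name FROM workspaces w JOIN memberships m ON m.workspace_id = w.id "
        "WHERE m.account_id = ? ORDER BY w.name", (account_id,)).fetchall()
    return [r[0] for r in rows]


def require_membership(conn: sqlite3.Connection, account_id: int, workspace_id: int) -> str:
    """Return the caller's role in the workspace or raise; called on every workspace-scoped request."""
    row = conn.execute("SELECT role FROM memberships WHERE account_id = ? AND workspace_id = ?",
                       (account_id, workspace_id)).fetchone()
    if row is None:
        raise NotAMember(f"account {account_id} is not a member of workspace {workspace_id}")
    return row[0]


def can_access(conn: sqlite3.Connection, account_id: int, workspace_id: int) -> bool:
    try:
        require_membership(conn, account_id, workspace_id)
        return True
    except NotAMember:
        return False


def add_note(conn: sqlite3.Connection, account_id: int, workspace_id: int, body: str) -> int:
    """A workspace-scoped write: authorise first, then act."""
    require_membership(conn, account_id, workspace_id)
    cur = conn.execute("INSERT INTO notes(workspace_id, body) VALUES (?, ?)", (workspace_id, body))
    conn.commit()
    return cur.lastrowid


def list_notes(conn: sqlite3.Connection, account_id: int, workspace_id: int) -> List[str]:
    """A workspace-scoped read, filtered by the workspace the caller was authorised for."""
    require_membership(conn, account_id, workspace_id)
    rows = conn.execute("SELECT body FROM notes WHERE workspace_id = ? ORDER BY id",
                        (workspace_id,)).fetchall()
    return [r[0] for r in rows]
```

The request carries the workspace id as a plain identifier; what makes it safe is that the server looks the (account, workspace) pair up on each call, so a guessed or leaked id for a company the account does not belong to yields nothing.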

Another account access my Analytics API

I want to build a dashboard for my clients to access their respective website analytics. But, after some research, I'm stuck.
Let's imagine the scenario:
My Analytics Account:
Client X - websitex.com
Client Y - websitey.com
In my dashboard, when client Y logs in, the data (pageviews) of websitey.com is shown in graphs.
But is there a way to do that? At the moment, the only thing I can get is information for my logged-in account (my analytics ID), not the information about another account.
Is there a way to use the Google API, or will I need a "separate database" to save data for each website?
Sorry, I'm really lost at the moment.
You can only view Google Analytics Accounts that you are authorized to view. For some reason this is a source of major confusion (seeing that you are not the first to ask), although it should be fairly self-evident.
If you want to see data from your client's account you have to ask your client to add your Google email to the GA account. If an email address is added to multiple accounts you can, via the API, choose between the accounts. Clientside authorization (OAuth2) will only work as long as somebody is logged in via a client application (usually a browser). The practical effect is that everybody who is authenticated via OAuth against Google will see only his own GA accounts, not other people's data.
If you want a serverside application to pull data from various GA accounts you need a service account. But even the service account needs to be added to the GA accounts.
You can use the core reporting API, but the API will not give you access to accounts that you are not authorized to look at; your client needs to authorize you (or your application's service account).

how to generate google oauth for a site with multiple games

I am creating an arcade website with multiple games. Should I generate a single OAuth client id for the entire domain or should I generate a unique OAuth id for each individual game?
The more interesting question is: What user experience would you like to give users?
If you want to build your brand across each of the games, you'll configure a single project (ZBestArcadeGames.com, for instance) in Cloud console. Users will be prompted to authorize your entire site. Whether you create one client or multiple clients in this case is not super-important, since you can configure multiple redirect_uris for a single client. Users will consent once to sign-in to your site and they can authenticate to every game w/o additional consent prompts. Similarly, if they revoke access to your site, they will no longer be able to authenticate to any game in the site. This may be the typical choice if your company develops all games it hosts.
If, on the other hand, you want to highlight the individuality of each game and allow users to consent / de-authorize authenticating to them individually you need to create separate projects each with its own brand (and in this case you will need to configure at least one client in each project). This may be the typical choice if each of the games is developed by a company and there's no implied trust between the games you host and your company, and you'd not like to sign terms-of-service on behalf of these other companies--you might even want to ask the developers of each original game to register separately (using the redirect_uri for your site).

How would Google Multiple Accounts Sign-in be implemented?

Google published that they are testing a feature that allows you to sign in simultaneously to multiple Google accounts in the same browser.
Any idea how that would be implemented?
I don’t have any inside info on how multiple accounts are actually supported, but here’s what I presume:
Your cookie holds a security token, just like in the old days.
The security token now maps to a set of signed-in accounts on the server.
I’d guess there’s a notion of an active account among this set.
When you go to a Google service that implements multiple-account support, the service pulls down your active account and drops you into that account by default.
Then, you get presented with some UI that lets you toggle between your other signed-in accounts or lets you sign into a new account.
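The structure the answer guesses at, as an added example (not the answer's code, and not Google's implementation): one opaque cookie token maps on the server to an ordered set of signed-in accounts plus an active one, with operations to add an account, switch, and sign one out. Account ids are constructed; `sign_in` assumes the caller has already authenticated that account by whatever means and only records the result.

```python
"""One session token, several signed-in accounts, one active (added example)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MultiAccountSession:
    accounts: List[str] = field(default_factory=list)  # signed-in account ids, in sign-in order
    active: Optional[str] = None                       # the account a service lands you in by default


class SessionStore:
    """Server-side store keyed by the opaque value held in the browser cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, MultiAccountSession] = {}

    def new_session(self) -> str:
        token = secrets.token_urlsafe(32)  # random and opaque: nothing about the accounts is derived from it
        self._sessions[token] = MultiAccountSession()
        return token

    def _get(self, token: str) -> MultiAccountSession:
        session = self._sessions.get(token)
        if session is None:
            raise KeyError("unknown or expired session")
        return session

    def sign_in(self, token: str, account_id: str) -> str:
        """Record an account the caller has just authenticated and make it active."""
        session = self._get(token)
        if account_id not in session.accounts:
            session.accounts.append(account_id)
        session.active = account_id
        return session.active

    def switch(self, token: str, account_id: str) -> str:
        """Toggle to another account, but only one already signed in to this session."""
        session = self._get(token)
        if account_id not in session.accounts:
            raise PermissionError("account is not signed in to this session")
        session.active = account_id
        return session.active

    def sign_out(self, token: str, account_id: str) -> Optional[str]:
        """Drop one account; fall back to the most recent remaining one, or end the session."""
        session = self._get(token)
        if account_id not in session.accounts:
            raise PermissionError("account is not signed in to this session")
        session.accounts.remove(account_id)
        if session.active == account_id:
            session.active = session.accounts[-1] if session.accounts else None
        if not session.accounts:
            del self._sessions[token]  # last account gone: the cookie token is no longer valid
        return session.active

    def resolve(self, token: str) -> Tuple[Optional[str], List[str]]:
        """What a service reads on each request: the active account and the switcher list."""
        session = self._get(token)
        return session.active, list(session.accounts)
```

Keeping the account set on the server means signing one account out (or revoking the token) takes effect on the next request, which a client-side list of accounts could not guarantee.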