We are planning to setup three applications, two of them are based on WordPress, and third one is based on Magento. We will deploy these three apps on AWS. We are looking for a tool to centralize the management of all the users for these three apps. We could grant different privilege and allow the different users have different right to these three apps. So, we should choose AWS Cognito or SSO?
You can use both if you go with cognito route. Cognito User pools handles your user management (registration, login, granting tokens) while Cognito Identity Pool lets you use any of the identity providers including user pool to exchange tokens for temporary aws credentials based on what role you have attached to the group of users.
Identity pools also accept SSO with 3rd part authentication providers (federated identity). You can sign in users on your user pool using social identity providers (facebook, google, amazon) or create one using Auth0.
AWS Cognito is the right fit for your application. AWS SSO is essentially a layer between active directories and services like Cognito or Firebase. AWS SSO helps in delegating access to AWS services and provides SAML/Oauth gateways connected to the active directories.
AWS Cognito on the other hand, allows you to easily integrate your login systems with any auth providers like AWS SSO, Okta, Auth0 and social media channels too. Hence, definitely considering your requirements, AWS Cognito user pool is the best fit.
Related
It's a multi-tenant B2B SaaS application. How can I provide the Ability to provide Federated authentication with Tenant's corporate IdP for some tenants only if they choose to? For other tenants, basic UN/Password flow is required.
Do I need to use a pool per tenant or a common pool should work here?
Also, I am not planning to use the Identity pool but only the user pool as we do not need to give direct access to AWS resources.
I want to know the difference between AWS-Cognito and Shibboleth. I am unable to find the difference.
From what I can see shibboleth is a general SSO solution. It is comparable with cognito user pool which too provides user management services. The main difference between user pool and shibboleth would be that since user pools are a service offered by AWS they can be used by other AWS services directly like api gateway. IAM can be used to restrict access to signed admin API calls in userpool (eg: adminInitiateAuth)
Then we have cognito identity pool. This is used to grant access to aws resources. You can use various federated identities like facebook, amazon, openid etc as well as cognito user pool to authenticate and request for resources. You can also allow unauthenticated users to access resources.
We've implemented AWS SSO authentication with ActiveDirectory, corporate wise, for all our users. We use multiple AWS sub-accounts, so that ActiveDirectory users can connect to different AWS sub-accounts with their AD credentials, according to the AD group association with AWS policies.
This all works pretty well, however, it is not clear to me, how to implement following authorization properly. Some of our accounts have S3 buckets which should be available for all the users authenticated by the SSO, without regards of the user access rights.
What is the right way to organize that?
I am looking into using AWS-Cognito as a means to manage and authenticate users. I do not want to use aws api-gateway or any of their other services really. It seems though you can only create roles or policies if they are related to some other aws service. I'd like to have these custom roles or policies on the user's id token returned from Cognito. Is it possible to create these custom roles or policies or am I restricted to only roles and policies related to amazon services? I have found tried the Create your own policy, but it throws an error if it doesn't match a specific action or resource known to aws services. Thanks.
You can use Cognito User Pools to authenticate your users. Then you can call STS to issue temporary credentials based upon your own rules (policies). Look into examples using assumeRole().
If you want an integrated / managed service then use Cognito Federated Identities for authorization and Cognito Users Pools or Google, etc. for authentication.
Sort of confusing, but think of Cognito User Pools (or Facebook, etc.) as the Identity Provider and Cognito Federated Users as the Permissions broker.
I'm using AWS Cognito for user authentication.
The users who are logged in through Facebook/ google+ are listed in federated identity pool where as the users who are logged in through custom sign up process are listed in cognito user pool.
So, how can we manage both the list of users? Is there any way to access and manage both the list of users in a single application.
The only way to do this is to have your User Pools pool configured as a provider for your identity pool. Once that's configured, those identities should automatically show up as identities inside the identity pool with user pools as a linked login, and will be included in the ListIdentities results. See the Cognito developer guide for specifics on how to link the two, if you are unsure of how to do so.
I'm unsure from your question if you are integrating them already, but if not, Cognito does not currently support a way to list both sets of users.