Amazon Cognito supports OPENID auth and OATH. Is it possible to use LDAP instead to authenticate the user?
You can support any authentication system with Cognito, but you will need to use a slightly different authentication flow than existing public providers. Instead of calling Cognito directly from the device you will need to construct your own backend that will handle the authentication then call Cognito to establish the trust of your identity.
Please see the following for more details:
Amazon Cognito : Announcing Developer Authenticated Identities
Understanding Amazon Cognito Authentication Part 2: Developer Authenticated Identities
Related
I have an API that is currently secured by Identity server 3.
We are moving to AWS Cognito to login.
When a user signs up, I need to call our current API to make sure their username is in our database. How do I do this with a lambda function?
And how can I secure our API (which is hosted on our server), with the Cognito auth?
You can use pre-sign up lambda trigger on Cognito for check db.
I am trying to create jmeter script for login in to iphone native app. App is using cognito to authenticate the user.
As response of first page of app I am getting SALT and Secret block.
I am passing this secret block in and other required parameters in next request, however I got error message as "User name or password is in correct".
Did anyone worked successfully on similar things which can help me.
Looking into Amazon Cognito page:
Social and enterprise identity federation
With Amazon Cognito, your users can sign in through social identity providers such as Google, Facebook, and Amazon, and through enterprise identity providers such as Microsoft Active Directory via SAML.
Standards-based authentication
Amazon Cognito User Pools is a standards-based Identity Provider and supports identity and access management standards, such as Oauth 2.0, SAML 2.0, and OpenID Connect.
You will not be able to record and replay none of the mentioned protocols, depending on underlying identity provider mechanism you will either need to apply advanced correlation or a way to provide the required Bearer Token.
So you need to identify which identity mechanism is used under the hood and amend your JMeter test accordingly.
Reference material:
How to Load Test SAML SSO Secured Websites with JMeter
OpenID Connect - How to Load Test with JMeter
How to Run Performance Tests on OAuth Secured Apps with JMeter
Recently I read this article:
http://aws.amazon.com/articles/SDKs/Android/4611615499399490
Now my question is...
Can the Amazon STS (Security Token Service) used as a Token Vending Machine to manage user sessions for a clients of a Web Server (As opposed to Clients of AWS Services)?
Assume I have a Web Application. And this Web Application has Registered Users who are Authenticated with Login Credentials. Now I wish to issue a Session Token to these Users who are Authenticated.
1. User -> Web App -> User Login Page
2. User gives Credentials -> Web App -> Issues a Session Token (with expiry policy)
3. User the Session token -> Web App Resources (Non-AWS Resources proxy-ed by the Web App)
Can I use the Amazons Simple Token Service independently for the above Usecase? Or is Amazon STS only available for access to Amazon Services only?
The reason I wish to use Amazon STS is because they are :
- I don't have to worry about Session Token management
- Proven and Scalable
Please help. I am a little confused about this.
STS will provide temporary credentials (access key, secret key and token) for AWS Services only and should not be used for application authentication (or session management). But you could store those credentials in your session for AWS API access from your app.
Is there other ways of authorizing against the Azure Service Bus using AMQP than username and password such as tokens from the ACS?
In my scenario I want to be able to give resource level client access to the service bus without exposing my credentials.
Today, in the preview release of AMQP support in Service Bus, the SASL username/password scheme is the only authentication option.
It is still possible to provide resource-level client access with this model though as you're free to create multiple identities within ACS and associate a limited set of claims with those identities. In fact, this is recommended best practice. The alternative of using the default namespace 'owner' identity in a production set up is analogous to giving application components access to the root password.
So, my recommendation would be to create ACS identities for each "role" in your application and then grant only the claims required by that role. For example, if a Web tier component requires the ability to send to a queue, q1, then create an ACS identity for this Web tier role and grant the 'Send' claim to that identity.
Thanks,
Dave.
Service Bus Team, Microsoft.
I have been looking into whether it is possible to use Shibboleth/SAML with Amazon Web Services.
I'm finding very little information on this. As far as I can tell, it is possible to install Shibboleth/SAML on an EC2 server as a Service Provider.
What I am not so sure on is whether it is possible to tie all of AWS to Shibboleth - and how this would work.
My knowledge of all three are vaguely fuzzy - I've been doing a great deal of reading, but I'm not really familiar with this technology at all.
If I understand you correctly, what you are trying to do is use identity federation to grant a user temporary security credentials to perform AWS api calls. You would like your users to authenticate to your own identity provider (Shibboleth in this case), and be granted access to AWS services based on that authentication.
A good example of this that you can use as a framework is in this AWS sample code.
In a nutshell:
You need a proxy that the users connect to, passing in their authentication credentials. You would then verify them by authenticating to Shibboleth, AD, LDAP or whatever.
You need a Token Vending Machine that your proxy would then call to get a valid AWS secret key using GetFederationTokenRequest.
Your client would then use the token given to it to make the AWS api calls.
The concepts of federated identity include terms like STS, SP, and IdP, if you are looking for a starting place to research the topic more.