I have my UI application which uses AWS Cognito for user authentication. We have successfully integrated the SAML identity provider in our Cognito UserPool.
Now I want to support SSO using AD FS.
Below is the URL I can use for ADFS login:
https://adfs.DOMAIN.com/adfs/ls/IdpInitiatedSignOn.aspx
I have read this AWS doc on configuring this for the AWS Management Console.
But what steps should I follow to enable this for Cognito?
Any help?
From the Amazon Developer Forums: "Cognito User Pools do not currently support the IdP-initiated SAML flow."
If you are able to use Open-ID rather than SAML you will be able to overcome this issue. If SAML is a must, you may have to wait until support for the IdP-initiated SAML flow is provided.
Related
I need to add SSO support to our Alibaba account and we use GSuite as our identity provider. I only see guides for Azure Directory and Okta and I can't manage to get GSuite to work. All I'm getting is:
Error: not_a_saml_app
Provided application is not a SAML app
I'm trying to use Alibaba's CloudSSO service to do this.
I have a React app + a set of Lambdas which use a JWT API Gateway authorizer (using a Cognito user pool as IdP).
Additionally I have an Auth0 app + SAML IdP-initiated enterprise connection which directs the logged-in users to my React app along with a SAML assertion.
What will be the best and simplest solution to enable users who are directed to the React app with the SAML to be authorized in the API gateway?
I have come up with this possible solution: create a custom API Gateway authorizer which will accept the SAML assertion and validate it using Passport.
Is my solution applicable?
Is there an existing solution (code reference) for such an authorizer? (Could not find one...)
Are there simpler / better solutions?
There is an existing mechanism to log into a website. Now, external / remote SAML IDP is being added to facilitate SSO. The website uses other micro-services and components that provide data and functionality to the website.
Is there a way to have the existing mechanism of local username/password credentials continue to co-exist as an alternate authentication strategy alongside remote IdP SSO, while keeping the rest of the services handling authorization in a uniform way (using a SAML token)?
P.S. I looked at the options to implement the existing auth mechanism as a SAML IdP, but building it seems complex even with the likes of Shibboleth or OpenSAML libraries.
P.P.S. I haven't looked at the possibility of reimplementing the existing auth mechanism with OpenID Connect to co-exist with remote SAML IdPs.
Sure: one can provide a landing page to the user that gives a choice between using a local account or an account at a remote IDP.
We are in the process of building a series of apps that will run offline or in very austere environments. We'll also be integrating with other 3rd-party apps. Many of these will require logins, so we're attempting to use SAML to handle login between them.
I found saml2-js:
https://github.com/Clever/saml2
It seemed like a great starting point for both the SAML Service Provider and Identity Provider, but diving in I now see it does not implement the Identity Provider at all.
I already have a basic SAML Service Provider set up, but we need an Identity Provider that can run offline. Are there any Node or Go Identity Provider libraries we can use to implement this? If not, another recommendation?
Passport is the usual Node option but that's client side only.
There are a number of IdPs you can use, e.g.:
- Free: simpleSAMLphp / Shibboleth / IdentityServer4
- Cloud: Auth0 / Okta / Azure AD
- On-premises: ADFS
Azure AD B2C has the concept of Custom Policies, which in theory can be used to connect a B2C tenant to any IdP using SAML (see https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom).
Google's GSuite (org-owned) system can apparently be connected to as an IdP using SAML (only SAML) (see https://support.google.com/a/answer/6087519?hl=en).
Has anyone successfully connected these so that end users could use their GSuite accounts to authenticate to an enterprise application with Azure AD B2C in the middle?
thanks!
Martin
B2C supports SAML, and through custom policies you can connect to other services and return identities, although I have only done this with OIDC, as the SAML metadata may be an issue.
A good article on connecting to Salesforce with SAML is here, so you should be able to swap Salesforce for G Suite:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-sf-app-custom