I am new to Amazon Web Services.
All tables are stored in DynamoDB. My query is how to manage and authenticate user ?
For Example.
Suppose assume I have username called mike and password is testmike. When I press login button using cognito (SAML) they autenticate user and if user return success message then fetch all table data from that user pool. How can we achieve this? I already read amazon developer guide I am confused How to implement in my code.
Or without SAML is this possible ?
Can anybody provide sample code here ?
Your help is really appreciated .
If you have your own user directory which supports SAML IdP then you can use SAML federation and access your DynamoDB table with Cognito identity credentials.
If you want to create user signup and signin functionality and let Cognito manage your users, you can use Cognito user pools. User data is not stored automatically in DynamoDB. If you want to store some additional data related to user, you can federate Cognito user with Cognito identity and use these credentials to write to Cognito sync or DyanamoDB.
Related
How do I use Azure B2C with Entity Framework, or any other back-end system?
The documentation for Azure B2C does not seem to discuss integration with back-end systems, and I'm at a loss as to how this is achieved.
I do not need the user to authenticate against the database, but I want to store user-specific data in the database. This could entail the use of a Users table, for example.
The design of the DB is up to you.
The normal way is to add the DB primary key of the user as an extension attribute for the user in B2C.
When the user logs in, get the extension attribute and pass it to an API that handles all the DB activity.
See MS documentation Use API connectors to customize and extend sign-up user flows and custom policies with external identity data sources
you can verify that the email address provided by the user exists in
your customer's database, and if not, present an error.
Your RESTful service can receive the user's email address, query the
customer's database, and return the user's loyalty number to Azure AD
B2C
You can use an example
A B2C IEF Custom Policy which authenticates to AAD and calls a REST API for more claims
I also need to add the created/updated user into a users-table of an RDS-database, and the described workflow does not describe such a scenario at all.
Is it possible to react to the create/update of a cognito user within this SAML-workflow, by also updating an applications database-table with the new data?
--
In the docs of AWS Cognito in the Chapter "SAML user pool IdP authentication flow" there is following part written:
6. After verifying the SAML assertion and collecting the user attributes (claims) from the assertion,
Amazon Cognito internally creates or updates the user's profile in the user pool.
Amazon Cognito returns OIDC tokens to the app for the now signed-in user.
see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp-authentication.html
this part does not seem to recognize the scenario i described in my question, and there is no link/hint to such a solution given.
In order to perform additional actions to customize the Cognito user pool workflow, you can use Lambda triggers.
In your particular situation, there are triggers and triggerSource values you should look for regarding Sign Up and Sign In for federated users, as per documentation, namely:
For SignUp:
PreSignUp_ExternalProvider this is called before the user is created in Cognito, allowing to perform some additional actions, normally validations.
PostConfirmation_ConfirmSignUp is invoked after the user has been created and confirmed in Cognito. This would be where you'd create it at the RDS Database.
For SignIn:
PreAuthentication_Authentication similarly to PreSignUp, useful for additional validations, but for Sign In.
PostAuthentication_Authentication called after a successful authentication. This is where you would update the User at your Database.
Also keep in mind that the Updated date of the user will change at each new sign-in due to this (source) :
Amazon Cognito must be able to update your mapped user pool attributes when users sign in to your application. When a user signs in through an IdP, Amazon Cognito updates the mapped attributes with the latest information from the IdP. Amazon Cognito updates each mapped attribute, even if its current value already matches the latest information.
I have a working KeyCloak installation, and a Laravel backend that uses this to authenticate Users.
The KeyCloack server is already configured with some external ("social") identity providers.
Now I want to create, from PHP backend, new "social" Users on KeyCloak via REST API before they attempt to login the first time.
My goal is to create new Users on backend database with their all profile data, in order to have all the user set-up already done once the user will first login on my app.
Is there a way to do this?
Have I to create the user firsty on KeyCloak and then link it to a social provider in some way?
Or something other?
Thanks
There are essentially two steps required:
You have to create a login-flow, that maps the SAML-User to the local user.
This must contain the "Detect Existing Broker User" and the "Automatically Set Existing User" Execution as Required.
Your Identity Providermust use this as login flow.
Then you have to configure your SAML Identity-Provider to identify the SANL-Atrribute to match the user. Feal free to ask if you need further help for this.
We want to integrate Keycloak 18 in our platform to replace a self-implemented solution in the future. The first step was to implement an own user provider to keep our existing tables where users, roles and permissions are stored. This was pretty easy. So the old and new way can co-exist for a step-by-step replacement.
Now we also want to provide integrations for other user providers, like LDAP, Kerberos etc.
Is there a way to load the roles from our external db table after a user was authenticated by a random user provider?
e.g.:
User sends auth request to keycloak
User has been successfully authenticated by the ldap user provider
lookup external db to get the roles for the username and add them to the user model
thank you for your help
I am building a SPA with a spring on the backend. I am working on signing in with Google, most of it is working already: got the id_token with the implicit flow in the frontend and I sent it and verified it on the backend.
I want to have users with roles and manage that locally (so, no adding info in the oidc provider). What are the options to go from the id_token to having an authenticated user in spring? I did not find any example doing that link manually (id_token-spring_sec_user).
I have checked several sources like the Spring Security 5 presentation at SpringOne https://www.youtube.com/watch?v=WhrOCurxFWU, several SO questions and posts on okta's and auth0's blogs but I am still missing the link.
You will have to create your own (application) specific roles.
Use these steps :
Get authenticated from Google
Access the profile section from google (username, name etc )
Use your own user table to store this info
Create admin APIs in your own system and assign your app-specific roles to the user.
When you login again you will authenticate against google login/password and roles specific to your application .
Create an account or session with the id_token
Check if the user is already in your user database. If so, establish an authenticated session for the user. If the user isn't yet in your user database, create a new user record with default role from the information in the ID token payload, and establish a session for the user. You can prompt the user for any additional profile information you require when you detect a newly created user in your app.