We are currently building a web app using a full serverless stack on AWS. So far we have been very successful using AWS Lambda, AWS DynamoDB and Cognito User Pools. This application is intended to be an enterprise application and one of my clients wants to be able to log all users in using their current Active Directory credentials. I have used AD FS in the past on other applications but it has always turned out to be a bit of a hack to get it working.
Now, I want to send the customer instructions on how to configure their AD FS relying party trust to authenticate against my application.
I have read that the best way to do this is to create a Cognito Identity Provider that links to a Cognito User Pool. In the User Pool you should create a SAML provider and upload the metadata.xml from the AD FS server.
I have set up a lab server with AD FS and I can get that working. Now I am not sure what I am doing wrong in terms of the Relying Party Trust setup or the Cognito setup. I have been at this for ages and read just about every blog article I can find. If anyone can help me out or point me in the right direction that would be greatly appreciated.
Recommended answer
After much frustration, I can now answer this question so I decided to put together an easy step-by-step answer for beginners with these struggles.
I am only going into the authentication setup and not the authorisation. Authorisation requires IAM roles and some other logic that is architecture specific. I'm happy to discuss that elsewhere.
There are 2 components to this kind of setup:
Creating the Cognito User Pool domain
In the Cognito User Pool under General Settings, select App clients and add one if there are none (you will need the ID later).
Then go to Domain Name under App Integration and choose a valid domain prefix and save it.
You will need to get the company to set up a relying party trust. The steps required are as follows:
Now you need to add claims to the relying party trust.
Federated Identities in AWS Cognito User pool
So as the application developer, you need to set up the Cognito User Pool. Go through the wizard and choose your preferred settings. The federated identities don't necessarily play by the same rules as the user pool itself anyway.
The steps to set up the federated identity are:
Attribute Mapping for Federated Identity
Setting up the App Client
The last step before testing is to set up the app client that you created earlier.
Testing
To test, you can try a few different URLs in the form of:
- https://<domain_prefix>.auth.<region>.amazoncognito.com/authorize?idp_identifier=<idp_identifier>&response_type=token&client_id=<app_client_id>&redirect_uri=<app_client_callback_URL> to go directly to the authorize endpoint
- https://<domain_prefix>.auth.<region>.amazoncognito.com/login?response_type=token&client_id=<app_client_id>&redirect_uri=<app_client_callback_URL> to go to the AWS hosted login UI
The idp_identifier is the optional field defined when creating the federated identity. This is not required in the URL either.
This one page webapp is a good tool to use to test that things are working and you are getting the desired response.
I hope this helps other people.
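An added example (not part of the answer above, and not AWS code) that puts the testing step into working form: it builds the two hosted UI URLs from the answer with the optional idp_identifier, parses the token fragment that response_type=token sends back to the callback URL, and checks the id_token's issuer, audience, token_use and expiry against the pool. The domain prefix, region, pool id, client id and callback URL are constructed placeholders; the claim checks deliberately stop short of signature verification, which must be done against the pool's JWKS before the token is trusted.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder values for this example; substitute your own pool's settings.
DOMAIN_PREFIX = "example-prefix"
REGION = "eu-west-1"
USER_POOL_ID = "eu-west-1_EXAMPLE"
APP_CLIENT_ID = "exampleclientid123"
ALLOWED_CALLBACKS = {"https://app.example.com/callback"}


def hosted_ui_url(redirect_uri, idp_identifier=None, login_ui=False):
    """Build the hosted UI URL from the answer (implicit flow, response_type=token).
    /authorize plus an optional idp_identifier sends the browser straight to that SAML IdP;
    /login shows the AWS hosted login page instead."""
    if redirect_uri not in ALLOWED_CALLBACKS:  # must be a callback URL registered on the app client
        raise ValueError("redirect_uri is not a registered app client callback URL")
    params = {"idp_identifier": idp_identifier} if idp_identifier and not login_ui else {}
    params.update(response_type="token", client_id=APP_CLIENT_ID, redirect_uri=redirect_uri)
    path = "login" if login_ui else "authorize"
    return f"https://{DOMAIN_PREFIX}.auth.{REGION}.amazoncognito.com/{path}?{urlencode(params)}"


def parse_callback_fragment(callback_url):
    """response_type=token returns the tokens in the URL fragment, e.g.
    https://app.example.com/callback#id_token=...&access_token=...&expires_in=3600&token_type=Bearer"""
    return {k: v[0] for k, v in parse_qs(urlsplit(callback_url).fragment).items()}


def check_id_token_claims(id_token, now=None):
    """Return the names of id_token claims that fail: iss (this pool), aud (this app client),
    token_use == "id", exp. The signature is NOT checked here: verify it against the
    pool's JWKS before trusting any of these claims."""
    _header, payload, _signature = id_token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = time.time() if now is None else now
    checks = {
        "iss": claims.get("iss") == f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}",
        "aud": claims.get("aud") == APP_CLIENT_ID,
        "token_use": claims.get("token_use") == "id",
        "exp": isinstance(claims.get("exp"), (int, float)) and claims["exp"] > now,
    }
    return [name for name, ok in checks.items() if not ok]


def sample_id_token(claims):
    """Constructed, UNSIGNED token (alg=none) so the claim checks can be exercised offline."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."
```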