Authentication with AWS Cognito

This service, provided by Amazon Web Services, manages the sign-in information for the users of a platform. If your organization uses AWS Cognito for identity and access management of your users, you can map the users that already exist in AWS Cognito to FintechOS Security Roles. Through the AWS Cognito OpenID provider, users can log in to FintechOS using their existing AWS Cognito credentials.

Add keys to the web.config file

In the web.config file of your environment add the following keys.

    <add key="EBSDefaultAuthentication" value="AWSCognito" />

    <!-- BEGIN AWS COGNITO OPEN ID CONFIGURATION -->

    <add key="openid-client-id" value="AWS Cognito client id xxxxx" />
    <add key="openid-client-secret" value="AWS Cognito client secret yyyyyy" />

    <add key="openid-callback-url" value="http://${portalRoot}/Account/LogonCallback" />

    <add key="openid-discovery-endpoint" value="https://cognito-idp.xxx/.well-known/openid-configuration" />

    <!-- USER MAPPING SETTINGS -->

    <add key="openid-auto-user-roles" value="Guest,Developer,Registered Users" />
    <add key="openid-auto-user-organization" value="ebs" />
    <add key="openid-auto-user-businessunit" value="root" />
    <add key="openid-auto-user-type" value="Back Office" />

    <add key="openid-auto-user-remote-roles-add" value="0"/>
    <add key="openid-auto-user-remote-roles-sync" value="0"/>

    <!-- END AWS COGNITO OPEN ID CONFIGURATION -->

Configuration Keys:

  openid-auto-user-roles
    Platform role names, separated by colon (the example above uses commas). These roles are added automatically when the AWS Cognito user is mapped to a platform user.
  openid-auto-user-organization
    Platform organization name. The mapped user is added to this organization.
  openid-auto-user-businessunit
    Platform business unit name. The mapped user is added to this business unit.
  openid-auto-user-remote-roles-add
    Not supported yet.
  openid-auto-user-remote-roles-sync
    Not supported yet.

Parameters:

  ${portalRoot}
    Root URL of the FintechOS portal.
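The keys above are the whole trust configuration between FintechOS and Cognito, so a reviewer will want to check them before deployment. The following script is an added example (not FintechOS code) that parses the appSettings keys from a web.config and flags a non-HTTPS callback URL (the authorization code is returned over it), a discovery endpoint that is not a proper HTTPS .well-known URL, placeholder credentials, and the unsupported remote-role flags set to anything but 0. It assumes the keys sit inside the usual <configuration><appSettings> wrapper and uses a constructed hostname in place of ${portalRoot}.

```python
"""Lint the AWS Cognito OpenID keys in a FintechOS web.config (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample mirroring the documented snippet, wrapped in the
# <configuration>/<appSettings> elements a real web.config has.
SAMPLE_WEB_CONFIG = """<configuration><appSettings>
  <add key="EBSDefaultAuthentication" value="AWSCognito" />
  <add key="openid-client-id" value="AWS Cognito client id xxxxx" />
  <add key="openid-client-secret" value="AWS Cognito client secret yyyyyy" />
  <add key="openid-callback-url" value="http://portal.example/Account/LogonCallback" />
  <add key="openid-discovery-endpoint" value="https://cognito-idp.xxx/.well-known/openid-configuration" />
  <add key="openid-auto-user-roles" value="Guest,Developer,Registered Users" />
  <add key="openid-auto-user-remote-roles-add" value="0"/>
  <add key="openid-auto-user-remote-roles-sync" value="0"/>
</appSettings></configuration>"""

# Fragments of the documentation placeholders; a real client id/secret
# taken from the Cognito console contains none of these.
PLACEHOLDER_MARKERS = ("xxxx", "yyyy", "client id", "client secret")

def load_app_settings(xml_text: str) -> dict:
    """Return every <add key=... value=...> under appSettings as {key: value}."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): a.get("value", "") for a in root.iter("add") if a.get("key")}

def lint_cognito_settings(settings: dict) -> list:
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    if settings.get("EBSDefaultAuthentication") != "AWSCognito":
        findings.append("EBSDefaultAuthentication is not AWSCognito")
    for key in ("openid-client-id", "openid-client-secret"):
        value = settings.get(key, "").lower()
        if not value or any(m in value for m in PLACEHOLDER_MARKERS):
            findings.append(f"{key} is missing or still a placeholder")
    cb = urlparse(settings.get("openid-callback-url", ""))
    if cb.scheme != "https":
        findings.append("openid-callback-url is not https; the authorization code would travel in clear")
    disc = urlparse(settings.get("openid-discovery-endpoint", ""))
    if disc.scheme != "https" or not disc.path.endswith("/.well-known/openid-configuration"):
        findings.append("openid-discovery-endpoint must be an https .well-known/openid-configuration URL")
    for key in ("openid-auto-user-remote-roles-add", "openid-auto-user-remote-roles-sync"):
        if settings.get(key, "0") != "0":
            findings.append(f"{key} is documented as not supported yet; set it to 0")
    return findings

if __name__ == "__main__":
    for finding in lint_cognito_settings(load_app_settings(SAMPLE_WEB_CONFIG)):
        print("WARN:", finding)
```

Run against the sample it reports the placeholder client id and secret and the plain-http callback; a configuration with real credentials and an https callback produces no findings.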

Group mapping for users

For each user in FintechOS, the default roles, organization, business unit and user type can be set in the web.config file.

  1. An XML file named OpenIdUserConfiguration.xml must be placed in the root of the FintechOS web application.
     IMPORTANT! Any changes to OpenIdUserConfiguration.xml require a manual Application Domain restart.
  2. The ADFS token for a user authentication will include a group claim with the names of the AD groups of which the user is a member.