Authentication with AWS Cognito
Starting with release 22.1, the FintechOS Platform uses the FintechOS Identity Provider as the default authentication layer for the FintechOS applications and services. You can configure the FintechOS Identity Provider to act as an identity broker, allowing users to log in to FintechOS applications and services using their existing AWS Cognito credentials. For more information, see Using AWS Cognito as External Identity Provider.
This authentication method is provided only for backward compatibility.
This service, provided by Amazon Web Services, manages the sign-in information for the users of a platform. If your organization uses AWS Cognito for identity and access management, the users that already exist in AWS Cognito can be mapped to FintechOS Security Roles. Through the AWS OpenId provider, users can then log in to FintechOS using their existing AWS Cognito credentials.
Add keys to Vault secrets
Set AWS Cognito authentication:
Key Path | Key Name | Key Value |
---|---|---|
kv/<environment>/<application>/app-settings | EBSDefaultAuthentication | AWSCognito |
AWS Cognito configuration:
Key Path | Key Name | Key Value |
---|---|---|
kv/<environment>/<application>/app-settings | openid-client-id | AWS Cognito client id xxxxx |
kv/<environment>/<application>/app-settings | openid-client-secret | AWS Cognito client secret yyyyyy |
kv/<environment>/<application>/app-settings | openid-callback-url | http://${portalRoot}/Account/LogonCallback |
kv/<environment>/<application>/app-settings | openid-discovery-endpoint | https://cognito-idp.xxx/.well-known/openid-configuration |
User mapping settings:
Key Path | Key Name | Key Value |
---|---|---|
kv/<environment>/<application>/app-settings | openid-auto-user-roles | Guest,Developer,Registered Users |
kv/<environment>/<application>/app-settings | openid-auto-user-organization | ebs |
kv/<environment>/<application>/app-settings | openid-auto-user-businessunit | root |
kv/<environment>/<application>/app-settings | openid-auto-user-type | Back Office |
kv/<environment>/<application>/app-settings | openid-auto-user-remote-roles-add | 0 or 1 |
kv/<environment>/<application>/app-settings | openid-auto-user-remote-roles-sync | 0 or 1 |
Configuration Keys:
Key | Value |
---|---|
openid-auto-user-roles | Platform role names, separated by colon. These roles are added automatically when the AWS Cognito user is mapped to a platform user |
openid-auto-user-organization | Platform organization name. The mapped user will be added in this organization |
openid-auto-user-businessunit | Platform business unit name. The mapped user will be added in this business unit |
openid-auto-user-remote-roles-add | not supported yet |
openid-auto-user-remote-roles-sync | not supported yet |
Parameters:
Parameter | Value |
---|---|
${portalRoot} | root url for FintechOS portal |
In the web.config file of your environment, add the following keys.

```xml
<add key="EBSDefaultAuthentication" value="AWSCognito" />
<!-- BEGIN AWS COGNITO OPENID CONFIGURATION -->
<add key="openid-client-id" value="AWS Cognito client id xxxxx" />
<add key="openid-client-secret" value="AWS Cognito client secret yyyyyy" />
<add key="openid-callback-url" value="http://${portalRoot}/Account/LogonCallback" />
<add key="openid-discovery-endpoint" value="https://cognito-idp.xxx/.well-known/openid-configuration" />
<!-- USER MAPPING SETTINGS -->
<add key="openid-auto-user-roles" value="Guest,Developer,Registered Users" />
<add key="openid-auto-user-organization" value="ebs" />
<add key="openid-auto-user-businessunit" value="root" />
<add key="openid-auto-user-type" value="Back Office" />
<add key="openid-auto-user-remote-roles-add" value="0"/>
<add key="openid-auto-user-remote-roles-sync" value="0"/>
<!-- END AWS COGNITO OPENID CONFIGURATION -->
```
Group mapping for users
For each user in FintechOS, default roles can be created in the web.config file for this user, organization, business unit and user type.
- An XML file named OpenIdUserConfiguration.xml must be placed in the root of the FintechOS web application. IMPORTANT! Any changes to OpenIdUserConfiguration.xml require a manual Application Domain restart.
- The ADFS token for a user authentication will include a group claim with the names of the Groups in which the user is a member in AD.
```xml
<root>
  <SecurityGroup>
    <Name>GROUP1</Name>
    <DefaultBusinessUnitName>root</DefaultBusinessUnitName>
    <SecurityRoleName>Registered Users,Developers</SecurityRoleName>
  </SecurityGroup>
  ...
  <SecurityGroup>
    <Name>GROUP2</Name>
    <DefaultBusinessUnitName>root</DefaultBusinessUnitName>
    <SecurityRoleName>GROUP2</SecurityRoleName>
  </SecurityGroup>
</root>
```
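The following is an added example, not FintechOS code, that shows how the two mapping inputs described on this page combine: the openid-auto-user-* defaults from the app-settings tables and the per-group roles and business unit from OpenIdUserConfiguration.xml, applied to the group claim carried by the token. The precedence it implements is an assumption (the page does not state it): default roles always apply, each matched group's roles are added once, and the first matched group's DefaultBusinessUnitName overrides the default business unit. The XML and settings are constructed samples in the layout shown above (GROUP2's business unit is changed to "finance" so the override is visible); the function names are hypothetical. Group claims with no SecurityGroup entry and duplicate or nameless groups in the XML are surfaced rather than silently ignored, which is what an administrator wants when auditing which claims actually grant roles.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample OpenIdUserConfiguration.xml in the layout shown on this page
# (the business unit of GROUP2 was changed to "finance" so the override is visible).
GROUP_CONFIG_XML = """<root>
  <SecurityGroup>
    <Name>GROUP1</Name>
    <DefaultBusinessUnitName>root</DefaultBusinessUnitName>
    <SecurityRoleName>Registered Users,Developers</SecurityRoleName>
  </SecurityGroup>
  <SecurityGroup>
    <Name>GROUP2</Name>
    <DefaultBusinessUnitName>finance</DefaultBusinessUnitName>
    <SecurityRoleName>GROUP2</SecurityRoleName>
  </SecurityGroup>
</root>"""

# Constructed app-settings mirroring the openid-auto-user-* keys from the tables above.
APP_SETTINGS = {
    "openid-auto-user-roles": "Guest,Developer,Registered Users",
    "openid-auto-user-organization": "ebs",
    "openid-auto-user-businessunit": "root",
    "openid-auto-user-type": "Back Office",
}


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    business_unit: str
    roles: tuple


@dataclass
class MappedUser:
    organization: str
    business_unit: str
    user_type: str
    roles: list = field(default_factory=list)
    unmatched_groups: list = field(default_factory=list)


def split_names(value):
    """Split a comma-separated list of names, dropping blanks and surrounding whitespace."""
    return [part.strip() for part in (value or "").split(",") if part.strip()]


def parse_group_config(xml_text):
    """Parse OpenIdUserConfiguration.xml into {group name: SecurityGroup}.

    A group without a Name, or a name listed twice, raises ValueError so an
    ambiguous file fails loudly instead of granting whichever entry parses last.
    """
    groups = {}
    for node in ET.fromstring(xml_text).findall("SecurityGroup"):
        name = (node.findtext("Name") or "").strip()
        if not name:
            raise ValueError("SecurityGroup without a Name element")
        if name in groups:
            raise ValueError(f"duplicate SecurityGroup {name!r}")
        groups[name] = SecurityGroup(
            name=name,
            business_unit=(node.findtext("DefaultBusinessUnitName") or "").strip(),
            roles=tuple(split_names(node.findtext("SecurityRoleName"))),
        )
    return groups


def map_user(settings, groups, token_groups):
    """Build the platform user from the openid-auto-user-* defaults plus the
    token's group claim.

    Assumed precedence (hypothetical, not stated on the page): default roles
    always apply, each matched group's roles are added once, and the first
    matched group's DefaultBusinessUnitName overrides the default business unit.
    Claims with no SecurityGroup entry are recorded in unmatched_groups.
    """
    user = MappedUser(
        organization=settings["openid-auto-user-organization"],
        business_unit=settings["openid-auto-user-businessunit"],
        user_type=settings["openid-auto-user-type"],
        roles=split_names(settings.get("openid-auto-user-roles")),
    )
    business_unit_overridden = False
    for claim in token_groups:
        group = groups.get(claim)
        if group is None:
            user.unmatched_groups.append(claim)
            continue
        for role in group.roles:
            if role not in user.roles:
                user.roles.append(role)
        if group.business_unit and not business_unit_overridden:
            user.business_unit = group.business_unit
            business_unit_overridden = True
    return user


if __name__ == "__main__":
    config = parse_group_config(GROUP_CONFIG_XML)
    # Constructed group claim: one mapped group and one with no XML entry.
    print(map_user(APP_SETTINGS, config, ["GROUP2", "CONTRACTORS"]))
```

Running the block prints the mapped user for a token carrying GROUP2 and an unmapped CONTRACTORS group: the three default roles plus GROUP2, business unit "finance", and CONTRACTORS listed under unmatched_groups. Reviewing that last list after a configuration change is a cheap way to confirm that no group claim is arriving without a corresponding SecurityGroup entry.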