Authentication with AWS Cognito

IMPORTANT!  
Starting with release 22.1, the FintechOS Platform uses the FintechOS Identity Provider as the default authentication layer for the FintechOS applications and services. You can configure the FintechOS Identity Provider to act as an identity broker, allowing users to log in to FintechOS applications and services using their existing AWS Cognito credentials. For more information, see Using AWS Cognito as External Identity Provider.
This authentication method is provided only for backward compatibility.

This service, provided by Amazon Web Services, manages the sign-in information for the users of a platform. If your organization uses AWS Cognito for identity and access management, you can map the users that already exist in AWS Cognito to FintechOS Security Roles. Through the AWS Cognito OpenID provider, users can then log in to FintechOS using their existing AWS Cognito credentials.

Add keys to Vault secrets

Set AWS Cognito authentication:

Key Path                                     Key Name                  Key Value
-------------------------------------------  ------------------------  ----------
kv/<environment>/<application>/app-settings  EBSDefaultAuthentication  AWSCognito

AWS Cognito configuration:

Key Path                                     Key Name                   Key Value
-------------------------------------------  -------------------------  ---------------------------------------------------------
kv/<environment>/<application>/app-settings  openid-client-id           AWS Cognito client id (xxxxx)
kv/<environment>/<application>/app-settings  openid-client-secret       AWS Cognito client secret (yyyyyy)
kv/<environment>/<application>/app-settings  openid-callback-url        http://${portalRoot}/Account/LogonCallback
kv/<environment>/<application>/app-settings  openid-discovery-endpoint  https://cognito-idp.xxx/.well-known/openid-configuration

User mapping settings:

Key Path                                     Key Name                            Key Value
-------------------------------------------  ----------------------------------  --------------------------------
kv/<environment>/<application>/app-settings  openid-auto-user-roles              Guest,Developer,Registered Users
kv/<environment>/<application>/app-settings  openid-auto-user-organization       ebs
kv/<environment>/<application>/app-settings  openid-auto-user-businessunit       root
kv/<environment>/<application>/app-settings  openid-auto-user-type               Back Office
kv/<environment>/<application>/app-settings  openid-auto-user-remote-roles-add   0|1
kv/<environment>/<application>/app-settings  openid-auto-user-remote-roles-sync  0|1

Configuration Keys:

Key                                 Value
----------------------------------  --------------------------------------------------------------------------
openid-auto-user-roles              Platform role names, separated by a colon (the sample value above uses commas; check which separator your platform version accepts). These roles are added automatically when the AWS Cognito user is mapped to a platform user.
openid-auto-user-organization       Platform organization name. The mapped user is added to this organization.
openid-auto-user-businessunit       Platform business unit name. The mapped user is added to this business unit.
openid-auto-user-remote-roles-add   Not supported yet.
openid-auto-user-remote-roles-sync  Not supported yet.

Parameters:

Parameter      Value
-------------  --------------------------------
${portalRoot}  Root URL of the FintechOS portal
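As an added example (not FintechOS code), the following Python preflight check models the app-settings key/value pairs from the tables above as a plain dict and reports the misconfigurations a reviewer would look for before the platform reads them: missing keys, documentation placeholders left in the client id or secret, a callback URL that is not https (the table's sample uses http, which would expose the authorization code in transit), a malformed discovery endpoint, an empty role list, and the not-yet-supported remote-roles flags set to 1. The two settings dicts, the portal root `portal.example.com`, the placeholder detection and the acceptance of both comma and colon as role separators are constructed assumptions; reading the values out of Vault is not performed.

```python
"""Preflight check for the AWS Cognito app-settings described above.

Added example, not FintechOS code. The key/value pairs that live under
kv/<environment>/<application>/app-settings are modelled as a plain dict;
fetching them from Vault is not done here.
"""
import re
from urllib.parse import urlparse

# Keys the configuration tables require for AWS Cognito authentication.
REQUIRED_KEYS = (
    "EBSDefaultAuthentication",
    "openid-client-id",
    "openid-client-secret",
    "openid-callback-url",
    "openid-discovery-endpoint",
    "openid-auto-user-roles",
    "openid-auto-user-organization",
    "openid-auto-user-businessunit",
    "openid-auto-user-type",
)
# 0|1 flags that the page marks as not supported yet.
UNSUPPORTED_FLAGS = ("openid-auto-user-remote-roles-add", "openid-auto-user-remote-roles-sync")
# Sample values from the documentation table; they must never reach a live deployment.
DOC_PLACEHOLDERS = {"xxxxx", "yyyyyy"}


def parse_roles(value):
    """Split openid-auto-user-roles into role names.

    The page names a colon as separator while its sample uses commas,
    so both are accepted here (assumption)."""
    return [r.strip() for r in re.split(r"[,:]", value) if r.strip()]


def check_app_settings(settings, portal_root):
    """Return a list of problems found in the settings (empty list means OK)."""
    problems = [f"{k}: missing or empty" for k in REQUIRED_KEYS if not settings.get(k, "").strip()]
    if problems:
        return problems  # the remaining checks assume every key is present

    if settings["EBSDefaultAuthentication"] != "AWSCognito":
        problems.append("EBSDefaultAuthentication: must be AWSCognito for this method")

    for key in ("openid-client-id", "openid-client-secret"):
        if settings[key] in DOC_PLACEHOLDERS:
            problems.append(f"{key}: documentation placeholder left in place")

    # ${portalRoot} is substituted the way the Parameters table describes.
    callback = urlparse(settings["openid-callback-url"].replace("${portalRoot}", portal_root))
    if callback.scheme != "https":
        problems.append("openid-callback-url: not https, the authorization code would travel in clear text")
    if callback.path != "/Account/LogonCallback":
        problems.append("openid-callback-url: path must be /Account/LogonCallback")

    discovery = urlparse(settings["openid-discovery-endpoint"])
    if discovery.scheme != "https" or not discovery.path.endswith("/.well-known/openid-configuration"):
        problems.append("openid-discovery-endpoint: must be https and end in /.well-known/openid-configuration")

    if not parse_roles(settings["openid-auto-user-roles"]):
        problems.append("openid-auto-user-roles: no role names given")

    for key in UNSUPPORTED_FLAGS:
        flag = settings.get(key, "0")
        if flag not in ("0", "1"):
            problems.append(f"{key}: must be 0 or 1")
        elif flag == "1":
            problems.append(f"{key}: set to 1 but the platform does not support it yet")
    return problems


# Constructed sample that mirrors the documentation tables verbatim.
SETTINGS_AS_DOCUMENTED = {
    "EBSDefaultAuthentication": "AWSCognito",
    "openid-client-id": "xxxxx",
    "openid-client-secret": "yyyyyy",
    "openid-callback-url": "http://${portalRoot}/Account/LogonCallback",
    "openid-discovery-endpoint": "https://cognito-idp.xxx/.well-known/openid-configuration",
    "openid-auto-user-roles": "Guest,Developer,Registered Users",
    "openid-auto-user-organization": "ebs",
    "openid-auto-user-businessunit": "root",
    "openid-auto-user-type": "Back Office",
    "openid-auto-user-remote-roles-add": "0",
    "openid-auto-user-remote-roles-sync": "0",
}

# Same settings with constructed (not real) credentials and an https callback.
SETTINGS_HARDENED = {
    **SETTINGS_AS_DOCUMENTED,
    "openid-client-id": "1h57kf5cpq17m0eml12EXAMPLE",
    "openid-client-secret": "constructed-secret-value-EXAMPLE",
    "openid-callback-url": "https://${portalRoot}/Account/LogonCallback",
}

if __name__ == "__main__":
    for name, cfg in (("as documented", SETTINGS_AS_DOCUMENTED), ("hardened", SETTINGS_HARDENED)):
        print(name, check_app_settings(cfg, "portal.example.com") or "OK")
```

Run the script as-is to see the three findings for the documented sample (two placeholders and the http callback) and a clean result for the hardened one; point `check_app_settings` at the dict you read back from Vault to reuse it in a deployment pipeline.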

 

 

Group mapping for users

For each user in FintechOS, default roles can be defined in the web.config file for that user, organization, business unit and user type.

  1. An XML file named OpenIdUserConfiguration.xml must be placed in the root of the web application of FintechOS.
    IMPORTANT!  
    Any changes to OpenIdUserConfiguration.xml require a manual Application Domain restart.
  2. The ADFS token issued for a user authentication includes a group claim with the names of the AD groups the user is a member of.