Using AWS Cognito as External Identity Provider
If your organization is using AWS Cognito for identity and access management, you can configure the FintechOS Identity Provider to act as an identity broker, allowing users to log in to FintechOS applications and services using their existing AWS Cognito credentials.
1 Create an AWS Cognito App for the FintechOS Identity Provider
Sign in to your AWS Cognito console with your administrator account and create an app for the FintechOS Identity Provider. The Callback URL must match the identity provider alias you will set up for AWS Cognito in the FintechOS Identity Provider and has the following structure:
https://{HPFI base URL}/auth/realms/{realm name}/broker/{alias}/endpoint
E.g.: https://myHpfi.myDomain/auth/realms/FintechOSRealm/broker/awsCognito/endpoint
Make a note of the following AWS Cognito app settings which you will have to provide in the FintechOS Identity Provider for integration:
- AWS Cognito client ID
- AWS Cognito client secret
- AWS Cognito domain
- Pool ARN - The region and pool ID will be extracted from the pool ARN to determine the discovery endpoint. This is an endpoint that returns the OpenID Connect metadata related to the AWS Cognito authorization server and has the following URL template:
https://cognito-idp.{region}.amazonaws.com/{poolId}/.well-known/openid-configuration
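As an added example (not FintechOS or AWS code), this Python derives the Issuer, discovery and JWKS URLs that steps 1 and 2 need from a pool ARN, and checks that what the discovery endpoint publishes agrees with them, since the broker validates token signatures against exactly these values. The ARN, account ID and pool ID are constructed placeholders; the ARN layout assumed is the standard `arn:aws:cognito-idp:{region}:{account-id}:userpool/{poolId}`.

```python
import re

# Assumed pool ARN layout: arn:aws:cognito-idp:{region}:{account-id}:userpool/{poolId}
POOL_ARN_RE = re.compile(
    r"^arn:aws:cognito-idp:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):"
    r"\d{12}:userpool/(?P<pool_id>[A-Za-z0-9_-]+)$"
)

def cognito_endpoints(pool_arn: str) -> dict:
    """Derive the Issuer, discovery URL and JWKS URL from a user pool ARN."""
    m = POOL_ARN_RE.match(pool_arn)
    if not m:
        raise ValueError(f"not a Cognito user pool ARN: {pool_arn!r}")
    region, pool_id = m.group("region"), m.group("pool_id")
    # Cognito pool IDs carry their region as a prefix; a mismatch means a mangled ARN.
    if not pool_id.startswith(region + "_"):
        raise ValueError(f"pool id {pool_id!r} is not in region {region!r}")
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{pool_id}"
    return {
        "issuer": issuer,
        "discovery_url": f"{issuer}/.well-known/openid-configuration",
        "jwks_url": f"{issuer}/.well-known/jwks.json",
    }

def metadata_mismatches(discovery_doc: dict, expected: dict) -> list:
    """Compare the published OpenID Connect metadata with the derived values.
    Any key returned here means the Issuer / JWKS URL fields would reject or
    mis-validate tokens, so fix the configuration before enabling the broker."""
    checks = {"issuer": "issuer", "jwks_uri": "jwks_url"}
    return [k for k, v in checks.items() if discovery_doc.get(k) != expected[v]]

def issuer_matches(claims: dict, expected_issuer: str) -> bool:
    """The iss claim must equal the configured Issuer exactly, not merely share a prefix."""
    return claims.get("iss") == expected_issuer

if __name__ == "__main__":
    # Constructed sample values; not a real account or pool.
    arn = "arn:aws:cognito-idp:eu-west-1:123456789012:userpool/eu-west-1_AbCdEfGhI"
    derived = cognito_endpoints(arn)
    # Constructed stand-in for the JSON the discovery endpoint would return.
    published = {"issuer": derived["issuer"], "jwks_uri": derived["jwks_url"]}
    print(derived)
    print("mismatches:", metadata_mismatches(published, derived))
```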
2 Set up the AWS Cognito server as Identity Provider in the FintechOS Identity Provider
- Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
- Open the Identity Providers section.
- From the Add provider... drop-down, select OpenID Connect v1.0.
- Fill in the following configuration settings for the AWS Cognito server.
- Alias - Identity provider alias you set for the AWS Cognito server (see 1 Create an AWS Cognito App for the FintechOS Identity Provider).
- Display Name - User-friendly name for the AWS Cognito server.
- Enabled - ON
- First Login Flow - first broker login
- Sync Mode - force
- Authorization URL - https://{Amazon Cognito domain}/oauth2/authorize
E.g.: https://myDomainPrefix.auth.eu-west-1.amazoncognito.com/oauth2/authorize
- Token URL - https://{Amazon Cognito domain}/oauth2/token
E.g.: https://myDomainPrefix.auth.eu-west-1.amazoncognito.com/oauth2/token
- User Info URL - https://{Amazon Cognito domain}/oauth2/userinfo
E.g.: https://myDomainPrefix.auth.eu-west-1.amazoncognito.com/oauth2/userinfo
- Client Authentication - Client secret sent as post
- Client ID - Use your AWS Cognito client ID.
- Client Secret - Use your AWS Cognito client secret.
- Issuer - https://cognito-idp.{region}.amazonaws.com/{poolId}
- Default Scopes - Scopes to be sent when asking for authorization. Default: aws.cognito.signin.user.admin email openid phone profile
- Prompt - unspecified
- Validate Signatures - ON
- Use JWKS URL - ON
- JWKS URL - https://cognito-idp.{region}.amazonaws.com/{poolId}/.well-known/jwks.json
- Click Save.
3 Map AWS Cognito User Groups to FintechOS Security Roles
When users log in, information about their security roles must be retrieved from the AWS Cognito server. For this purpose, you must set up an automatic mapping between AWS Cognito user groups and FintechOS Identity Provider security roles.
- Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
- Open the Identity Providers section.
- Select the AWS Cognito server you added earlier (see 2 Set up the AWS Cognito server as Identity Provider in the FintechOS Identity Provider).
- Open the Mappers tab.
- For each security role, do the following:
- Click Create.
- In the Add Identity Provider Mapper window, fill in the following fields:
- Name - Enter a descriptive name for the mapper.
- Sync Mode Override - force
- Mapper Type - Claim to Role
- Claim - cognito:groups
- Claim Value - Name of the AWS Cognito group set up on the AWS Cognito server.
- Role - Select the corresponding FintechOS security role.
- Click Save.
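As an added illustration (not FintechOS or Keycloak code), this Python models how the Claim to Role mappers above resolve roles from the cognito:groups claim of an ID token, and what Sync Mode Override force means for a returning user whose group membership changed in Cognito. The mapper names, group names, roles and token claims are constructed.

```python
from typing import Iterable

# Claim to Role mapper rows as configured in step 3; group and role names are constructed.
MAPPERS = [
    {"name": "cognito-admins", "claim": "cognito:groups",
     "claim_value": "fintechos-admins", "role": "Administrator"},
    {"name": "cognito-agents", "claim": "cognito:groups",
     "claim_value": "branch-agents", "role": "Agent"},
]

def claim_values(claims: dict, claim: str) -> set:
    """cognito:groups is a JSON array in the ID token; tolerate a bare string too."""
    value = claims.get(claim)
    if value is None:
        return set()
    return set(value) if isinstance(value, (list, tuple, set)) else {value}

def roles_from_token(claims: dict, mappers: Iterable[dict]) -> set:
    """Roles granted by every mapper whose Claim Value appears in the token."""
    return {m["role"] for m in mappers
            if m["claim_value"] in claim_values(claims, m["claim"])}

def sync_roles(current_roles: set, claims: dict, mappers: list,
               sync_mode: str, first_login: bool) -> set:
    """Apply the mappers the way the Sync Mode Override setting prescribes.
    'force' re-evaluates on every login, so a group removed in Cognito revokes
    the role here; 'import' applies only at first broker login. Roles that no
    mapper manages (assigned locally) are never touched."""
    managed = {m["role"] for m in mappers}
    if sync_mode == "force" or first_login:
        return (current_roles - managed) | roles_from_token(claims, mappers)
    return set(current_roles)

if __name__ == "__main__":
    # Constructed ID-token claims for a returning user moved from admins to agents.
    claims = {"cognito:groups": ["branch-agents"], "email": "user@example.com"}
    before = {"Administrator", "LocalOnlyRole"}
    print(sorted(sync_roles(before, claims, MAPPERS, "force", first_login=False)))
    # -> ['Agent', 'LocalOnlyRole']
```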
4 Disable User Account Editing in Innovation Studio
Users who authenticate in FintechOS Platform via an external identity provider cannot have their user account information edited in Innovation Studio, because modifications cannot be propagated back to the external identity provider.
To protect the user name, first name, last name, display name, email, and phone number fields, as well as the password reset button in the Innovation Studio interface, the FintechOS Identity Provider must provide a hardcoded ftos-third-party-brokered-auth-provider attribute mapping for such user accounts:
- Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
- Open the Identity Providers section.
- Open your external identity provider and select the Mappers tab.
- Click Create to create a new mapper.
- Fill in the following fields:
- Name - Provide a name for your mapper.
- Sync Mode Override - force
- Mapper Type - Hardcoded attribute
- User attribute - ftos-third-party-brokered-auth-provider
- User attribute value - Any non-null value will work, but it is recommended to use a value that is meaningful for your external identity provider, such as AzureAD or Okta.
- Click Save.