Using AWS Cognito as External Identity Provider
If your organization is using AWS Cognito for identity and access management, you can configure the FintechOS Identity Provider to act as an identity broker, allowing users to log in to FintechOS applications and services using their existing AWS Cognito credentials.
1 Create an AWS Cognito App for the FintechOS Identity Provider
Sign in to your AWS Cognito console with your administrator account and create an app for the FintechOS Identity Provider. The Callback URL must match the identity provider alias you will set up for AWS Cognito in the FintechOS Identity Provider and has the following structure:
https://{HPFI base URL}/auth/realms/{realm name}/broker/{alias}/endpoint
E.g.: https://myHpfi.myDomain/auth/realms/FintechOSRealm/broker/awsCognito/endpoint
Make a note of the following AWS Cognito app settings which you will have to provide in the FintechOS Identity Provider for integration:
- AWS Cognito client ID
- AWS Cognito client secret
- AWS Cognito domain
- Pool ARN - The region and pool ID will be extracted from the pool ARN to determine the discovery endpoint. This is an endpoint that returns the OpenID Connect metadata related to the AWS Cognito authorization server and has the following URL template:
https://cognito-idp.{region}.amazonaws.com/{poolId}/.well-known/openid-configuration
2 Set up the AWS Cognito server as Identity Provider in the FintechOS Identity Provider
- Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
- Open the Identity Providers section.
- From the Add provider... drop down, select OpenID Connect v1.0.
- Fill in the following configuration settings for the AWS Cognito server.
Setting Value Alias Identity provider alias you set for the AWS Cognito server (see 1 Create an AWS Cognito App for the FintechOS Identity Provider). Display Name User friendly name for the AWS Cognito server. Enabled ON First Login Flow first broker login Sync Mode force Authorization URL https://{Amazon Cognito domain}/oauth2/authorize
E.g:https://myDomainPrefix.auth.eu-west-1.amazoncognito.com/oauth2/authorize
Token URL https://{Amazon Cognito domain}/oauth2/token
E.g:https://myDomainPrefix.auth.eu-west-1.amazoncognito.com/oauth2/token
User Info URL https://{Amazon Cognito domain}/oauth2/userinfo
E.g:https://myDomainPrefix.auth.eu-west-1.amazoncognito.com/oauth2/userinfo
Client Authentication Client secret sent as post. Client ID Use your AWS Cognito client ID. Client Secret Use your AWS Cognito client secret. Issuer https://cognito-idp.{region}.amazonaws.com/{poolId}
Default Scopes Scopes to be sent when asking for authorization. Default: aws.cognito.signin.user.admin email openid phone profile. Prompt unspecified Validate Signatures ON Use JWKS URL ON JWKS URL https://cognito-idp.{region}.amazonaws.com/{poolId}/.well-known/jwks.json
- Click Save.
3 Map AWS Cognito User Groups to FintechOS Security Roles
When users log in, information about their security roles must be retrieved from the AWS Cognito server. For this purpose, you must set up an automatic mapping between AWS Cognito user groups and FintechOS Identity Provider security roles.
- Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
- Open the Identity Providers section.
- Select the AWS Cognito server you added earlier (see 2 Set up the AWS Cognito server as Identity Provider in the FintechOS Identity Provider).
- Open the Mappers tab.
- For each security role, do the following:
- Click Create.
- In the Add Identity Provider Mapper window, fill in the following fields:
Setting Value Name Enter a descriptive name for the mapper. Sync Mode Override force Mapper Type Claim to Role Claim cognito:groups Claim Value Name of the AWS Cognito group set up on the AWS Cognito server. Role Select the corresponding FintechOS security role. - Click Save.
4 Disable User Account Editing in Innovation Studio
Users who authenticate in FintechOS Platform via an external identity provider cannot have their user account information edited in FintechOS Studio as modifications cannot be propagated back to the external identity provider.
In order to protect the user name, first name, last name, display name, email, and phone number fields, as well as the password reset button in the FintechOS Studio interface, a hardcoded ftos-third-party-brokered-auth-provider attribute mapping must be provided by the FintechOS Identity Provider for such user accounts:
- Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
- Open the Identity Providers section.
- Open your external identity provider and select the Mappers tab.
- Click Create to create a new mapper.
- Fill in the following fields:
- Name - Provide a name for your mapper
- Sync Mode Override - force
- Mapper Type - Hardcoded attribute
- User attribute - ftos-third-party-brokered-auth-provider
- User attribute value - Any non-null value will work, but it is recommended to use a value that is meaningful for your external identity provider, such as AzureAD or Okta.
- Click Save.