SSO configuration using AWS Cognito

Here I will share how to set up SSO (Single Sign-On) using an AWS Cognito user pool. AWS Cognito is a fully managed service that provides a secure user directory, and it also supports federation with social identity providers such as Google and Facebook. So if you need a custom login page with SSO functionality, AWS Cognito is well suited to the purpose.

Our goal is to create a user pool in Cognito and an Angular web application, use the Cognito-hosted login page to authenticate the user, and obtain a bearer token with which the application validates the user.

Let's Begin - 

AWS Cognito - User pool & Federation setup:

Step 1: Log in to the AWS console, search for Cognito and open it.

[Screenshot: manage user pool]

Step 2: Select Manage User Pools and then Create a user pool.

[Screenshot: manage user pool]

[Screenshot: create user pool]

Step 3: Create a user pool (for example 'openamuserpool') and click Review defaults.

[Screenshot: create user pool SSO integration]

Step 4: Choose the username attribute and select either Email address or Phone number as the sign-in attribute.

[Screenshot: create user pool]

[Screenshot: create user pool]

Step 5: Set an application domain name (the domain prefix of the hosted login page).

[Screenshot: create user pool]

Step 6: Click Create pool and save your app client Id and Secret.

Step 7: Set your callback (redirect) URL and sign-out URL. Now you are ready to integrate the login page into your application.

The angular application set up:

Create an Angular application with two components, say a Home component and a Dashboard component. The Home component will call the login page, validate the user, and redirect to the dashboard page. The Dashboard page will have a logout button; clicking it redirects the application back to the home page.

To handle the URL redirection, you need to create a resolver that extracts the code from the callback URL and calls the OAuth 2 token API to obtain the access_token and refresh_token. The following code extracts the code from the redirect URL.

```typescript
// Parse the query string of the callback URL Cognito redirected the browser to
const urlParams: URLSearchParams = new URLSearchParams(window.location.search);
// 'code' is the one-time authorization code; get() returns null when it is absent
const code: string | null = urlParams.get('code');
```

Please note: the code in the redirect URL can be used only once to get the access_token and refresh_token.

To fetch the tokens from Cognito, the following API needs to be called -

API - https://<domain name>.auth.us-east-1.amazoncognito.com/oauth2/token

Token API call syntax -

[Screenshot: create user pool url extract]
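As an added example that is not part of the original post, the following TypeScript (written so it can sit in an Angular resolver or service) builds the hosted-UI login URL, extracts the one-time code from the callback URL while checking the state parameter, and assembles the request to /oauth2/token both for the code exchange and for a later refresh. The domain prefix, region, client id, redirect URI and state value are constructed placeholders. The token endpoint expects a POST with a form-encoded body; when the app client has a secret, Cognito authenticates the client with HTTP Basic auth, but a browser-hosted Angular app cannot keep a secret, so for a public SPA you would create the app client without a secret (and use PKCE) rather than ship the secret in JavaScript.

```typescript
// Added example (not the original post's code): hosted-UI login URL,
// callback-code extraction with a state check, and the /oauth2/token
// requests for code exchange and refresh. All values are placeholders.

interface CognitoConfig {
  domain: string;        // hosted-UI domain prefix chosen in Step 5
  region: string;        // e.g. 'us-east-1'
  clientId: string;      // app client id saved in Step 6
  redirectUri: string;   // callback URL registered in Step 7
  clientSecret?: string; // only for confidential (server-side) clients
}

interface TokenRequest {
  url: string;
  method: 'POST';
  headers: Record<string, string>;
  body: string;
}

function baseUrl(cfg: CognitoConfig): string {
  return `https://${cfg.domain}.auth.${cfg.region}.amazoncognito.com`;
}

// Authorization URL the Home component redirects the browser to.
// 'state' is a random value we generate and keep (e.g. in sessionStorage)
// so the resolver can reject callbacks we did not initiate.
function buildLoginUrl(cfg: CognitoConfig, state: string): string {
  const params = new URLSearchParams({
    response_type: 'code',
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: 'openid email',
    state,
  });
  return `${baseUrl(cfg)}/oauth2/authorize?${params.toString()}`;
}

// Resolver-side helper: returns the ?code= value from the callback URL, or
// null when the code is missing or the echoed state does not match ours.
function extractAuthCode(callbackUrl: string, expectedState: string): string | null {
  const params = new URL(callbackUrl).searchParams;
  const code = params.get('code');
  const state = params.get('state');
  if (!code || state !== expectedState) {
    return null;
  }
  return code;
}

// Form-encoded token requests; Basic auth only when a client secret exists.
function tokenHeaders(cfg: CognitoConfig): Record<string, string> {
  const headers: Record<string, string> = {
    'Content-Type': 'application/x-www-form-urlencoded',
  };
  if (cfg.clientSecret) {
    headers['Authorization'] = 'Basic ' + btoa(`${cfg.clientId}:${cfg.clientSecret}`);
  }
  return headers;
}

// Redeems the one-time authorization code for access/id/refresh tokens.
function buildTokenRequest(cfg: CognitoConfig, code: string): TokenRequest {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: cfg.clientId,
    code,
    redirect_uri: cfg.redirectUri,
  });
  return { url: `${baseUrl(cfg)}/oauth2/token`, method: 'POST', headers: tokenHeaders(cfg), body: body.toString() };
}

// Renews the access token later without sending the user back to the login page.
function buildRefreshRequest(cfg: CognitoConfig, refreshToken: string): TokenRequest {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: cfg.clientId,
    refresh_token: refreshToken,
  });
  return { url: `${baseUrl(cfg)}/oauth2/token`, method: 'POST', headers: tokenHeaders(cfg), body: body.toString() };
}

// Constructed placeholder configuration for a stand-alone run
const sampleConfig: CognitoConfig = {
  domain: 'example-openam',
  region: 'us-east-1',
  clientId: 'EXAMPLE_CLIENT_ID',
  redirectUri: 'https://app.example.com/callback',
};

// Constructed callback URL, as Cognito would redirect to after a successful login
const sampleCallback = 'https://app.example.com/callback?code=abc123&state=xyz';
const sampleCode = extractAuthCode(sampleCallback, 'xyz');
if (sampleCode !== null) {
  const exchange = buildTokenRequest(sampleConfig, sampleCode);
  // In Angular: this.http.post(exchange.url, exchange.body, { headers: exchange.headers })
  console.log(exchange.method, exchange.url, exchange.body);
}
```

Because the code is single-use, the resolver should clear it from the browser URL (or guard against a second exchange) after the POST succeeds; a page reload on the callback URL would otherwise resend a code Cognito has already consumed and fail.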

You can check the sample code on GitHub. 

In the next blog I will demonstrate how to integrate SSO using OpenAM ForgeRock as an IdP with a SAML assertion.

Happy Coding!

- Lazy Panda