SSO configuration using AWS Cognito and ForgeRock OpenAM with SAML Assertion

In this article, I will demonstrate how to configure SSO (single sign-on) using AWS Cognito and ForgeRock OpenAM with a SAML assertion.


AWS Cognito already provides sign-in using social identity providers like Google and Facebook, and of course its own identity store. But organizations that use ForgeRock OpenAM for enterprise identity and access management want every on-premise or cloud application to leverage the OpenAM identity & access control to securely access the various cloud services.

Architecture Diagram:

(Architecture diagram of the Cognito - OpenAM connectivity)
  1. The user opens the browser or mobile app and initiates the login process; the app starts an OIDC authorization grant flow with the openid + profile scopes against Cognito.
  2. Cognito posts a predefined SAML AuthnRequest to ForgeRock OpenAM.
  3. OpenAM redirects the user to its login page.
  4. The user provides the credentials.
  5. If the credentials are valid (checked on the OpenAM side), OpenAM passes the SAML assertion to the Cognito user pool.
  6. Cognito creates/updates the user profile in the Cognito user pool.
  7. Cognito provides the authorization code or token to the web / mobile application.

Please note: the token returned with the redirect URL can be exchanged only once for an access_token and refresh_token from Cognito. From the second call onwards, the same token is answered with a bad request.
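To make the flow and the one-time-use rule concrete, here is an added Python example (not code from the original post): it builds the Cognito authorize request for step 1, builds the /oauth2/token exchange that follows step 7, and drives both against a small offline stand-in for the token endpoint that consumes the code on first use. The Cognito domain, client id and redirect URI are constructed placeholders; identity_provider is Cognito's parameter for selecting a federated provider by name, and the provider name openam is the one registered later in this post.

```python
"""Cognito side of the flow above: authorize request, then the one-time code
exchange. Added example, not code from the original post; domain, client id and
redirect URI are constructed placeholders."""
import base64
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values (assumptions, not from the original post).
COGNITO_DOMAIN = "https://example-domain.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "1h57kf5cpq17m0eml12EXAMPLE"
REDIRECT_URI = "https://app.example.com/callback"


def build_authorize_url(state: str, idp: str = "openam") -> str:
    """Step 1: the app sends the browser to Cognito's /oauth2/authorize asking for
    an authorization code with the openid + profile scopes. identity_provider names
    the SAML provider registered in the user pool, so Cognito forwards straight to
    OpenAM (step 2) instead of showing its own login page."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,  # anti-CSRF value; the app must compare it on return
        "identity_provider": idp,
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def build_token_request(code: str, client_secret: Optional[str] = None) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """After step 7: exchange the code returned on the redirect URL at /oauth2/token."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        # App clients with a secret authenticate with HTTP Basic client_id:client_secret.
        cred = base64.b64encode(f"{CLIENT_ID}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the redirect_uri of the authorize request
    }
    return f"{COGNITO_DOMAIN}/oauth2/token", headers, body


class MockTokenEndpoint:
    """Offline stand-in for the token endpoint that models the single-use rule the
    post warns about: a code is consumed by its first exchange and any replay gets
    HTTP 400. This is a simulation written for the example, not Cognito's code."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}  # code -> (client_id, redirect_uri)

    def issue_code(self, client_id: str, redirect_uri: str) -> str:
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri)
        return code

    def exchange(self, body: Dict[str, str]) -> Tuple[int, Dict[str, object]]:
        if body.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        # pop() consumes the code, so a second call with the same code finds nothing
        bound = self._codes.pop(body.get("code", ""), None)
        if bound is None or bound != (body.get("client_id"), body.get("redirect_uri")):
            return 400, {"error": "invalid_grant"}
        return 200, {
            "access_token": "access." + secrets.token_urlsafe(8),
            "id_token": "id." + secrets.token_urlsafe(8),
            "refresh_token": "refresh." + secrets.token_urlsafe(8),
            "token_type": "Bearer",
            "expires_in": 3600,
        }


def run_flow(endpoint: MockTokenEndpoint) -> Tuple[int, int]:
    """Run the exchange twice with the same code and return both HTTP statuses."""
    state = secrets.token_urlsafe(16)
    url = build_authorize_url(state)
    assert parse_qs(urlparse(url).query)["scope"] == ["openid profile"]
    # Steps 3-6 happen at OpenAM; Cognito then redirects back with ?code=...&state=...
    code = endpoint.issue_code(CLIENT_ID, REDIRECT_URI)
    _url, _headers, body = build_token_request(code)
    first, _tokens = endpoint.exchange(body)
    second, _error = endpoint.exchange(body)  # replay of the same code
    return first, second


if __name__ == "__main__":
    print(run_flow(MockTokenEndpoint()))  # (200, 400)
```

The stand-in also rejects a code presented with a different redirect_uri than the one it was issued for, which is the check that stops a stolen code from being redeemed elsewhere; the real endpoint's exact error body may differ from the invalid_grant assumed here.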


Prerequisite components you need before you start:

  • AWS Account - the free tier will work.
  • AWS Cognito with a user pool set up.
  • Apache Tomcat (the version I have used is 7.0.94)
  • OpenAM 13.0.0.0 downloaded from the ForgeRock site.
  • SAML federation between AWS Cognito and OpenAM
  • An Angular application where the ForgeRock login page will be shown.



STEP 1: AWS Cognito setup with a user pool.

- Please check my previous blog, SSO Configuration using AWS Cognito, for the initial Cognito setup. There are a few more steps we need to perform, which we will do after setting up OpenAM.


STEP 2: ForgeRock OpenAM and SAML IdP setup on the local system

- I hope you have already downloaded Tomcat & OpenAM from the sites mentioned above and kept them in some directory.

  • Open a terminal and map 127.0.0.1 to a user-defined host name, like below:

sudo nano /etc/hosts

*** add this line to the hosts file and save it ***

127.0.0.1       localhost openam.example.com


  • Extract the OpenAM-13.0.0.zip file, rename OpenAM-13.0.0.war to openam.war and place it in the tomcat/webapps directory. You can also check the guide to configure OpenAM.
    • Make sure your Tomcat is running and check in the browser by opening http://openam.example.com:8080

  • Open http://openam.example.com:8080/openam as well to check whether you get the ForgeRock home page.

  • Select Create Default Configuration and provide different passwords, as in the screenshot below.

  • Once the configuration is done, log in to the ForgeRock home page with the user name 'amadmin' and the password given during setup.
  • Create a new realm called AWS > choose the 1st option, Create SAMLv2 Providers > choose the 1st option, Create Hosted Identity Provider. After that you will get a screen like the one below:


  • You need to set the following parameters in the form, like below:
    • Signing key: test
    • New Circle of Trust: AWS
    • Attribute mapping as follows:
      • mail = mail
      • cn = cn
      • sn = sn
      • givenname = givenname
  • After saving the configuration, run the following command from your terminal:

curl --output idpmetadata.xml "http://openam.example.com:8080/openam/saml2/jsp/exportmetadata.jsp?entityid=http://openam.example.com:8080/openam&realm=/AWS"

It will save idpmetadata.xml to your local directory.

  • Create a few new users in the following path: Login > AWS > Subjects > New. Create a new user there and add an email address too by editing the same user.



Going back to the AWS Cognito side for the remaining configuration (STEP 1, continued):

Log in to the AWS console and navigate to Cognito > Federation > Identity Providers > SAML. First upload the idpmetadata.xml file (which was downloaded earlier); the provider name would be openam and the identifier openam.example.com. Then create the provider.

  • Then set the attribute mapping like below:

  • Now go to App Integration > App Client Settings.

  • Save the changes.
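What the two attribute mappings (OpenAM's mail/cn/sn/givenname above, and the Cognito-side mapping set here) actually operate on is the AttributeStatement of the assertion OpenAM posts to Cognito in step 5. The following added Python example (not code from the post, nor Cognito's or OpenAM's) parses a constructed, unsigned SAML response carrying exactly those four attributes, applies an assumed Cognito mapping to user pool attribute names (the post shows its mapping only as a screenshot, so email/name/family_name/given_name are assumptions), and lists the checks a relying party applies before trusting the assertion: issuer, audience, NameID, a signature, and the presence of mail.

```python
"""Parse a SAML assertion and apply the attribute mappings from the post.

Added example, not the post's code. The response below is constructed and
unsigned, so it is only for offline parsing practice; the Cognito mapping
(SAML attribute -> user pool attribute) is an assumption."""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed Cognito-side mapping; the post's screenshot is the authority for real values.
COGNITO_ATTRIBUTE_MAPPING = {"mail": "email", "givenname": "given_name", "sn": "family_name", "cn": "name"}

# Constructed sample (not a capture from OpenAM or Cognito); the Audience uses a placeholder pool id.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
  Destination="https://example-domain.auth.us-east-1.amazoncognito.com/saml2/idpresponse">
  <saml:Issuer>http://openam.example.com:8080/openam</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>http://openam.example.com:8080/openam</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:amazon:cognito:sp:us-east-1_EXAMPLE</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="cn"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text: str) -> dict:
    """Pull issuer, subject, audience, attributes and signature presence out of a response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs: Dict[str, List[str]] = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name", "")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "attributes": attrs,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "response_signed": root.find("ds:Signature", NS) is not None,
    }


def map_to_user_pool(parsed: dict, mapping: Dict[str, str] = COGNITO_ATTRIBUTE_MAPPING) -> Dict[str, str]:
    """Rename mapped SAML attributes to user pool names; unmapped ones (memberOf) are dropped."""
    profile = {}
    for saml_name, pool_name in mapping.items():
        values = parsed["attributes"].get(saml_name)
        if values:
            profile[pool_name] = values[0]
    return profile


def check_assertion(parsed: dict, expected_audience: str, expected_issuer: str) -> List[str]:
    """Return the reasons a relying party would refuse this assertion (empty list = acceptable)."""
    problems = []
    if parsed["issuer"] != expected_issuer:
        problems.append("issuer mismatch")
    if parsed["audience"] != expected_audience:
        problems.append("audience mismatch")
    if not parsed["name_id"]:
        problems.append("missing NameID")
    if not (parsed["assertion_signed"] or parsed["response_signed"]):
        problems.append("unsigned assertion and response")
    if "mail" not in parsed["attributes"]:
        problems.append("no mail attribute: the user pool profile would have no email")
    return problems
```

Running check_assertion on the constructed sample reports only the missing signature, which is expected for a hand-written response; a real OpenAM response carries a ds:Signature that must additionally be verified against the certificate from idpmetadata.xml, which this parser does not do.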



STEP 3: Set up Cognito as a Service Provider in OpenAM

- Prepare the SP metadata XML file for Cognito. Log in to OpenAM again and navigate to Realms > AWS > Create SAMLv2 Providers > Register Remote Service Provider.

Choose File, and create a spaws.xml file with the following template:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="urn:amazon:cognito:sp:<pool_id>" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="false" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<domain-name>.auth.us-east-1.amazoncognito.com/saml2/idpresponse"/>
  </SPSSODescriptor>
</EntityDescriptor>


Upload it, set a new Circle of Trust as AWS, and click Configure.
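Filling the <pool_id> and <domain-name> placeholders by hand is where typos creep in, and OpenAM will happily register whatever the file says. The added Python example below (not code from the post) generates spaws.xml from a pool id, domain prefix and region, then re-parses it and reports anything that does not match the Cognito conventions shown in the template: the urn:amazon:cognito:sp: entityID, an HTTPS HTTP-POST AssertionConsumerService at /saml2/idpresponse on the Cognito domain, and the WantAssertionsSigned flag, which the template leaves at "false" (metadata is how the SP tells the IdP it requires signed assertions, so the generator lets you emit "true" instead). The pool id, domain and region used are constructed placeholders.

```python
"""Generate and sanity-check the spaws.xml SP metadata from the template above.

Added example, not the post's code. Pool id, domain prefix and region are
constructed placeholders; the structure follows the post's template."""
import xml.etree.ElementTree as ET
from typing import List

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_FORMATS = [
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
]


def build_sp_metadata(pool_id: str, domain_prefix: str, region: str, want_assertions_signed: bool = False) -> str:
    """Render the template with the placeholders filled; the default keeps the post's
    WantAssertionsSigned="false", pass True to require signed assertions."""
    ET.register_namespace("", MD)  # emit the default xmlns exactly like the template
    entity = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=f"urn:amazon:cognito:sp:{pool_id}")
    sp = ET.SubElement(entity, f"{{{MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true" if want_assertions_signed else "false",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    for fmt in NAMEID_FORMATS:
        ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = fmt
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "index": "0", "isDefault": "false", "Binding": HTTP_POST,
        "Location": f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse",
    })
    return '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n' + ET.tostring(entity, encoding="unicode")


def check_sp_metadata(xml_text: str, pool_id: str, region: str) -> List[str]:
    """Return every mismatch against the Cognito conventions (empty list = looks right)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("entityID") != f"urn:amazon:cognito:sp:{pool_id}":
        problems.append("entityID does not match the user pool id")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return problems + ["no SPSSODescriptor"]
    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    if not acs:
        problems.append("no AssertionConsumerService")
    for svc in acs:
        loc = svc.get("Location", "")
        if svc.get("Binding") != HTTP_POST:
            problems.append("ACS binding is not HTTP-POST")
        if not loc.startswith("https://") or not loc.endswith(f".auth.{region}.amazoncognito.com/saml2/idpresponse"):
            problems.append(f"unexpected ACS location: {loc}")
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        problems.append("WantAssertionsSigned is false: metadata does not ask the IdP to sign assertions")
    return problems


if __name__ == "__main__":
    xml = build_sp_metadata("us-east-1_EXAMPLE", "example-domain", "us-east-1")
    print(xml)
    print(check_sp_metadata(xml, "us-east-1_EXAMPLE", "us-east-1"))
```

Point check_sp_metadata at the spaws.xml you actually uploaded (read the file and pass its text) before clicking Configure; the same checker also catches a file edited for the wrong region, since the ACS location is tied to the region the user pool lives in.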

Now you are almost done with the setup; let's integrate the endpoints on the Angular application side. The experience will be like below - please check out the video.

This blog is pretty big and many steps are involved in the setup. I spent 2 - 3 days completing this blog outside of my work. If you have any query or suggestion, please drop a message below.

Good Luck! 

- Lazy Panda Tech