Amplify-js: Enabling federation to AWS via Cognito User Pool using AD, ADFS, and SAML2

Created on 3 Oct 2018 · 14 comments · Source: aws-amplify/amplify-js

* Which Category is your question related to? *
Authentication

* What AWS Services are you utilizing? *
AWS Cognito

* Provide additional details e.g. code snippets *
We would like to implement the authentication flow to a Cognito User Pool that connects to our Windows Active Directory. This instruction https://aws.amazon.com/blogs/mobile/building-adfs-federation-for-your-web-app-using-amazon-cognito-user-pools/ describes how to configure and implement the app. Based on the current Authentication documentation, I couldn't see any detail for federated authentication to ADFS using SAML2; only social auth is supported/documented.

I would like to know whether we have anyone who has used this module and been able to implement that flow with Angular/React. If so, can I get some guidance?

By the way, to authenticate via Cognito connected to AD, there is a built-in Cognito Web UI login page to handle authentication and parse the SAML2 response. Is it possible to implement our own login form (username/password), then submit to Cognito (e.g. call signIn()) to authenticate without redirection to the ADFS sign-in page?

Cognito documentation feature-request

All 14 comments

@stormit-vn

Here is more detailed information for federation authentication to ADFS
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html

@elorzafe Thank you for your information. Actually, I am able to implement the authentication flow to ADFS federation, but it uses the built-in web UI of AWS. What I am looking for is how we can implement our own login form without redirecting the user to the AWS Cognito login page.

This is also referred to in #525 and #439.

@stormit-vn From what I remember, the Cognito hosted login page adds a nonce in the RelayState that it expects back from ADFS to prevent replay. Like in my code in the other issue you referenced, you can add &idp_identifier= query parameter to select the ADFS server. It will quickly redirect through the Cognito hosted login page but not require the user to click anything.

@danieladams456 Yeah, I have used that param and it works in the same way as you mentioned above. But I am still not sure whether we have a way to develop our own login form for the ADFS login page, then redirect with the tokens after handling the SAML response from ADFS. This isn't a kind of SSO, but in case we want to hide the federation between Cognito and ADFS, that is reasonable.

SAML support would be pretty nice to have.

Yeah, I agree, we should support SAML providers, for example by providing an interface to open a self-hosted UI. As of now, I have to write a function like the one below.

// 'oauth' (the hosted UI settings) and 'amplifyConfig' (the Amplify config
// object) are the app's own configuration objects, imported from its config module.
export function hostedUILogin() {
    const {
        domain,
        redirectSignIn,
        scope,
        idpIdentifier,
        responseType } = oauth;

    const clientId = amplifyConfig.Auth.userPoolWebClientId;

    // The URL of the Cognito Hosted UI authorize endpoint. Scopes are
    // space-separated, which is why they are joined with '+'.
    let url = `https://${domain}/oauth2/authorize?response_type=${responseType}&client_id=${clientId}&redirect_uri=${redirectSignIn}&scope=${scope.join('+')}`; // tslint:disable-line

    // Optional: select the SAML IdP directly so the user skips the IdP chooser
    if (idpIdentifier) {
        url += `&idp_identifier=${idpIdentifier}`;
    }

    // Launch hosted UI
    window.location.assign(url);
}

@stormit-vn are you using Amplify auth to handle the response from the Cognito Hosted UI? I am doing something similar right now, but have had trouble getting Amplify to see that the user is logged in after being redirected back.

@schellack I had the same issue; it only works after a manual refresh. Did you figure this one out?

@schellack Yeah. I can get the current logged-in user and the tokens. However, I noted that I have to implement a callback URL that redirects back to our root route (it is like a forced refresh, per @giovannidegani's comment above).

import { OnInit } from '@angular/core';

// Angular page bound to the OAuth redirect route: once Cognito redirects back
// here with the tokens, navigate to the root so the app reloads and Amplify
// picks up the signed-in user.
export class OAuthCallbackPage implements OnInit {
    ngOnInit() {
        window.location.href = '/';
    }
}

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Anything new about SAML / ADFS integration?
Can someone share a working example please?

I'm going to mark this as an enhancement/feature-request so we can add more documentation and examples regarding this.

Did you find it? Can you share it if you managed to?

Auth.federatedSignIn is a solution for logging in with SAML via the hosted UI.
