Amazon Cognito provides lightweight data storage and authentication services, allowing application developers to maintain user state, such as preferences or game state, in the cloud in a centralized and easy-to-manage way. With Amazon Cognito, developers can synchronize data across devices, allowing for application experiences that follow the user as they move from phone to tablet to PC. Late in 2014, Amazon added OpenID Connect support to Amazon Cognito, allowing a large number of identity providers to integrate with the service.
We are pleased to announce that the recent release of SecureAuth IdP 8.1 includes an OpenID Connect provider that enables integration with Amazon Cognito. In addition to Amazon Cognito, with SecureAuth IdP’s OpenID Connect support, you can obtain temporary AWS security credentials, allowing your application access to the wide array of Amazon web services.
How SecureAuth IdP Integrates with Amazon Cognito and Beyond
Obtaining Amazon AWS Credentials Through Amazon Cognito
1. The user accesses the web or mobile application and logs in.
2. The application redirects the user to SecureAuth IdP for authentication.
3. The application exchanges the SecureAuth IdP issued token for an Amazon Cognito token.
4. The application exchanges the Amazon Cognito token for temporary AWS security credentials.
5. The application uses the credentials to access other AWS services, such as DynamoDB.
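As an added example (not SecureAuth's or Amazon's own code), the following Python sketch performs steps 3 and 4 above against the Amazon Cognito identity API: GetId, then GetCredentialsForIdentity, with the SecureAuth-issued ID token passed in the Logins map under the provider name, after a local check that the token is unexpired and from the expected issuer. The pool id, provider name, the unsigned sample token and the FakeCognito stand-in are assumptions constructed for offline use; in a real application you would pass a boto3 'cognito-identity' client instead.

```python
import base64
import json
import time

# Assumed placeholders (not from the page): the identity pool id and the
# OpenID Connect provider name registered in IAM for the SecureAuth IdP realm.
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
OIDC_PROVIDER_NAME = "secureauth.example.com/secureauth1"
OIDC_ISSUER = "https://" + OIDC_PROVIDER_NAME

def unverified_claims(id_token):
    """Decode the JWT payload only; Cognito verifies the signature itself."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def token_usable(id_token, now=None):
    """Local pre-check: drop expired tokens and tokens from another issuer
    before anything is sent to Cognito."""
    claims = unverified_claims(id_token)
    now = time.time() if now is None else now
    return claims.get("iss") == OIDC_ISSUER and claims.get("exp", 0) > now

def exchange_for_aws_credentials(cognito, id_token, now=None):
    """Steps 3-4: GetId maps the federated user to a Cognito identity, then
    GetCredentialsForIdentity returns short-lived STS credentials for it."""
    if not token_usable(id_token, now):
        raise ValueError("ID token expired or not issued by SecureAuth IdP")
    logins = {OIDC_PROVIDER_NAME: id_token}
    identity = cognito.get_id(IdentityPoolId=IDENTITY_POOL_ID, Logins=logins)
    creds = cognito.get_credentials_for_identity(
        IdentityId=identity["IdentityId"], Logins=logins)
    return creds["Credentials"]

def make_token(claims):
    """Constructed, unsigned JWT for offline use (a real IdP signs its tokens)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

class FakeCognito:
    """Constructed stand-in for boto3.client('cognito-identity'); no network."""
    def get_id(self, IdentityPoolId, Logins):
        assert OIDC_PROVIDER_NAME in Logins  # Cognito requires the provider key
        return {"IdentityId": IdentityPoolId.split(":")[0] + ":fake-identity"}

    def get_credentials_for_identity(self, IdentityId, Logins):
        return {"IdentityId": IdentityId, "Credentials": {
            "AccessKeyId": "ASIAEXAMPLE", "SecretKey": "secret",
            "SessionToken": "session", "Expiration": time.time() + 3600}}
```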
Centralized, Interoperable and Standards Friendly: Acting as an identity provider, SecureAuth IdP expands the ability of customers and partners to present their identity to Amazon beyond OpenID Connect, supporting a variety of standards, including SAML, OAuth, and many more. If you have a user data store based on Active Directory, SecureAuth IdP can bridge and federate those identities to Amazon. SecureAuth supports all major enterprise directories, in addition to raw SQL if you have developed your own user store.
Configurable Authentication Workflows: Recognizing that not all users and not all web services are created equal, SecureAuth IdP has a realm-based design that allows you to create custom authentication workflows based on your specific business needs. For example, you can design one realm that uses device fingerprinting and adaptive authentication for a very frictionless experience. For your more critical services, you can employ over 20 two-factor authentication methods. This configurability means you don't have to force rigid and cumbersome authentication workflows on your employees or customers.
Strong and Adaptive Authentication: SecureAuth IdP can bring adaptive authentication technology to your services, allowing for real-time protection from and detection of advanced threats. SecureAuth IdP’s adaptive authentication engine calculates risk in real time, based on a number of inputs. Depending on the risk score and your tolerance, you can decide whether to “step-up” or deny the authentication. The inputs to the risk engine include:
- IP Reputation
- Data Device Fingerprinting
- Geo-location and Geo-velocity
- Group Membership
Authentication API: SecureAuth IdP 8.1 includes a RESTful authentication API, allowing developers to embed the functionality of IdP into their own application experiences. The authentication API supports core two-factor authentication methods and allows developers to evaluate IP address risk via threat intelligence provided by the Norse DarkViking platform.
SecureAuth IdP can centralize your authentication processes by working with many existing identity providers and data stores, including Active Directory. IdP can also bring proven strong and adaptive authentication technology to your web services. When integrating with Amazon Cognito, you can focus on building the user experience of your application and let SecureAuth IdP handle the authentication. It can be deployed on-premises or in the AWS cloud to suit your needs.