This guide provides information on how to:
- Set up Beyond Identity as a Passwordless login provider for applications that use AWS Cognito to manage their identities.
- Administrator user privileges to AWS console.
- USER Pool setup:
- Login to the AWS cognito console as an administrator.
- Click on “Manage User Pools”
- Click on “Create a user pool”
- Under the Name provide a pool name and click on “Step through settings”
- Under Attributes select how you want end users to sign in. ex:
- Under which standard attributes are required select email, family name, given name and name.
- Leave out Do you want to add custom attributes.
- Leave the default values for policies.
- Select appropriate values for MFA. Ex:
- Leave the default settings for Message customizations, tags and devices.
- Under the App clients
- Click on Create App client.
- Leave the default values in Triggers
- Hit Create Pool.
- Configure bi as the idp:
- Navigate to Federation🡪Identity Providers.
- Click on OpenID connect and configure a new Provider as below.
- Client ID and Secret will be generated from BI Admin console (Refer to the section)
- Navigate to Federation🡪Attribute Mapping
- Configure the OIDC Mappings for newly created BI IDP as below
- APP CLient settings on cognito
- Navigate to App Integration 🡪App client settings.
- Under Enabled Identity Providers select Beyond-Identity.
- Under Callback URL(s) enter your application’s redirect URL
4. Select the below values for OAuth 2.0 flows and scopes.
- Navigate to App Integration 🡪 Domain Name and provide an amazon Cognito domain name.
- Leave the UI customization and Resource server settings at default.
- settings on the app:
- Configure App client Id and Client secret from Cognito (User Pool 🡪General Settings 🡪 App Clients) on your App.
Configure Cognito Issuer URL for your app (User Pool 🡪 App Integration 🡪Domain Name)
- E.g. https://cognito-idp.auth.<aws-region>.amazoncongnito.com/<User-Pool-ID>
- E.g. https://<beyond-b2c>.auth.us-east-2.amazoncognito.com
- Beyond Identity Admin console settings:
- Navigate to Integrations🡪OIDC.
- Configure the Name and Redirect URI accordingly.
e.g. Redirect-URI: https://beyond-b2c.auth.us-east-2.amazoncognito.com/oauth2/idpresponse
For the Application the provisioning will be done using Beyond Identity API’s available at https://developer.beyondidentity.com/
- Beyond IDentity AdMIN CONSOLE COnfig:
Depending upon customer’s SSO please use appropriate SSO Integration guide.
- BEYOND IDENTITY MFA wITH AWS CONGNITO:
Beyond Identity supports MFA during initial login. AWS COGNITO does not provide ability to configure OIDC or SAML based MFA. AWS Cognito only supports SMS text message, or TOTP as MFA option currently. It is possible for a CIAM App to integrate directly with BI MFA using OIDC or SAML based integration.
- Sample flow wITH AWS CONGNITO: