Integration model
Authentication (OAuth2)
The functionality is directly embedded in the Zeus authentication management microservice; it is enabled and configured via the configuration file of said microservice.
Authentication configuration
The various authentication providers used are configured in the security.authentication property.
In the case of AWS, the following properties must be configured:
security:
  authentication:
    oidc:
      providers:
        aws:
          # Provider name as it will appear on the login page
          name: Anjana AWS
          # Provider URL for authorizing Anjana Portal users (use variables in the URL)
          authorize-url: https://${security.authentication.oidc.providers.aws.domain}.auth.${security.authentication.oidc.providers.aws.region}.amazoncognito.com/login?response_type=code&client_id=${security.authentication.oidc.providers.aws.client-id}&redirect_uri=${security.authentication.oidc.providers.aws.redirect-uri}&state=STATE&scope=${security.authentication.oidc.providers.aws.scopes}
          # Provider URL for authorizing Portuno users (use variables in the URL)
          authorize-url-portuno: https://${security.authentication.oidc.providers.aws.domain}.auth.${security.authentication.oidc.providers.aws.region}.amazoncognito.com/login?response_type=code&client_id=${security.authentication.oidc.providers.aws.client-id}&redirect_uri=${security.authentication.oidc.providers.aws.redirect-uri-portuno}&state=STATE&scope=${security.authentication.oidc.providers.aws.scopes}
          # Provider URL that handles token issuance
          token-url: https://${security.authentication.oidc.providers.aws.domain}.auth.${security.authentication.oidc.providers.aws.region}.amazoncognito.com/oauth2/token
          # Scope of the authentication at the provider
          scopes: openid+profile
          # Identifier of the authentication client at the provider
          client-id: <client-id>
          # Secret of the authentication client at the provider
          client-secret: <client-secret>
          # Authentication method of the provider
          client-authentication-method: GET
          # URI the browser must be redirected to after a successful login with the provider in the Anjana Portal
          redirect-uri: https://<host>/authorized
          # URI the browser must be redirected to after a successful login with the provider in the administration portal (Portuno)
          redirect-uri-portuno: https://<host>/configpanel/authorized
          # Claim that carries the username at the provider
          username-claim: cognito:username
          # Authentication type as defined by OAuth2
          workflowType: AUTHORIZATION_CODE
          # Authorization server URL called to obtain the user's information
          authorizeServer: https://${security.authentication.oidc.providers.aws.domain}.auth.${security.authentication.oidc.providers.aws.region}.amazoncognito.com/oauth2/userInfo
          # Property from which the username is taken in the authorization server response
          userNameProperty: username
          # Provider type
          type: AWS
          # AWS IAM region, used to generate the authorization URLs
          region: eu-web-1
          # AWS IAM domain, used to generate the authorization URLs
          domain: anjana-app-desarrollo
          # User pool identifier
          poolID: <poolID>
          # Access key of the administrator user used to retrieve users
          accessKey: <accessKey>
          # Secret of the administrator user's access key used to retrieve users
          secretKey: <secretKey>
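The authorize-url above is assembled from ${...} references to other properties of the same block, so a wrong redirect-uri or client-id only becomes visible after expansion. The following added example (not part of the Zeus or Anjana Data code base) resolves those references over a constructed copy of the provider block, checks the resulting authorize URL against the callback URLs registered in the Cognito app client, and replaces the STATE token with a fresh per-login value; that substitution is assumed to be what Zeus does at login time, and the hostnames, client id and region are constructed values.

```python
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the AWS provider block, flattened to dotted keys, with
# fake client id, hostnames and region (not the page's values).
P = "security.authentication.oidc.providers.aws."
PROPS = {
    P + "domain": "anjana-app-desarrollo",
    P + "region": "eu-west-1",
    P + "client-id": "EXAMPLE-CLIENT-ID",
    P + "scopes": "openid+profile",
    P + "redirect-uri": "https://anjana.example.test/authorized",
    P + "redirect-uri-portuno": "https://anjana.example.test/configpanel/authorized",
    P + "authorize-url": "https://${" + P + "domain}.auth.${" + P + "region}"
        ".amazoncognito.com/login?response_type=code&client_id=${" + P + "client-id}"
        "&redirect_uri=${" + P + "redirect-uri}&state=STATE&scope=${" + P + "scopes}",
}
# Callback URLs registered in the Cognito app client for the same (constructed) host.
CALLBACKS = {"https://anjana.example.test/authorized", "https://anjana.example.test/login",
             "https://anjana.example.test/configpanel/authorized",
             "https://anjana.example.test/configpanel/login"}
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

def resolve(key, props, depth=0):
    """Expand Spring-style ${a.b.c} references recursively, guarding against cycles."""
    if depth > 8:
        raise ValueError(f"placeholder cycle while resolving {key}")
    return PLACEHOLDER.sub(lambda m: resolve(m.group(1), props, depth + 1), props[key])

def check_authorize_url(url, client_id, callbacks):
    """Return a list of findings for a resolved authorize URL; empty means consistent."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    findings = []
    if parts.scheme != "https":
        findings.append("authorize URL must use https")
    if q.get("response_type") != ["code"]:
        findings.append("response_type must be 'code' for the AUTHORIZATION_CODE flow")
    if q.get("client_id") != [client_id]:
        findings.append("client_id does not match the configured client-id")
    if q.get("redirect_uri", [None])[0] not in callbacks:
        findings.append("redirect_uri is not one of the Cognito callback URLs")
    if q.get("state") != ["STATE"]:
        findings.append("STATE token missing; the login cannot be bound to a browser session")
    return findings

def login_url(url):
    """Swap the STATE token for a fresh unguessable value (assumed Zeus behaviour)."""
    state = secrets.token_urlsafe(24)  # keep it server-side and compare on the callback
    return url.replace("state=STATE", "state=" + state), state
```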
Active governance
The plugin to deploy which will perform the active governance tasks that need to provision elements in AWS is “Tot plugin AWS IAM”.
Required credentials
A single credential grouping the permissions of both can be used, but it is recommended to keep them separate to make monitoring and auditing of the activity carried out with each of them easier.
Authentication
A user group (User Pool) for OAuth2 applications must be registered in the Amazon Cognito service and given a name.
After creating the user group, further configuration is needed in the “Application clients” section; from the client that has been created, the following values must be retrieved:
- Client ID
- Client secret
Additionally, a Login page must be configured with the following settings:
- the URLs according to the domain name that routes to the Anjana Data frontend; the following must be registered:
  - Callback URLs:
    - https://<host>/authorized
    - https://<host>/login
    - https://<host>/configpanel/authorized
    - https://<host>/configpanel/login
  - Sign-out URLs:
    - https://<host>/logout
    - https://<host>/configpanel/logout
- OAuth2 grant type:
  - the flow type desired
Finally, in the Branding / Domain section, the Cognito domain must be edited (it is generated as a concatenation of the region and a hash) and replaced with an identifying name in lowercase and without special characters such as spaces, since it forms part of a URL.
Active governance
The plugin to deploy which will perform the active governance tasks that need to provision elements in AWS is “Tot plugin AWS IAM”; its documentation describes the required credential.
SSO emulation via OAuth2
The OAuth2 protocol allows transparent authentication where possible; for this it is only necessary to redirect the user to https://<host>/provider=<provider identifier in zeus>. If the user is already logged in to that provider, and the policies configured in that provider do not require the credential to be re-validated, the user is authenticated in Anjana Data in a completely transparent manner.