Integrations

SSO AWS

Integration Model

Authentication (OAuth2)

The functionality is directly embedded in the Zeus authentication management microservice, and is enabled and configured through that microservice's configuration file.

Authentication Configuration

The security.authentication property is used to configure the different authentication providers used.

For AWS, the following properties must be configured:

YAML
security:
  authentication:
    oidc:
      providers:
        aws:
          # Provider name as it will appear on the login page
          name: Anjana AWS
          # Provider URL to authorize Anjana Portal users (use variables in the URL)
          authorize-url: https://${security.authentication.oidc.providers.aws.domain}.auth.${security.authentication.oidc.providers.aws.region}.amazoncognito.com/login?response_type=code&client_id=${security.authentication.oidc.providers.aws.client-id}&redirect_uri=${security.authentication.oidc.providers.aws.redirect-uri}&state=STATE&scope=${security.authentication.oidc.providers.aws.scopes}
          # Provider URL to authorize Portuno users (use variables in the URL)
          authorize-url-portuno: https://${security.authentication.oidc.providers.aws.domain}.auth.${security.authentication.oidc.providers.aws.region}.amazoncognito.com/login?response_type=code&client_id=${security.authentication.oidc.providers.aws.client-id}&redirect_uri=${security.authentication.oidc.providers.aws.redirect-uri-portuno}&state=STATE&scope=${security.authentication.oidc.providers.aws.scopes}
          # Provider URL to manage token creation
          token-url: https://${security.authentication.oidc.providers.aws.domain}.auth.${security.authentication.oidc.providers.aws.region}.amazoncognito.com/oauth2/token
          # Provider authentication scope
          scopes: openid+profile
          # Authentication client identifier at the provider
          client-id: <client-id>
          # Authentication client secret at the provider
          client-secret: <client-secret>
          # Provider authentication method
          client-authentication-method: GET
          # URI to which the browser should redirect after a successful login with the provider in Anjana Portal
          redirect-uri: https://<host>/authorized
          # URI to which the browser should redirect after a successful login with the provider in the admin portal (Portuno)
          redirect-uri-portuno: https://<host>/configpanel/authorized
          # Field where the username is found at the provider
          username-claim: cognito:username
          # Authentication type according to the OAuth2 definition
          workflowType: AUTHORIZATION_CODE
          # Authorization server URL to call to retrieve user information
          authorizeServer: https://${security.authentication.oidc.providers.aws.domain}.auth.${security.authentication.oidc.providers.aws.region}.amazoncognito.com/oauth2/userInfo
          # Property that holds the username from the authorization server
          userNameProperty: username
          # Provider type
          type: AWS
          # AWS IAM region, used to generate authorization URLs
          region: eu-web-1
          # AWS IAM domain, used to generate authorization URLs
          domain: anjana-app-desarrollo
          # User pool identifier
          poolID: <poolID>
          # Access key of the administrator user used to retrieve users
          accessKey: <accessKey>
          # Secret key of the administrator user used to retrieve users
          secretKey: <secretKey>

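As an added illustration (not part of the original documentation or of the Zeus code), the following Python resolves the `${...}` property references in a provider block the way a property loader would and then checks the resulting authorize URL against the callback URLs registered in Cognito; the sample values, the loader semantics and the function names `resolve` and `check_provider` are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample mirroring the aws provider block above (placeholder/illustrative values).
PREFIX = "security.authentication.oidc.providers.aws."
PROVIDER = {
    "domain": "anjana-app-desarrollo",
    "region": "eu-west-1",
    "client-id": "example-client-id",
    "client-secret": "<client-secret>",
    "scopes": "openid+profile",
    "redirect-uri": "https://portal.example.test/authorized",
    "authorize-url": ("https://${" + PREFIX + "domain}.auth.${" + PREFIX + "region}"
                      ".amazoncognito.com/login?response_type=code"
                      "&client_id=${" + PREFIX + "client-id}"
                      "&redirect_uri=${" + PREFIX + "redirect-uri}"
                      "&state=STATE&scope=${" + PREFIX + "scopes}"),
}
_REF = re.compile(r"\$\{([^}]+)\}")

def resolve(props: dict, prefix: str = PREFIX) -> dict:
    """Expand ${prefix.key} references recursively (assumed property-loader semantics)."""
    def expand(value: str, depth: int = 0) -> str:
        if depth > 10:  # a value that references itself would otherwise recurse forever
            raise ValueError("reference cycle in provider config")
        def sub(m):
            key = m.group(1)
            if not key.startswith(prefix) or key[len(prefix):] not in props:
                raise KeyError(f"unresolved reference {key}")
            return expand(props[key[len(prefix):]], depth + 1)
        return _REF.sub(sub, value)
    return {k: expand(v) for k, v in props.items()}

def check_provider(props: dict, registered_callbacks: list) -> list:
    """Return the problems a reviewer would flag before enabling the provider."""
    cfg = resolve(props)
    url = urlparse(cfg["authorize-url"])
    query = parse_qs(url.query)
    problems = []
    if url.scheme != "https" or not url.netloc.endswith(".amazoncognito.com"):
        problems.append("authorize-url is not an https Cognito hosted-UI endpoint")
    if query.get("redirect_uri", [None])[0] not in registered_callbacks:
        problems.append("redirect_uri is not among the callback URLs registered in Cognito")
    if "openid" not in cfg["scopes"].split("+"):
        problems.append("scopes must include openid for an OIDC login")
    if query.get("state") != ["STATE"]:
        problems.append("state parameter missing from authorize-url")
    if cfg["client-secret"].startswith("<"):
        problems.append("client-secret is still a placeholder")
    return problems
```

The registered callback list passed to `check_provider` is the same set of Callback URLs that has to be entered in the Cognito app client, so a mismatch here is caught before the first failed login.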
Active Governance

The plugin to deploy, which will handle the active governance tasks that need to provision elements on AWS, is "Tot plugin AWS IAM".

Required Credentials

A single credential combining both sets of permissions can be used, but it is recommended to keep them separate so that the activity carried out with each one can be monitored and audited more easily.

Authentication

A User Pool must be registered in the Amazon Cognito service for OAuth2 applications, and a name must be provided.

After creating the user pool, additional configuration is needed in the "Application Clients" section, where the following settings must be retrieved from the created client:

  • Client ID

  • Client Secret

Additionally, a Sign-in Page must be configured with the following settings:

  • The URLs under the domain name that routes to the Anjana Data frontend. The following must be registered:

    • Callback URLs:

      • https://<host>/authorized

      • https://<host>/login

      • https://<host>/configpanel/authorized

      • https://<host>/configpanel/login

    • Sign-out URLs

      • https://<host>/logout

      • https://<host>/configpanel/logout

  • OAuth2 Grant Type

    • The preferred flow type

Finally, in the Branding / Domain section, the Cognito domain must be edited (by default it is a concatenation of a region and a hash) and filled in with an identifying name in lowercase, without special characters such as spaces, since it forms part of a URL.

Active Governance

The plugin to deploy, which will handle the active governance tasks that need to provision elements on AWS, is "Tot plugin AWS IAM". The required credentials are described in its documentation.

SSO Emulation via OAuth2

The OAuth2 protocol enables transparent authentication when possible. To achieve this, the user simply needs to be redirected to https://<host>/provider=<provider identifier in zeus>. If the user is already logged in to that provider and the policies configured in that provider do not require re-validation of the credential, the user will be authenticated in Anjana Data in a completely transparent manner.