
How do I set up my Application Load Balancer to authenticate users through an Amazon Cognito user pool in another AWS account?


I want to use Amazon Cognito authentication with my Application Load Balancer through an Amazon Cognito user pool. But, my user pool is in another AWS account.

Resolution

In the following resolution, Account B is the account that owns the Application Load Balancer, and Account A is the account that owns the user pool.

Create an Application Load Balancer

If you already have an Application Load Balancer, then proceed to the next section.

If you don't have an Application Load Balancer, then create one with an HTTPS listener.

Note: Only HTTPS listeners support the authenticate-cognito and authenticate-oidc rule action types.

Get the DNS name of your Application Load Balancer in Account B

Complete the following steps in Account B:

  1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
  2. In the navigation pane, choose Load Balancers.
  3. Select your Application Load Balancer.
  4. On the Description tab, note your load balancer's DNS name to use in a later step.

Create and configure a user pool in Account A

If you already have a user pool in the other account, then proceed to the next section.

If you don't have a user pool, then complete the following steps in Account A:

  1. Create an Amazon Cognito user pool with an app client.
    Note: When you create an app client, you can choose one of four options: traditional web app, single page app, mobile app, and M2M authentication. If you choose traditional web app or M2M authentication, then the app client is created with a client secret. Choose traditional web app for this setup: the load balancer's authenticate-oidc action requires a client secret, and it uses the authorization code grant, which an M2M app client doesn't support.
  2. Open the Amazon Cognito console.
  3. In the User pool overview section for your user pool, note the user pool ID to use in a later step.
  4. On the Branding tab, choose Domain. Add an Amazon Cognito domain name for your user pool. The domain name is a unique domain prefix that the Cognito hosted UI requires, and the user pool's OAuth 2.0 endpoints (authorize, token, and userInfo) are served from this domain.
  5. Under Applications, choose App clients.
  6. Select the app client that you want to update.
  7. On the App client page, complete the following steps:
    Turn on Show client secret.
    Note the app client ID and app client secret to use in a later step.
  8. Under Hosted UI, add the callback URL https://load-balancer-dns-name/oauth2/idpresponse, where load-balancer-dns-name is the DNS name that you noted in Account B. If users reach the load balancer through a custom domain name (for example, a CNAME record), also add https://custom-domain-name/oauth2/idpresponse. The load balancer sends exactly one of these URLs as the redirect_uri, and Cognito accepts only an exact match.
  9. Select Authorization code grant for OAuth 2.0 grant types.
  10. Select openid for OAuth 2.0 scopes.
  11. Choose Save changes.

Get your user pool's OIDC configuration details

To set up your user pool as an OpenID Connect (OIDC) identity provider (IdP) on your Application Load Balancer, you must get the user pool's OIDC endpoint details from its discovery document.

To get the configuration details, complete the following steps:

  1. In your browser, enter the URL https://cognito-idp.region.amazonaws.com/userPoolId/.well-known/openid-configuration.
    Note: Replace region with the AWS Region of your user pool, for example, us-east-1, and userPoolId with your user pool's ID.
  2. In the JSON response that displays in your browser, note the values from the following fields:
    authorization_endpoint
    issuer
    scopes_supported
    token_endpoint
    userinfo_endpoint

Configure your Application Load Balancer in Account B

Complete the following steps in Account B:

  1. Open the Amazon EC2 console.
  2. Select your Application Load Balancer.
  3. On the Listeners and rules tab, select the HTTPS:443 listener.
  4. Under Manage rules, choose Edit rule.
  5. Select the default rule.
  6. Under Actions, choose Edit rule.
  7. Under Default action, select Authenticate users.
    Note: OIDC is selected by default as the identity provider. Keep that selection. The Amazon Cognito option is for user pools in the load balancer's own account, so a user pool in another account is configured as a generic OIDC IdP with the endpoint values that you noted.
  8. Enter the values that you noted into the following fields:
    For Issuer, enter the issuer value.
    For Authorization endpoint, enter the authorization_endpoint value.
    For Token endpoint, enter the token_endpoint value.
    For User info endpoint, enter the userinfo_endpoint value.
    For Client ID, enter your app client ID.
    For Client secret, enter your app client secret.
    Leave Scope at its default value of openid. Any additional scope that you add must appear in the scopes_supported list that you noted.
  9. Choose Save.

Note: The load balancer must be able to reach the token endpoint and the user info endpoint. These endpoints are public, so an internet-facing load balancer can reach them directly; an internal load balancer needs a route to the internet, for example through a NAT gateway.
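
The console steps above can also be driven from the AWS CLI. The following Python script is an added example and is not part of the original article or of any AWS tool: it parses a constructed copy of a user pool's openid-configuration document (the pool ID us-east-1_EXAMPLE, the domain prefix example-auth, and all IDs and ARNs are placeholders), derives the callback URLs that the app client in Account A must list, checks that the requested scope is one the pool advertises, and writes the two-action document (authenticate-oidc, then forward) in the shape that `aws elbv2 modify-listener --default-actions` accepts.

```python
import json
import re

# Constructed sample of the document that
# https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/openid-configuration
# returns. The pool ID, region and domain prefix "example-auth" are placeholders.
SAMPLE_OPENID_CONFIG = json.dumps({
    "authorization_endpoint": "https://example-auth.auth.us-east-1.amazoncognito.com/oauth2/authorize",
    "id_token_signing_alg_values_supported": ["RS256"],
    "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
    "jwks_uri": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE/.well-known/jwks.json",
    "response_types_supported": ["code", "token"],
    "scopes_supported": ["openid", "email", "phone", "profile"],
    "subject_types_supported": ["public"],
    "token_endpoint": "https://example-auth.auth.us-east-1.amazoncognito.com/oauth2/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "userinfo_endpoint": "https://example-auth.auth.us-east-1.amazoncognito.com/oauth2/userInfo",
})

REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def callback_urls(*hostnames):
    """Return the callback URLs to register on the Cognito app client.

    The load balancer sends redirect_uri=https://<host>/oauth2/idpresponse and Cognito
    accepts only an exact match against the registered list, so one entry is needed
    per hostname that users reach the ALB through (its own DNS name and any custom
    domain). Hostnames are lower-cased, following the article's advice to use
    lowercase URLs; a scheme or trailing slash pasted in by mistake is stripped.
    """
    urls = []
    for host in hostnames:
        host = re.sub(r"^https?://", "", host.strip()).rstrip("/").lower()
        if not re.fullmatch(r"[a-z0-9.-]+", host):
            raise ValueError(f"not a bare hostname: {host!r}")
        urls.append(f"https://{host}/oauth2/idpresponse")
    return urls


def unsupported_scopes(openid_config_json, scope):
    """Return the requested scopes that the user pool does not advertise.

    Asking for a scope the pool does not offer fails at the authorization
    endpoint with an invalid_scope error, so check before deploying the rule.
    """
    supported = set(json.loads(openid_config_json).get("scopes_supported", []))
    return [s for s in scope.split() if s not in supported]


def build_default_actions(openid_config_json, client_id, client_secret, target_group_arn,
                          scope="openid", session_timeout=604800):
    """Build the JSON document for `aws elbv2 modify-listener --default-actions`.

    Action 1 authenticates against the user pool as a generic OIDC IdP (the
    cross-account case); action 2 forwards authenticated requests to the target
    group. The key names are those of the ALB AuthenticateOidcConfig structure.
    """
    cfg = json.loads(openid_config_json)
    missing = [f for f in REQUIRED_FIELDS if f not in cfg]
    if missing:
        raise ValueError(f"openid-configuration is missing {missing}")
    for field in REQUIRED_FIELDS:
        if not cfg[field].startswith("https://"):
            raise ValueError(f"{field} must be an https URL: {cfg[field]}")
    # The ALB uses the authorization code grant; Cognito advertises "code" here.
    if "code" not in cfg.get("response_types_supported", ["code"]):
        raise ValueError("IdP does not advertise the authorization code grant")
    bad = unsupported_scopes(openid_config_json, scope)
    if bad:
        raise ValueError(f"scopes not supported by the user pool: {bad}")
    return [
        {
            "Type": "authenticate-oidc",
            "Order": 1,
            "AuthenticateOidcConfig": {
                "Issuer": cfg["issuer"],
                "AuthorizationEndpoint": cfg["authorization_endpoint"],
                "TokenEndpoint": cfg["token_endpoint"],
                "UserInfoEndpoint": cfg["userinfo_endpoint"],
                "ClientId": client_id,
                "ClientSecret": client_secret,
                "Scope": scope,
                "SessionTimeout": session_timeout,  # seconds; 604800 (7 days) is the ALB default
                "OnUnauthenticatedRequest": "authenticate",
            },
        },
        {"Type": "forward", "Order": 2, "TargetGroupArn": target_group_arn},
    ]


if __name__ == "__main__":
    # Placeholder identifiers; replace with the values noted in Account A and Account B.
    print("Callback URLs to add to the app client in Account A:")
    for url in callback_urls("my-alb-123456789.us-east-1.elb.amazonaws.com", "app.example.com"):
        print("  " + url)
    actions = build_default_actions(
        SAMPLE_OPENID_CONFIG,
        client_id="1example23456789",
        client_secret="EXAMPLE-CLIENT-SECRET",
        target_group_arn="arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/web/0123456789abcdef",
    )
    with open("default-actions.json", "w") as fh:
        json.dump(actions, fh, indent=2)
    print("Wrote default-actions.json; apply it with: aws elbv2 modify-listener "
          "--listener-arn <https-listener-arn> --default-actions file://default-actions.json")
```

Fetch the real discovery document with `curl https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/openid-configuration` and pass its text in place of SAMPLE_OPENID_CONFIG. Keep the client secret out of shell history and source control: the listener stores it, but the generated file should be deleted after the `modify-listener` call.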

Test the setup

Complete the following steps:

  1. In your browser, enter your Application Load Balancer's URL.
  2. Verify that you're redirected to the Cognito hosted UI.
  3. Sign in with valid user credentials.

Note: To avoid errors, make sure that all URLs use lowercase characters.

Related information

Simplify login with Application Load Balancer built-in authentication

Authenticate users using an Application Load Balancer

Listener rules for your Application Load Balancer

OIDC user pool IdP authentication flow

AWS OFFICIAL, updated 8 months ago

3 comments

This setup does not work. You get a 400 when redirected to the authorization endpoint. Inspecting the URL and shortening the state query parameter resolves the 400 (but obviously doesn't fix the login). It looks like Cognito and ALB are not compatible cross-account :-(

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR, replied 3 years ago

It worked for me just now

replied 3 years ago