How do I use Amplify or Cognito SDK to support Single Sign On?

I want to be able to use IDP-initiated SSO to a 3rd party SP's app that respects my current user's login state and doesn't result in a new login screen appearing. I notice that Amplify Auth sets browser local data with the current user's state, which is of course associated with the domain of my app. I need those credentials to be set on my oauth2 hosted UI domain so that when the IDP-initiated app launch happens, those credentials can be picked up on the redirect and thereby bypass the login screen.

How do I do that?

1 Answer
To achieve the desired functionality where the user's login state is respected during an IDP-initiated SSO to a 3rd party SP's app, you can leverage the Amplify Auth module's support for cross-origin resource sharing (CORS) and session storage. Here's a high-level overview of the steps you can follow:

  1. Configure Amplify Auth for CORS:
    • In your Amplify configuration, add the following to the Auth section:

```javascript
Auth: {
  // ...
  // Add the following configuration
  oauth: {
    domain: 'your-oauth2-hosted-ui-domain.com',
    redirectSignIn: 'https://your-oauth2-hosted-ui-domain.com/redirect',
    redirectSignOut: 'https://your-oauth2-hosted-ui-domain.com/signout-redirect',
    responseType: 'code'
  }
}
```

  • This configuration allows Amplify Auth to communicate with the 3rd party SP's app hosted on the your-oauth2-hosted-ui-domain.com domain.
  2. Store User Session in Session Storage:
    • After the user successfully signs in, store the user session information in the browser's session storage. You can do this using the Amplify Auth module's currentAuthenticatedUser() method:

```javascript
import { Auth } from 'aws-amplify';

// Persist the signed-in user object for the current browser tab.
async function storeUserSession() {
  try {
    const user = await Auth.currentAuthenticatedUser();
    sessionStorage.setItem('user', JSON.stringify(user));
  } catch (error) {
    console.error('Error storing user session:', error);
  }
}
```

  3. Retrieve User Session from Session Storage:
    • When the IDP-initiated SSO flow is triggered, retrieve the user session information from the session storage and use it to authenticate the user on the 3rd party SP's app:

```javascript
import { Auth } from 'aws-amplify';

// Read the stored user back and hand its access token to federatedSignIn().
async function retrieveUserSession() {
  try {
    const userSession = JSON.parse(sessionStorage.getItem('user'));
    if (userSession) {
      await Auth.federatedSignIn(
        'openid',
        {
          token: userSession.signInUserSession.accessToken.jwtToken,
          // Token expiry is in seconds; expires_at is expected in milliseconds.
          expires_at: userSession.signInUserSession.accessToken.expiration * 1000
        },
        userSession.attributes
      );
    }
  } catch (error) {
    console.error('Error retrieving user session:', error);
  }
}
```
  • This code retrieves the user session information from the session storage and uses the Amplify Auth module's federatedSignIn() method to authenticate the user on the 3rd party SP's app. By following these steps, you can ensure that the user's login state is respected during the IDP-initiated SSO flow, and the user is not prompted to log in again on the 3rd party SP's app. Remember to replace the placeholders ('your-oauth2-hosted-ui-domain.com') with the appropriate values for your use
AWS
answered a year ago
