Guide to using IAM Identity Center Customer application for ALB authentication?

0

I have setup and configured an open source application and made it available behind an internal ALB (not Internet facing). The application, Eclipse Theia has no login/authentication mechanism and typically relies on NGINX for this purpose.

We have IAM Identity Center enabled Org wide, but I would prefer to start by using an account specific/local setup initially.

As far as I can tell, I can, in theory, set up a Customer Managed Application in Identity Center so that it's presented on the "Applications" tab of the AWS access portal (like say Grafana or a custom QuickSight dashboard) and use this to authenticate access through my ALB, but at some point I need to use an Amazon Cognito Identity Pool that's integrated with Identity Center? I can't find a guide for this as my search terms tend to return every other combination of authentication setup for just two of these systems, when what I'm looking for is some sort of AWS ID Center application + Cognito + ALB authentication combined guide that covers the integration of all 3?

I think this answer is almost what I'm looking for https://repost.aws/knowledge-center/cognito-user-pool-iam-integration but it is just lacking the integration with the ALB forwarding rules?

3 Answers
0

1. Set Up IAM Identity Center:

Ensure IAM Identity Center is enabled and configured in your AWS account. If you are using an AWS Organization, you can set this up at the organization level or at the account level for a local setup.

Create a custom SAML 2.0 application in IAM Identity Center:

Go to the IAM Identity Center console.

Navigate to Applications > Add a new application > Add a custom SAML 2.0 application.

Configure the application with the required details, such as the ACS (Assertion Consumer Service) URL and the Entity ID. These URLs are typically provided by your ALB's listener rule when you configure SAML authentication.

Download the AWS SSO metadata file.

2. Configure Amazon Cognito:

Create a new Cognito User Pool or use an existing one. You will use this to handle user authentication and federation.

Create an Identity Pool if needed for federated identities.

Set up Cognito to use IAM Identity Center as an external SAML identity provider:

Go to the Cognito console and select your User Pool.

Under Federation, select Identity providers > SAML.

Add a new SAML identity provider and upload the metadata file from IAM Identity Center.

Map the SAML attributes to Cognito attributes as needed.

3. Configure the Application Load Balancer (ALB):

Create or update your ALB to enable SAML-based authentication:

In the ALB console, under Listeners, select the listener (typically HTTPS).

Create a new rule to authenticate users with a SAML-based authentication provider.

In the Actions section, select Authenticate > SAML.

Provide the details from your IAM Identity Center SAML configuration (ACS URL, Entity ID).

Set up the ALB rules to forward authenticated requests to your target group where the Eclipse Theia application is running.

4. Testing and Verification: Once all configurations are in place, test the setup:

Access the application through the ALB. You should be redirected to the IAM Identity Center login page for authentication.

After successful authentication, the ALB should forward the request to your application.

EXPERT
answered a month ago
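The three-way wiring the question asks for, as an added example (not code from the answer above or from AWS): a Cognito user pool federated to the Identity Center custom SAML application, a confidential app client, and an ALB listener rule that authenticates and then forwards to the Theia target group. The ALB step uses the authenticate-cognito action (the ALB authenticate actions are Cognito and OIDC), so the SAML trust lives in the user pool rather than in the listener. The metadata URL, callback hostname, listener ARN and target group ARN are assumed placeholders.

```yaml
Resources:
  TheiaUserPool:                       # holds the SAML trust; the ALB only talks to Cognito
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: theia-users
  IdentityCenterSaml:
    Type: AWS::Cognito::UserPoolIdentityProvider
    Properties:
      UserPoolId: !Ref TheiaUserPool
      ProviderName: IdentityCenter
      ProviderType: SAML
      ProviderDetails:                 # assumed placeholder: metadata URL of the custom SAML app
        MetadataURL: https://portal.sso.REGION.amazonaws.com/saml/metadata/PLACEHOLDER
  TheiaUserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      UserPoolId: !Ref TheiaUserPool
      Domain: theia-auth-example       # hosted-UI prefix the ALB redirects browsers to
  TheiaAppClient:
    Type: AWS::Cognito::UserPoolClient
    DependsOn: IdentityCenterSaml
    Properties:
      UserPoolId: !Ref TheiaUserPool
      GenerateSecret: true             # the ALB requires a confidential client
      SupportedIdentityProviders: [IdentityCenter]   # SAML only, no local COGNITO logins
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows: [code]
      AllowedOAuthScopes: [openid, email]
      CallbackURLs:                    # assumed ALB hostname; /oauth2/idpresponse is fixed by the ALB
        - https://theia.internal.example.com/oauth2/idpresponse
  TheiaAuthRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/PLACEHOLDER  # assumed HTTPS listener
      Priority: 10
      Conditions:
        - Field: path-pattern
          PathPatternConfig:
            Values: ["/*"]
      Actions:
        - Type: authenticate-cognito
          Order: 1
          AuthenticateCognitoConfig:
            UserPoolArn: !GetAtt TheiaUserPool.Arn
            UserPoolClientId: !Ref TheiaAppClient
            UserPoolDomain: !Ref TheiaUserPoolDomain
            OnUnauthenticatedRequest: authenticate   # redirect to login; never pass unauthenticated requests through
            SessionTimeout: 28800                    # 8h instead of the 7-day default
        - Type: forward
          Order: 2
          TargetGroupArn: arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER  # assumed Theia target group
```

The authentication only holds if the Theia targets accept traffic solely from the ALB's security group, since a client that can reach the instance directly skips the listener rule entirely.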
0

Thank you for this Thanniru, I'll test and get back with any updates. I also found this guide, which sounds like the ultimate goal of what I'm trying to MVP here https://aws.amazon.com/blogs/networking-and-content-delivery/aws-verified-access-integration-with-aws-iam-identity-center-and-saml-2-0-identity-providers/ just in case anyone else comes across this thread and finds it useful.

answered a month ago
0

I'm specifically struggling with this stage as there doesn't seem to be any SAML option...

Create a new rule to authenticate users with a SAML-based authentication provider. In the Actions section, select Authenticate > SAML. Provide the details from your IAM Identity Center SAML configuration (ACS URL, Entity ID).

There is no option for SAML, only "Cognito" or "OIDC", and the OIDC option asks for an endpoint, token endpoint, client ID and secret, which aren't clearly mapped to the outputs from setting up IAM Identity Center.

Would you have a screen shot?

answered a month ago
