Use Amazon Cognito as Identity Provider
In this article, you will learn the basic setup of Amazon Cognito as an Identity Provider for GoodData. To keep this example reproducible and universal, the commands below are written for the Bash shell and use AWS CLI version 2. If you use a different deployment tool (such as CloudFormation or Terraform), or if you configure Amazon Cognito manually in the AWS Console, you will need to adapt these scripts.
Set up shared environment
Set the following environment variables in the shell you will later use to run the aws-cli commands. Adjust the values to your environment.
Variable | Example value | Explanation |
---|---|---|
AWS_REGION | eu-central-1 | AWS region where Cognito will be deployed |
ORG_HOSTNAME | example.gooddata.com | Hostname of the GoodData organization |
ORGANIZATION_ID | alpha | Organization ID |
API_TOKEN | YWRtaW46Ym9vdHN0cmFwOmRlbW8xMjM= | Token with MANAGE permission on your Organization; replace the example value with your own token |
ORG_PORT | "" | Port number, if it differs from 80 or 443; otherwise leave empty |
ORG_SCHEMA | https | Scheme of the organization URL, http or https |
User pool configuration
Create Cognito user pool
The following command creates an Amazon Cognito user pool. It will be called gdcn-demo and will use a simple password policy:
- minimum 8 characters
- must contain upper-case, lower-case, and numeric characters
- the assigned temporary password is valid for 7 days
To keep this example simple, new accounts will have their e-mail addresses set as verified, multi-factor authentication will be turned off, and e-mail will be sent from the AWS-provided (Cognito default) account.
More importantly, the name user attribute is set as required so that it is always present for every user. GoodData reads this attribute from the user's ID token to learn who has just logged in.
The ID of the created user pool is stored in the environment variable USERPOOL_ID, which is used in the later steps.
Create Cognito domain
Cognito needs a domain where the login form and the OAuth 2.0 endpoints will be hosted. We will use an AWS-hosted domain; the resulting URL will be https://<<domain>>.auth.<<region>>.amazoncognito.com/. It is also possible to use a custom domain, such as https://auth.gooddata.com/; refer to the AWS documentation for details.
This command will create the domain https://gdcn-demo.auth.eu-central-1.amazoncognito.com/:
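The two steps above (pool, then domain) as an added example; this is not the article's own script. Source the file and call setup_user_pool so that USERPOOL_ID stays in your shell. The pool and domain names come from the article; AllowAdminCreateUserOnly is an added hardening (users are provisioned by an administrator here, so self sign-up is disabled), and the e-mail-verified flag is applied later, per user, in admin-create-user rather than at pool level.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): creates the Cognito user pool
# and its AWS-hosted domain with AWS CLI v2. Source this file, then call
# setup_user_pool so that USERPOOL_ID stays in your shell.
AWS_REGION="${AWS_REGION:-eu-central-1}"
POOL_NAME="${POOL_NAME:-gdcn-demo}"       # pool name from the article
POOL_DOMAIN="${POOL_DOMAIN:-gdcn-demo}"   # domain prefix from the article

# Hosted UI / OAuth 2.0 base URL of an AWS-hosted (prefix) domain.
cognito_hosted_ui_url() {
  printf 'https://%s.auth.%s.amazoncognito.com/\n' "$1" "$2"
}

# --policies shorthand matching the article's policy: $1 minimum length,
# $2 temporary-password validity in days; symbols are not required.
password_policy() {
  printf 'PasswordPolicy={MinimumLength=%s,RequireUppercase=true,RequireLowercase=true,RequireNumbers=true,RequireSymbols=false,TemporaryPasswordValidityDays=%s}' "$1" "$2"
}

# Creates the pool and prints its id. MFA is off and mail is sent from the
# Cognito default account, as in the article. AllowAdminCreateUserOnly is an
# added hardening: users are provisioned by an administrator in this setup,
# so self sign-up through the hosted UI is disabled. The "name" attribute is
# marked required because GoodData reads it from the ID token.
create_user_pool() {
  aws cognito-idp create-user-pool \
    --region "$AWS_REGION" \
    --pool-name "$POOL_NAME" \
    --policies "$(password_policy 8 7)" \
    --mfa-configuration OFF \
    --email-configuration EmailSendingAccount=COGNITO_DEFAULT \
    --admin-create-user-config AllowAdminCreateUserOnly=true \
    --schema Name=name,AttributeDataType=String,Required=true,Mutable=true \
    --query 'UserPool.Id' --output text
}

# Attaches the prefix domain that serves the login form and OAuth 2.0 endpoints.
create_user_pool_domain() {
  aws cognito-idp create-user-pool-domain \
    --region "$AWS_REGION" \
    --domain "$POOL_DOMAIN" \
    --user-pool-id "$1"
}

# Runs both steps and exports USERPOOL_ID for the later steps.
setup_user_pool() {
  USERPOOL_ID="$(create_user_pool)"
  [ -n "$USERPOOL_ID" ] || { echo "create-user-pool failed" >&2; return 1; }
  create_user_pool_domain "$USERPOOL_ID" || return 1
  export USERPOOL_ID
  echo "USERPOOL_ID=$USERPOOL_ID"
  echo "Hosted UI: $(cognito_hosted_ui_url "$POOL_DOMAIN" "$AWS_REGION")"
}
```

Usage: `. ./cognito-pool.sh && setup_user_pool`. If the domain prefix is already taken in that region (prefixes are global per region), create-user-pool-domain fails and the function returns non-zero; pick another prefix and rerun only create_user_pool_domain.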
Create cognito user pool client
In order to use this user pool as the source of truth for user authentication, we need to create an OAuth 2.0 client. This command creates such a client, which will later be configured in the GoodData Organization.
The variable ${POOL_CLIENT[0]} contains the client secret and ${POOL_CLIENT[1]} contains the client ID.
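The client-creation step as an added example (not the article's script). It assumes GoodData's OAuth callback path is /login/oauth2/code/<organization-id>, which the article does not state; the client name gdcn-demo is also an assumption. Instead of the bash array POOL_CLIENT it stores the two values in POOL_CLIENT_SECRET and POOL_CLIENT_ID so the file also works in a POSIX shell.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): creates the OAuth 2.0 client
# of the user pool. Source this file after USERPOOL_ID is set and call
# create_user_pool_client; it leaves POOL_CLIENT_ID and POOL_CLIENT_SECRET in
# your shell (the article keeps the same values in the bash array POOL_CLIENT).
AWS_REGION="${AWS_REGION:-eu-central-1}"
ORG_SCHEMA="${ORG_SCHEMA:-https}"
ORG_HOSTNAME="${ORG_HOSTNAME:-example.gooddata.com}"
ORG_PORT="${ORG_PORT:-}"
ORGANIZATION_ID="${ORGANIZATION_ID:-alpha}"
POOL_CLIENT_NAME="${POOL_CLIENT_NAME:-gdcn-demo}"   # assumed client name

# Organization base URL; ":port" is appended only when ORG_PORT is non-empty.
org_base_url() {
  printf '%s://%s%s' "$ORG_SCHEMA" "$ORG_HOSTNAME" "${ORG_PORT:+:$ORG_PORT}"
}

# Redirect URI the client is allowed to return the authorization code to.
# ASSUMPTION: GoodData's callback path is /login/oauth2/code/<organization-id>;
# the article does not state it, so check it against your GoodData release.
gooddata_redirect_uri() {
  printf '%s/login/oauth2/code/%s\n' "$(org_base_url)" "$ORGANIZATION_ID"
}

create_user_pool_client() {
  [ -n "${USERPOOL_ID:-}" ] || { echo "USERPOOL_ID is not set" >&2; return 1; }
  # Confidential client (--generate-secret) limited to the authorization-code
  # flow, one exact callback URL and the pool's own users. The profile scope
  # is what puts the "name" claim into the ID token. ENABLED keeps failed
  # logins from revealing whether a user name exists.
  set -- $(aws cognito-idp create-user-pool-client \
    --region "$AWS_REGION" \
    --user-pool-id "$USERPOOL_ID" \
    --client-name "$POOL_CLIENT_NAME" \
    --generate-secret \
    --allowed-o-auth-flows code \
    --allowed-o-auth-scopes openid profile email \
    --allowed-o-auth-flows-user-pool-client \
    --supported-identity-providers COGNITO \
    --callback-urls "$(gooddata_redirect_uri)" \
    --prevent-user-existence-errors ENABLED \
    --query 'UserPoolClient.[ClientSecret,ClientId]' --output text)
  [ $# -eq 2 ] || { echo "create-user-pool-client failed" >&2; return 1; }
  POOL_CLIENT_SECRET="$1"   # same as ${POOL_CLIENT[0]} in the article
  POOL_CLIENT_ID="$2"       # same as ${POOL_CLIENT[1]} in the article
  export POOL_CLIENT_SECRET POOL_CLIENT_ID
  echo "POOL_CLIENT_ID=$POOL_CLIENT_ID"   # the secret is deliberately not printed
}
```

The callback URL must match what GoodData actually sends, character for character, or Cognito answers the authorization request with a redirect_mismatch error; ORG_PORT matters here, which is why org_base_url appends it only when set.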
Configure Cognito IdP in Organization
Update the GoodData organization with the OAuth 2.0 client you just created. You will need to prepare an API request payload containing the information retrieved in the previous steps:
- oauthClientId - ID of the OAuth 2.0 client, stored in the ${POOL_CLIENT[1]} variable
- oauthClientSecret - client secret, stored in the ${POOL_CLIENT[0]} variable
- oauthIssuerLocation - URL of the OAuth issuer. For Cognito, it always has the form https://cognito-idp.<<aws-region>>.amazonaws.com/<<user-pool-id>>
Treat the payload as a secret: it contains the client secret, so do not commit it to a repository or leave it in your shell history.
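The organization update as an added example (not the article's script). It assumes the entity endpoint is /api/v1/entities/admin/organizations/<id> (older GoodData.CN releases use /api/entities/...) and uses PATCH so that only the OAuth attributes change; verify both against your release. The payload is piped to curl through stdin so the client secret never appears in a process listing.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): writes the OAuth 2.0 client
# into the GoodData organization. Expects USERPOOL_ID, POOL_CLIENT_ID and
# POOL_CLIENT_SECRET from the previous steps in the same shell.
AWS_REGION="${AWS_REGION:-eu-central-1}"
ORG_SCHEMA="${ORG_SCHEMA:-https}"
ORG_HOSTNAME="${ORG_HOSTNAME:-example.gooddata.com}"
ORG_PORT="${ORG_PORT:-}"
ORGANIZATION_ID="${ORGANIZATION_ID:-alpha}"
API_TOKEN="${API_TOKEN:-}"

org_base_url() {
  printf '%s://%s%s' "$ORG_SCHEMA" "$ORG_HOSTNAME" "${ORG_PORT:+:$ORG_PORT}"
}

# Issuer URL of a Cognito user pool: $1 region, $2 user pool id. It is also
# the "iss" claim of every ID token the pool signs; GoodData appends
# /.well-known/openid-configuration to it to discover endpoints and signing
# keys, so the value must match exactly (scheme, region, no trailing slash).
cognito_issuer_location() {
  printf 'https://cognito-idp.%s.amazonaws.com/%s\n' "$1" "$2"
}

# JSON:API payload carrying only the OAuth attributes: $1 organization id,
# $2 client id, $3 client secret, $4 issuer location.
organization_oauth_payload() {
  printf '{"data":{"id":"%s","type":"organization","attributes":{"oauthClientId":"%s","oauthClientSecret":"%s","oauthIssuerLocation":"%s"}}}\n' "$1" "$2" "$3" "$4"
}

# ASSUMPTION: endpoint path and PATCH semantics as described in the lead-in.
# The payload goes through stdin so the secret is not visible in `ps` output
# or in shell history.
configure_organization() {
  if [ -z "${API_TOKEN:-}" ] || [ -z "${USERPOOL_ID:-}" ] || \
     [ -z "${POOL_CLIENT_ID:-}" ] || [ -z "${POOL_CLIENT_SECRET:-}" ]; then
    echo "API_TOKEN, USERPOOL_ID, POOL_CLIENT_ID and POOL_CLIENT_SECRET must be set" >&2
    return 1
  fi
  organization_oauth_payload "$ORGANIZATION_ID" "$POOL_CLIENT_ID" "$POOL_CLIENT_SECRET" \
      "$(cognito_issuer_location "$AWS_REGION" "$USERPOOL_ID")" |
    curl -fsS -X PATCH \
      "$(org_base_url)/api/v1/entities/admin/organizations/$ORGANIZATION_ID" \
      -H "Authorization: Bearer $API_TOKEN" \
      -H 'Content-Type: application/vnd.gooddata.api+json' \
      --data-binary @-
}
```

Usage: `. ./gooddata-org.sh && configure_organization`. Note that the Authorization header is still passed as a command-line argument; on a shared host, move it into a curl config file read with `curl -K` instead.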
Provision user to user pool
There are multiple ways to add users to a Cognito user pool. In this example, we create a new user with the admin-create-user API; it is also possible to import users from a CSV file. Refer to the AWS documentation for further details.
Link Cognito user with GoodData user
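The two steps above, provisioning the Cognito user and linking it to a GoodData user, as one added example (not the article's script). It assumes that GoodData matches the Cognito sub claim against the user entity's authenticationId attribute, that users are created through /api/v1/entities/users, and that a user group named adminGroup exists; check all three against your release. Cognito generates and e-mails the temporary password, so no credential appears on the command line.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): provisions a user in the pool
# and creates the matching GoodData user. Expects USERPOOL_ID and API_TOKEN in
# the shell.
AWS_REGION="${AWS_REGION:-eu-central-1}"
ORG_SCHEMA="${ORG_SCHEMA:-https}"
ORG_HOSTNAME="${ORG_HOSTNAME:-example.gooddata.com}"
ORG_PORT="${ORG_PORT:-}"
API_TOKEN="${API_TOKEN:-}"

org_base_url() {
  printf '%s://%s%s' "$ORG_SCHEMA" "$ORG_HOSTNAME" "${ORG_PORT:+:$ORG_PORT}"
}

# Creates the Cognito user: $1 login name, $2 e-mail, $3 display name (the
# required "name" attribute). email_verified is set because the article skips
# verification. No --temporary-password is passed: Cognito generates one and
# e-mails it, so nothing secret lands on the command line or in history.
admin_create_user() {
  aws cognito-idp admin-create-user \
    --region "$AWS_REGION" --user-pool-id "$USERPOOL_ID" \
    --username "$1" \
    --user-attributes "Name=email,Value=$2" Name=email_verified,Value=true "Name=name,Value=$3" \
    --desired-delivery-mediums EMAIL \
    --query 'User.Username' --output text
}

# Cognito's immutable user identifier ("sub" claim of the ID token).
# ASSUMPTION: this is the value GoodData matches against authenticationId;
# linking on sub rather than on login name or e-mail means renaming the
# user in Cognito does not break the link.
cognito_user_sub() {
  aws cognito-idp admin-get-user \
    --region "$AWS_REGION" --user-pool-id "$USERPOOL_ID" --username "$1" \
    --query "UserAttributes[?Name=='sub'].Value" --output text
}

# JSON:API payload for the GoodData user: $1 GoodData user id, $2 Cognito sub,
# $3 user group id (ASSUMPTION: adminGroup exists in a fresh organization).
gooddata_user_payload() {
  printf '{"data":{"id":"%s","type":"user","attributes":{"authenticationId":"%s"},"relationships":{"userGroups":{"data":[{"id":"%s","type":"userGroup"}]}}}}\n' "$1" "$2" "$3"
}

# Links Cognito user $2 to a new GoodData user $1 in group ${3:-adminGroup}.
link_user() {
  [ -n "${API_TOKEN:-}" ] && [ -n "${USERPOOL_ID:-}" ] || { echo "API_TOKEN and USERPOOL_ID must be set" >&2; return 1; }
  sub="$(cognito_user_sub "$2")"
  [ -n "$sub" ] || { echo "no sub found for $2" >&2; return 1; }
  gooddata_user_payload "$1" "$sub" "${3:-adminGroup}" |
    curl -fsS -X POST "$(org_base_url)/api/v1/entities/users" \
      -H "Authorization: Bearer $API_TOKEN" \
      -H 'Content-Type: application/vnd.gooddata.api+json' \
      --data-binary @-
}
# Example: admin_create_user demo demo@example.com "Demo User" && link_user demo.user demo
```

Give a newly linked user only the group it needs; adminGroup is used here because it is the one group a fresh organization is known to have.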
Log in to GoodData
Now you can use a web browser to log in to your GoodData Organization. Navigate to the Organization URL (https://example.gooddata.com in the example above) and enter the user's login and the initial (temporary) password. On first login, the user must change the password.
Cleanup
When you're done with the test, you may want to delete the AWS resources you created. Use these commands to delete the user pool domain and then the user pool itself; the domain has to be removed first, because Cognito refuses to delete a user pool that still has a domain attached.
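The cleanup as an added example (not the article's commands). It deletes the domain before the pool and refuses to run with an empty pool id or domain, so a missing USERPOOL_ID fails with a clear message instead of an AWS validation error. The app client is removed together with the pool.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): removes the Cognito resources
# created above. The domain has to go first; Cognito refuses to delete a user
# pool that still has a domain attached. The app client is deleted with the pool.
AWS_REGION="${AWS_REGION:-eu-central-1}"

# $1 user pool id, $2 domain prefix (gdcn-demo in the article).
cleanup_cognito() {
  if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then
    echo "usage: cleanup_cognito <user-pool-id> <domain>" >&2
    return 1
  fi
  aws cognito-idp delete-user-pool-domain \
    --region "$AWS_REGION" --domain "$2" --user-pool-id "$1" || return 1
  aws cognito-idp delete-user-pool \
    --region "$AWS_REGION" --user-pool-id "$1"
}
# Example: cleanup_cognito "$USERPOOL_ID" gdcn-demo
```

Remember to also clear the oauth* attributes in the GoodData organization afterwards, otherwise it keeps pointing at an issuer that no longer exists and every login attempt fails.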
Known Limitations
RP Initiated Logout does not work at the moment. We plan to implement the functionality in a future release.