Set Up Azure AD Authentication with Cognito User Pool

Cognito can act as an identity broker for Azure AD, allowing users created in the user pool to log in to the application. Setting up Azure AD authentication with Cognito involves the following steps:

  • Create an enterprise application in Azure AD for AWS Cognito.
    • Create app roles and provision roles to the users.
  • Configure Azure AD as an identity provider in local.py.

Create Enterprise Application in Azure AD for AWS Cognito

Cognito user pool details needed for the Azure AD setup: note the user pool ID and the domain prefix of the Cognito user pool.

Format for Identifier (Entity ID): urn:amazon:cognito:sp:<yourUserPoolID>
For example, urn:amazon:cognito:sp:ap-southeast-2_nYYYyyYyYy

Format for Reply URL: https://<yourDomainPrefix>.auth.<aws-region>.amazoncognito.com/saml2/idpresponse
For example, https://example-corp-prd.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse

Your domain prefix: the same domain name must be used in local.py when redeploying.

Copy the Cognito user pool ID and have the Identifier (Entity ID) and Reply URL, built from the formats above, ready before continuing.

  1. On the Azure portal, go to Azure Active Directory.
  2. On the sidebar, select Enterprise Applications and create a new app.
  3. On the Browse Azure AD Gallery page, choose Create your own application.
  4. Enter a name for your application and select Integrate any other application you don't find in the gallery (Non-gallery).

Screenshot of the Create your own application UI

  5. Once the app is created, go to the Getting started page, and in the Set up single sign-on tile, choose Get started.

Screenshot of the Getting Started page, with a red arrow pointing to the tile labeled Set up single sign-on

  6. On the next page, select SAML.
  7. In the Basic SAML Configuration section, choose the Edit icon and replace the default Identifier (Entity ID) with the Identifier (Entity ID) you copied previously.

Screenshot of the SAML configuration

  8. In the Reply URL (Assertion Consumer Service URL) field, enter the Reply URL you noted previously.
  9. Set the Logout URL to <COGNITO_DOMAIN_URL>/logout?client_id=<COGNITO_APP_CLIENT>&response_type=code&scope=openid+profile&redirect_uri=<PALADIN_UI_URL>/callback.

Screenshot of the SAML configuration with red arrows calling out the locations of the Identifier (Entity ID) and Logout URL

  10. In the User Attributes & Claims section, choose Edit and then Add new claim.

Screenshot of the User Attributes & Claims section

  11. Enter Role Name as the name of the claim, leave the namespace blank, and select user.assignedroles as the source attribute.

Screenshot of the Manage claim UI with the values above entered

  12. Scroll down to the SAML Signing Certificate section and download the Federation Metadata XML.

Screenshot with a red arrow pointing to the copy icon for the SAML Signing Certificate's App Federation Metadata URL

  13. Copy the contents of the XML file; it will be entered in local.py in a later step.

Create App Roles and Provision Roles to the Users

  1. Go to Azure Active Directory >> App registrations.
  2. Select the app registered in the previous step, and on the side panel, select App roles and click Create app role.

Screenshot of the Edit app role UI with the values listed below filled out

  3. Enter a display name and set Allowed member types to Users/Groups.
  4. In the Value field, enter ROLE_ADMIN, which will act as the admin role for Paladin Cloud.
  5. Create another app role with the same configuration but with the value ROLE_USER, which will be the default read-only user role for Paladin Cloud.
  6. To assign these roles, navigate to Azure Active Directory >> Enterprise applications and select the app that was created.

Screenshot of the Enterprise applications > All applications UI

  7. On the side panel, select Users and groups and click Add user/group.

Screenshot of the Users and groups UI

  8. Select the users and the roles that should be assigned to them.

Screenshot of the Select a role UI
Screenshot of an example list of users with permissions to the application

Configure Azure AD as an Identity Provider in local.py

  1. Connect to the installer machine.
  2. Edit the Setting/local.py file.
  3. Under #AZURE_AD_CONFIGURATION, add ENABLE_AZURE_AD = True and METADATA_XML_FILE = """ """.
  4. Paste the contents of the Federation Metadata XML file into the METADATA_XML_FILE variable.
  5. Run sudo python3 manager.py redeploy from the installer folder if you are upgrading to 2.0.0 from a previous version.
  6. Run sudo python3 manager.py upgrade if you are only configuring AD.
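As an added example (not part of the Paladin Cloud installer or manager.py), a stdlib-only pre-flight check you can run on the Federation Metadata XML before pasting it into METADATA_XML_FILE: it confirms the file is IdP (not SP) metadata, carries a base64-decodable signing certificate that Cognito can use to verify assertions, and exposes an HTTPS SingleSignOnService endpoint. The sample metadata, tenant ID and certificate below are constructed placeholders, and check_idp_metadata is a hypothetical helper name.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like an Azure AD export; tenant ID and certificate are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBAgECAwQ=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def check_idp_metadata(metadata_xml: str) -> dict:
    """Report what Cognito needs from IdP metadata; 'problems' is empty when it is safe to paste."""
    problems, sso_urls, signing_certs = [], {}, 0
    root = ET.fromstring(metadata_xml.strip())
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        problems.append("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor (SP metadata pasted by mistake?)")
        return {"entity_id": entity_id, "sso_urls": sso_urls, "signing_certs": 0, "problems": problems}
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys cannot verify assertions
        cert = "".join(kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).split())
        try:
            base64.b64decode(cert, validate=True)
            signing_certs += bool(cert)  # an empty element is not a usable certificate
        except ValueError:
            problems.append("signing certificate is not valid base64")
    if signing_certs == 0:
        problems.append("no signing certificate: Cognito cannot verify assertions")
    for sso in idp.findall("md:SingleSignOnService", NS):
        sso_urls[sso.get("Binding", "").rsplit(":", 1)[-1]] = sso.get("Location", "")
    if not any(u.startswith("https://") for u in sso_urls.values()):
        problems.append("no https SingleSignOnService endpoint")
    return {"entity_id": entity_id, "sso_urls": sso_urls, "signing_certs": signing_certs, "problems": problems}
```

Run it against the downloaded file's contents (for example, open(path).read()) and fix any reported problem in the Azure AD app before editing local.py.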