Amazon Cognito (OIDC)

  • 3 minute(s) read
Prev Next

Overview

Configure Maverics to use Microsoft Entra ID as an identity provider using the SAML protocol.

Configuration settings for Amazon Cognito OIDC user flow.

Identity Fabric/Amazon Cognito (OIDC)→Configure Identity Fabric→Use for authentication in any type of user flow

Configure Identity Fabric

Use a Secret Provider

Strata recommends implementing a secret management system for use in Production. Maverics connects with multiple secret management systems, which keep sensitive information that Orchestrator instances retrieve during startup. To cite a secret from your provider, enclose the name in angle brackets. (e.g. <app client-id>).


Name

Description

Example

Name

A unique identifier for the connector configuration. This cannot be changed once set.

mavericsOIDC

OIDC Well Known URL

The URL that returns OpenID Connect metadata about the OIDC authorization server.

https://example.com/.well-known/openid-configuration

OAuth Client ID

The OAuth client ID registered with the OIDC provider.

exampleID
<client_ID_from_secret_provider>

OAuth Client Secret

The OAuth client secret associated with the client ID.

exampleSecret
<client_secret_from_secret_provider>

Redirect URL(s)

A list of allowed redirect URIs for the login flow.

https://host1.example.com/oidc, https://host2.example.com/oidc

Logout Callback URL(s)

A list of allowed redirect URIs for the logout flow.

https://host1.example.com/logout, https://host2.example.com/logout

Scopes

A space-delimited string specifying the scopes to request during authentication.

openid profile email custom-scope

Proof Key for Code Exchange (PKCE)

Enable or disable Proof Key for Code Exchange (PKCE). When set to enabled, PKCE enhances security by requiring a code verifier during authentication. When disabled, PKCE is disabled, which may reduce security for public clients.


JSON deployed to the orchestrator

{
  "connectors": [
    {
      "name": "mavericsOIDC",
      "type": "oidc",
      "oidcWellKnownURL": "https://example.com/.well-known/openid-configuration",
      "oauthClientID": "exampleID",
      "oauthClientSecret": "exampleSecret",
      "oauthLoginRedirect": {
        "urls": [
          "https://host1.example.com/oidc",
          "https://host2.example.com/oidc"
        ]
      },
      "oauthLogoutRedirect": {
        "urls": [
          "https://host1.example.com/logout",
          "https://host2.example.com/logout"
        ]
      },
      "disablePKCE": false,
      "scopes": "openid profile email custom-scope"
    }
  ]
}


Configure Maverics in Amazon Cognito

We recommend setting up a separate user pool, app client, and user name in Cognito for use in Maverics. From Cognito in your AWS console, follow steps 1 and 2 in Amazon's Cognito Getting Started Guide to create a user pool and add an app client.

When setting up the user pool, we recommend leaving all of the options at their default setting except for the following:

  1. On the Configure sign-in experience page, select Email as the sign-in option.

  2. On the Integrate your app section:

    • Under Hosted authentication pages, select Use the Cognito Hosted UI.

    • Choose a Cognito domain prefix, (for example, strata-maverics-sonar-app).

    • Under Initial app client, select Other - A custom app. Choose your own grant, auth flow, and client-secret settings.

    • Enter an app name, like Sonar-app.

    • Ensure Generate a client secret is selected under Client secret.

    • Under Allowed callback URLs, enter https://localhost/oidc

    • Add Allowed logout URLs, enter https://localhost/oidc/logout

    • Ensure that the OpenID Connect scopes field contains email, openid, and profile.

  3. Scroll to the bottom and click Create user pool.

  4. After you have created the user pool and you have been redirected to the User pools page, click the user pool you have just created.

  5. Make a note of the User Pool ID and AWS region.

  6. Go to the App integration tab and scroll down to the App client list. Click the app name.

  7. On the app client page, copy the Client ID and Client secret.

  8. Go back to the user pool page. In the Users section, click Create user and follow the instructions.

  9. Make a note of the email address used for the username.

Identity Service Health Monitoring

Identity Service Health Monitoring is a feature used as part of Identity Continuity™ and is available for OIDC, SAML, and LDAP identity services. When enabled, this feature allows the orchestrator to continuously poll the identity service and trigger an alert if it can't be reached. In addition, you can create a manual failover mechanism for break-glass scenarios with the custom health check endpoint capability. 

You will need to configure Identity Service Health Monitoring for each identity service used in your continuity strategy.

When this feature is enabled, the following fields can be configured:

NameDescriptionExample
Polling FrequencyThe interval between each health check of the identity service. Can be set in seconds, minutes, or hours.30s
TimeoutThe maximum wait time for a response. Can be set in seconds, minutes, or hours.5s
Failover ThresholdThe number of consecutive negative (down) health check results to trigger a failover.4
Fallback ThresholdThe number of consecutive positive (up) health check results to trigger a fallback.4
Custom Health CheckEnabling this allows you to override the behavior of monitoring IDP availability. This can be used use custom signals for IDP health or for a break-glass scenario to manually trigger failover and fallback behaviors. 
Custom Health Check Endpoint
The endpoint to use for the custom health check. The value must be a fully qualified URL.
https://example.com/health
Expected Status Codes(Optional) The HTTP status codes that the custom health check returns to be considered healthy.200, 201
Response Body Matcher(Optional) A matcher that verifies the expected value in the response body of a health check.'"status": "up"'

Related articles