Last week, Amazon Web Services™ (AWS) announced an exciting new capability in their Cognito product: support for OpenID® Connect (OIDC). Amazon Cognito, which was released in July of this year, provides identity services for application developers as well as the ability to synchronize data between devices. Using Cognito, developers can store information such as user preferences and other data in the AWS cloud, making it simple for users to switch between mobile devices or use applications offline. Additionally, Cognito provides the ability for an application to obtain a temporary, limited-use AWS token that can be used to access other AWS services, avoiding the security risk of hardcoding credentials into the application.
Initially, Cognito supported anonymous users as well as authenticated access through Amazon, Google and Facebook. The addition of OIDC extends this authenticated access to any identity provider through a secure, standards-based protocol.
Using Cognito, developers can focus on the user experience instead of dealing with the heavy lifting of security and authentication. In the past, it was often necessary to embed credentials into an application and then develop complex systems to ensure that users only had access to their data. For example, an application might need a key to obtain a token to access an API, a username and password to retrieve a user's account from that API, and yet another set of credentials to call a service to read and write data. Cognito and the AWS SDKs simplify all of this to a few lines of code. Plus, an OIDC provider allows authentication for any user, regardless of where that user's identity is stored or what device they're using.
As part of the rollout of OIDC support in Cognito, AWS gave us the opportunity to test the functionality and interoperability of the service with our products, and we're happy to announce that using PingFederate as an OIDC provider to access Cognito is fully supported.
Regardless of whether your identities are stored behind your firewall or in the cloud, PingFederate can authenticate your users and provide a standard ID token that can be used to access Cognito as well as other AWS services, simply and securely.
The user accesses the application and chooses to sign on.
The application redirects the user to PingFederate. After optionally choosing an identity provider, the user is authenticated and PingFederate issues an OIDC ID token to the application.
The application validates the ID token (signature, issuer, audience, expiry and nonce, as OIDC Core requires of the client) and then exchanges it for a Cognito token.
The application exchanges the Cognito token for temporary, limited-privilege AWS credentials (access key, secret key and session token) scoped by the IAM role configured for the identity pool.
The application uses the AWS token to access AWS services, such as DynamoDB.
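The flow above, as an added example (not code from the original post, PingFederate or AWS): an application-side ID token check followed by the two Cognito exchanges. The issuer URL, client ID, client secret, provider name, identity pool and role ARN are assumed placeholders; the token is signed with HS256 and the client secret so the validation part runs offline with the standard library only (PingFederate deployments more commonly use RS256 with keys from the provider's JWKS endpoint, in which case the signature step uses the public key instead). The Cognito and STS calls use boto3 methods (get_id, get_open_id_token, assume_role_with_web_identity) and need network access and an AWS account.

```python
"""Validate an OIDC ID token, then exchange it for temporary AWS credentials via Cognito.
Added example; values marked 'assumed' are placeholders, not real configuration."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://sso.example.com"                    # assumed PingFederate issuer
CLIENT_ID = "cognito-mobile-app"                      # assumed OAuth client ID
CLIENT_SECRET = b"demo-only-secret-0123456789abcdef"  # assumed; HS256 signing key
CLOCK_SKEW = 60                                       # tolerated clock drift, seconds


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Return the claims if every OIDC Core check passes, otherwise raise ValueError.

    The algorithm is pinned to HS256 so an 'alg: none' token or a downgraded
    header is refused before any signature check; all comparisons of secrets
    and nonces are constant-time.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad base64, bad JSON, wrong segment count
        raise ValueError("malformed token") from exc

    if header.get("alg") != "HS256" or header.get("typ", "JWT") != "JWT":
        raise ValueError("unexpected alg/typ")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(CLIENT_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_sig):
        raise ValueError("bad signature")

    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences without matching azp")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch")
    return claims


def mint_demo_id_token(claims: dict) -> str:
    """Constructed stand-in for the token PingFederate would issue (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def exchange_for_aws_credentials(id_token: str, identity_pool_id: str, role_arn: str,
                                 provider_name: str = "sso.example.com",
                                 region: str = "us-east-1") -> dict:
    """Steps 3 and 4 of the flow: ID token -> Cognito token -> temporary AWS credentials.

    provider_name is the IAM OIDC provider name Cognito expects as the Logins key
    (the PingFederate host without scheme); assumed here. Requires boto3 and network.
    """
    import boto3  # lazy import keeps the offline validation free of AWS dependencies

    cognito = boto3.client("cognito-identity", region_name=region)
    logins = {provider_name: id_token}
    identity_id = cognito.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    cognito_token = cognito.get_open_id_token(IdentityId=identity_id, Logins=logins)["Token"]
    sts = boto3.client("sts", region_name=region)
    return sts.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=identity_id.replace(":", "-"),  # session names may not contain ':'
        WebIdentityToken=cognito_token,
    )["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


if __name__ == "__main__":
    t = int(time.time())
    demo = mint_demo_id_token({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                               "iat": t, "exp": t + 300, "nonce": "n-1"})
    print("validated subject:", validate_id_token(demo, "n-1")["sub"])
```

The returned credentials are what the SDK then uses for DynamoDB or any other service the identity pool's role permits; they expire, so the application should repeat the exchange rather than cache them past the Expiration field. Cognito also offers an enhanced flow (get_credentials_for_identity) that collapses the last two calls into one.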
To get started, you can learn more about PingFederate and download our OAuth Playground, which provides examples for both OIDC basic and implicit profiles. Installing PingFederate and configuring the Playground only takes a few minutes, and configuring AWS is as simple as adding PingFederate as an identity provider and then configuring Cognito to use it for your identity pool.
With a modular approach to authentication, PingFederate can leverage Active Directory (Kerberos), LDAP, relational databases and web access management (WAM) systems for authentication out of the box, and our SDK and RESTful APIs allow you to build custom integrations quickly. Additionally, PingFederate supports many multi-factor solutions, including our newest product, PingID, giving you another level of security not only for your AWS applications but for any application, anywhere, including SaaS and internal applications. PingFederate also provides built-in data source integrations and token issuance rules, allowing you to determine which users should have access to which applications based on criteria such as client type, location, authentication method and identity attributes.
Further, if you don't manage your own user identities, PingFederate can authenticate users at a third party using SAML, OAuth, OpenID or proprietary protocols, allowing you to delegate authentication to your partners or to cloud identity providers that are not natively supported by Cognito, such as Twitter or LinkedIn™.
Using a standards-based federation server like PingFederate not only allows you to centralize and standardize your identity management and authentication services, it also allows you to centrally audit access to all of your applications, regardless of where the user identity is stored or what method is used for authentication. By extending this to AWS, you can streamline your user management processes, audit access to all of your applications and provide a higher level of security whether the application is deployed on-premises or in the cloud.
Contact us to get more information and start securing your AWS applications today.