Implementing single sign-on in Elvis 6 using Amazon Cognito with an external SAML identity provider

This step consists of creating a user pool and defining a domain name.

Step 1. On the AWS Management Console page, enter Cognito in the Find Services list and click the found result.

The Amazon Cognito page appears.

Step 2. Click Manage User Pools.

The User Pools page appears.

Step 3. In the top right corner, click Create a users pool.

Setting up a users pool involves various steps. Each step has its own page. Refer to the navigation menu on the left side of the page.

• Name. Enter a pool name and click Step through settings.

• Attributes. Use this page to set up how you want your end users to sign in. When done, click Next step.

Notes: We advise to use the option Email address or phone number.Choose one of the available sub options: e-mail addresses, phone numbers, or both. In the section Which standard attributes do you want to require?, select email. In the section Do you want to add custom attributes?, click Add custom attribute to create a custom attribute for storing groups (or roles) from the external identity provider. Use the following values: (Note that these values cannot be changed once the pool has been created. The only way to change them will be to create a new user pool.) Type: string Name: groups Min Length: 1 Max length: 2048 Mutable: select

• Set up the following pages as required:
• Policies
• MFA and verifications
• Message customizations
• Tags
• Devices
• Triggers

For more information about these pages, see the Amazon documentation.

• App clients. Click Add an app client, add a name and set the other options to your needs. When done, click Create app client:

• Review. Review your settings and click Create pool.

Step 4. In the menu under App integration, click Domain name and follow the instructions on the page. When done, click Save changes.

Here, Microsoft Azure Active Director is used.

Step 1. Open the Azure Portal and navigate to Azure Active Directory.

Step 2. Go to Enterprise Applications and choose New application followed by Non-gallery application and give the application a name. Click Add to create the new application.

Step 3. In the newly created App, choose Single sign-on, followed by SAML.

Step 4. Edit the options as follows. When finished, click Save.

• Identifier: The ID of the Cognito user pool. Get this by accessing the General settings of your Cognito user pool. Enter it in the following format:

urn:amazon:cognito:sp:<AWS Cognito user pool ID>

• Reply URL: The Cognito Domain URL. Get this in the Domain name section of your Cognito user pool. Enter it in the following format:

<AWS Cognito Domain URL>/saml2/idpresponse

Step 5. Go to the next step 2 User Attributes & Claims. Add a new claim with the following settings. Leave all other claims as-is. When done, click Save.

• Name: roles
• Namespace: leave empty
• Source attribute: user.assignedroles

Step 6. In the SAML settings, go to step 3 SAML Signing Certificate and click Download for the option Federation Metadata XML. Save the file somewhere on your system, it is needed later in the process.

Step 1. In Cognito, go to Federation > Identity Providers > SAML. Upload the previously downloaded XML file and add a name. When done, click Create provider.

Step 2. Click Configure attribute mapping and set up the following configuration. When done click Save changes.

SAML attribute	User pool attribute
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress	Email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname	Given Name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname	Family Name
roles	custom:groups

Step 3. Go to App integration > App client settings and make the following changes. When finished click Save changes.

• Enabled Identity Provider: select Azure-AD (the name that was used in step 1).

• Sign in and sign out URLs:
• Callback URL: This URL consists of 2 parts: the URL of Elvis Server followed by /openid/callback

Example: https://elvis.mycompany.com/openid/callback

• Sign out URL: The URL of your Elvis Server.

Tip: Concatenate multiple URLs by separating them with a comma.

• OAuth 2.0:
• Allowed OAuth Flows: select Authorization code grant.
• Allowed OAuth Scopes: select all options:
• phone
• email
• openid
• aws.cognito.signin.user.admin
• profile

Step 1. In Azure, go to App registrations, choose the previously created App. In the menu, choose Manifest.

Step 2. In the appRoles section, add the following JSON. Verify each property and configure it to your needs. When done, click Save.

Notes: Replace the IDs with random generated GUIDs. Use a Web site such as https://www.guidgenerator.com to generate these. The 'value' property is the name of the group; this same name is later used when setting up groups in Elvis.

{
    "allowedMemberTypes": [
        "User"
    ],
    "description": "Designers role",
    "displayName": "Designers",
    "id": "YOUR GUID HERE",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "Designers"
},
{
    "allowedMemberTypes": [
        "User"
    ],
    "description": "Editors role",
    "displayName": "Editors",
    "id": "YOUR GUID HERE",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "Editors"
},

Step 3. Assign the role to an Active Directory user or group by doing the following:

Note: When no users exist yet, create these first.

1. Go to Enterprise Applications > your App > Users and groups.
2. Choose Add user.
3. Select Users and groups, select one or multiple users or groups and click Select.
4. Click Select Role, select one of the previously created roles and then click Assign.
5. Repeat these steps to assign additional roles.

In Elvis Server, a connection to the Elvis application in Cognito needs to be configured.

For this, we need information from Cognito.

Step 1. In Cognito, do the following:

• Under App integration, click Domain name and note down the full Cognito domain name.
• Under General settings, click App clients followed by Show details. Note down the App client id and the App client secret.

Step 2. In the Elvis Management Console, access the Single sign-on page and fill in all fields. When done, click Activate in the top right corner.

• SSO provider: Cognito
• Provider URL: the full Cognito domain name.
• Client ID: the Cognito App Client ID.
• Client Secret code: the Cognito App Client Secret.
• Redirect URL: the Elvis URL.

Examples: Provider URL: https://elvis-mycompany.auth.eu-west-1.amazoncognito.com Client ID: 4jnjgoe6mrnov1dvq6i1t5060j Client Secret code: 1smtk2spaejt1lh2udi0uesuv73veck4sp3kd6cnhhe7hi57f05v Redirect URL: https://elvis-mycompany.com

Note: Should you at this stage log out of Elvis Server, the activated SSO implementation is in use which is not yet fully operational. To log back in to the Management Console, use the following URL: <your Elvis Server URL>/app/#/signin.

Step 1. In Elvis, access the Management Console and open the Permissions > Groups page and assign permissions.

Note: Create groups with the exact same names that were configured as roles in Azure (see the 'value' property in the JSON as part of setting up application roles in Azure.)

Test the implementation by logging in to Elvis using the various applications:

• The Pro client
• The Brand portal
• The Management Console
• Elvis in InDesign

Test the scenario where the user is not yet logged in to Cognito and where the user is already logged in to Cognito. Follow the steps on screen.