Logging in to Enterprise using single sign-on (SSO) via Amazon Cognito is one of the ways of logging in to Enterprise using SSO.
This article describes how to implement Cognito in Enterprise to act as the identity provider.
Using Cognito in Enterprise 10 requires the following:
- Enterprise Server 10.9 or any higher version of Enterprise Server
- Content Station Aurora 11.43 or higher and its accompanying Desktop application
- One of the following versions of Smart Connection:
- Smart Connection 12.3.0 for Adobe CC 2017 or higher
- Smart Connection 13.1 for Adobe CC 2018 or higher
- Smart Connection 14.1 for Adobe CC 2019 or higher
- Any version of Smart Connection for higher versions of Adobe InDesign or InCopy.
Before you start
Before you start, make sure that:
- You have an active Amazon AWS account.
- The Enterprise environment in which Cognito is implemented has a fully working Enterprise Server and fully working client applications.
- When making use of LDAP, disable it.
Notes about setting up users and user groups in Enterprise Server:
The implementation consists of setting up Cognito, Enterprise Server, and the client applications. Finally, the implementation needs to be tested.
This involves the following steps:
- Creating a user pool and app client
- Modifying the app client settings
- Setting up groups
Step 1. On the AWS Management Console page, enter Cognito in the Find Services list and click the found result.
The Amazon Cognito page appears.
Step 2. Click Manage User Pools.
The User Pools page appears.
Step 3. In the top right corner, click Create a users pool.
Setting up a users pool involves various steps. Each step has its own page. Refer to the navigation menu on the left side of the page.
- Name. Enter a pool name and click Step through settings.
- Attributes. Use this page to set up how you want your end users to sign in. When done, click Next step.
- Set up the following pages as required:
- MFA and verifications
- Message customizations
For more information about these pages, see the Amazon documentation.
- App clients. Click Add an app client, add a name and set the other options to your needs. When done, click Create app client:
- Review. Review your settings and click Create pool.
Step 1. In the menu under App integration, click App client settings and set up the page as outlined below. When done, click Save changes.
Note: All URLs need to be in HTTPS format; the only exception is localhost.
- Enabled Identity Providers. Select Cognito User Pool.
- Sign in and sign out URLs:
- Callback URL: This URL consists of 2 parts: the URL of Enterprise Server followed by /openid/callback
- Sign out URL: The URL of your Enterprise Server.
Tip: Concatenate multiple URLs by separating them with a comma.
- OAuth 2.0:
- Allowed OAuth Flows: select Authorization code grant.
- Allowed OAuth Scopes: select all options:
Step 2. In the menu under App integration, click Domain name and follow the instructions on the page. When done, click Save changes.
Step 1. Go to Users & groups, followed by Groups. Click Create group. Enter a name, leave the other fields to the default settings. When done, click Create group.
Note: Names of groups cannot contain spaces.
Step 2. Create as many groups as needed.
In Enterprise Server, a connection to the Enterprise application in Cognito needs to be configured.
For this, information from Cognito is needed.
Step 1. In Cognito, do the following:
- Under General settings, click App clients followed by Show details. Note down the App client id and the App client secret.
Step 2. In Enterprise Server, add and configure the following settings in the config_overrule.php file:
define( 'OPENID_ISSUER_URL', '' );
define( 'OPENID_CLIENT_ID', '' );
define( 'OPENID_CLIENT_SECRET', '' );
- OPENID_ISSUER_URL. The URL has a fixed format:
Example: URL for a user pool with ID 'u123456' in the us-east-1 region:
- OPENID_CLIENT_ID. The client ID as copied in step 1.
- OPENID_CLIENT_SECRET. The App client secret as copied in step 1.
Set up the client applications as follows:
- Content Station Aurora
- License configuration. Content Station is available in two types, each with their own license: Content Station Print and Content Station Multichannel. When logging in using SSO, Content Station uses the first license type that is configured in the config.js file. When only one license type is used, make sure that it is listed at the top or listed as the only license. When both license types are used, set up 2 separate instances of Content Station, each with their own config.js configuration.
- Smart Connection
- No additional setup is required.
Test the implementation by logging in to Enterprise using the various applications:
- The Enterprise Server Maintenance pages
- Content Station Aurora
- Smart Connection for Adobe CC 2018 or higher
Test the scenario where the user is not yet logged in to Cognito and where the user is already logged in to Cognito. Follow the steps on screen.
Mapping SSO users with Enterprise Server user accounts
Mapping an Cognito user with the properties for a user in Enterprise Server is done through the 'OPENID_FIELD_MAPPING' setting in the config_overrule.php file.
The following Enterprise properties can be mapped:
Do you have corrections or additional information about this article? Leave a comment! Do you have a question about what is described in this article? Please contact Support.
Please sign in to leave a comment.