Logging in to Assets Server using single sign-on (SSO) via Amazon Cognito is one of the ways of logging in to Assets Server using SSO.
This article describes how to implement Cognito in Assets Server in combination with an external SAML identity provider.
Notes:
|
Before you start
Before you start, make sure that:
- You have an active Amazon AWS account.
- You have an active Microsoft Entra ID account.
- The Assets Server environment in which Cognito is implemented has a fully working Assets Server and fully working client applications.
- When making use of LDAP, disable it.
Implementation
The implementation consists of the following steps:
- Setting up Cognito
- Setting up the external identity provider
- Setting up Entra ID in Cognito
- Setting up application roles in Entra ID
- Configuring Assets Server
- Setting up permissions in Assets Server
- Testing the implementation
Info: Use the filter to only show information for one step.
|
1. Setting up Cognito
This step consists of creating a user pool and defining a domain name.
Step 1. On the AWS Management Console page, enter Cognito in the Find Services list and click the found result.
The Amazon Cognito page appears.
Step 2. Click Manage User Pools.
The User Pools page appears.
Step 3. In the top right corner, click Create a users pool.
Setting up a users pool involves various steps. Each step has its own page. Refer to the navigation menu on the left side of the page.
- Name. Enter a pool name and click Step through settings.
- Attributes. Use this page to set up how you want your end users to sign in. When done, click Next step.
Notes:
|
- Set up the following pages as required:
- Policies
- MFA and verifications
- Message customizations
- Tags
- Devices
- Triggers
For more information about these pages, see the Amazon documentation.
- App clients. Click Add an app client, add a name and set the other options to your needs. When done, click Create app client:
- Review. Review your settings and click Create pool.
Step 4. In the menu under App integration, click Domain name and follow the instructions on the page. When done, click Save changes.
2. Setting up the external identity provider
Here, Microsoft Entra ID is used.
Note: The images still show references to the previous name Azure Active Directory (it was renamed to Entra ID in 2023).
Step 1. Open the Entra ID Portal and navigate to Entra ID.
Step 2. Go to Enterprise Applications and choose New application followed by Non-gallery application and give the application a name. Click Add to create the new application.
Step 3. In the newly created App, choose Single sign-on, followed by SAML.
Step 4. Edit the options as follows. When finished, click Save.
- Identifier: The ID of the Cognito user pool. Get this by accessing the General settings of your Cognito user pool. Enter it in the following format:
urn:amazon:cognito:sp:<AWS Cognito user pool ID>
- Reply URL: The Cognito Domain URL. Get this in the Domain name section of your Cognito user pool. Enter it in the following format:
<AWS Cognito Domain URL>/saml2/idpresponse
Step 5. Go to the next step 2 User Attributes & Claims. Add a new claim with the following settings. Leave all other claims as-is. When done, click Save.
- Name: roles
- Namespace: leave empty
- Source attribute: user.assignedroles
Step 6. In the SAML settings, go to step 3 SAML Signing Certificate and click Download for the option Federation Metadata XML. Save the file somewhere on your system, it is needed later in the process.
3. Setting up Entra ID in Cognito
Step 1. In Cognito, go to Federation > Identity Providers > SAML. Upload the previously downloaded XML file and add a name. When done, click Create provider.
Step 2. Click Configure attribute mapping and set up the following configuration. When done click Save changes.
SAML attribute | User pool attribute |
---|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Given Name |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Name |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Family Name |
roles | custom:groups |
Step 3. Go to App integration > App client settings and make the following changes. When finished click Save changes.
- Enabled Identity Provider: select Entra ID (the name that was used in step 1).
- Sign in and sign out URLs:
- Callback URL: This URL consists of 2 parts: the URL of Assets Server followed by /openid/callback
Example: https://assets.server.mycompany.com/openid/callback
- Sign out URL: The URL of your Assets Server.
Tip: Concatenate multiple URLs by separating them with a comma.
- OAuth 2.0:
- Allowed OAuth Flows: select Authorization code grant.
- Allowed OAuth Scopes: select all options:
- phone
- openid
- aws.cognito.signin.user.admin
- profile
4. Setting up application roles in Entra ID
Step 1. In Entra ID, go to App registrations, choose the previously created App. In the menu, choose Manifest.
Step 2. In the appRoles section, add the following JSON. Verify each property and configure it to your needs. When done, click Save.
Notes:
|
{
"allowedMemberTypes": [
"User"
],
"description": "Designers role",
"displayName": "Designers",
"id": "YOUR GUID HERE",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Designers"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Editors role",
"displayName": "Editors",
"id": "YOUR GUID HERE",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "Editors"
},
Step 3. Assign the role to an Active Directory user or group by doing the following:
Note: When no users exist yet, create these first.
- Go to Enterprise Applications > your App > Users and groups.
- Choose Add user.
- Select Users and groups, select one or multiple users or groups and click Select.
- Click Select Role, select one of the previously created roles and then click Assign.
- Repeat these steps to assign additional roles.
5. Configuring Assets Server
In Assets Server, a connection to the Assets Server application in Cognito needs to be configured and users who are not part of a group should be prevented from logging in.
Step 1. In Cognito, obtain the needed information by doing the following:
- Under App integration, click Domain name and note down the full Cognito domain name.
- Under General settings, click App clients followed by Show details. Note down the App client id and the App client secret.
Step 2. In the Management Console, access the Single sign-on page and fill in all fields. When done, click Activate in the top right corner.
- SSO provider: Cognito
- Provider URL: the full Cognito domain name.
- Client ID: the Cognito App Client ID.
- Client Secret code: the Cognito App Client Secret.
- Redirect URL: the Assets Server URL.
Examples:
|
Note: Should you at this stage log out of Assets Server, the activated SSO implementation is in use which is not yet fully operational. To log back in to the Management Console, use the following URL: <your Assets Server URL>/app/#/signin.
Step 3. While still in the Management Console, access the Server configuration > Cluster properties page, search for the following option and set it to true:
- security.login.userTypeRequired
Note: Setting this option to true prevents users who are not part of a group from logging in. When this option is set to false, such users are able to log in which results in a blank page being shown and a license being taken up.
6. Setting up permissions in Assets Server
In Assets Server, a connection to the Assets Server application in Okta needs to be configured and users who are not part of a group should be prevented from logging in.
Step 1. In Assets Server, access the Management Console and open the Permissions > Groups page and assign permissions.
Note: Create groups with the exact same names that were configured as roles in Entra ID (see the 'value' property in the JSON as part of setting up application roles in Entra ID.)
7. Testing the implementation
Test the implementation by logging in to Assets Server using the various applications:
- Assets
- The Brand portal
- The Management Console
- Assets for InDesign
Test the scenario where the user is not yet logged in to Cognito and where the user is already logged in to Cognito. Follow the steps on screen.
Troubleshooting
Error appears when testing the Single Sign-On configuration in Entra ID: "Required String parameter ‘RelayState’ is not present".
This is a known issue but it does not affect the actual working of the integration. Please ignore this error.
Logging in to Assets Server works, but the assigned permissions are not applied.
This is probably caused by the roles that are not correctly passed from Entra ID to Cognito.
Validate this by navigating to the auto-generated user in Cognito: go to Users and groups, select the user and make sure that custom:groups contains the groups (roles) that were assigned in Entra ID.
If the custom:groups property is not shown, validate both Entra ID and Cognito settings. If the issue is not resolved, try re-creating the Cognito User Pool from scratch.
FAQs
Can Entra ID groups be passed instead of creating application roles?
This is possible but not advisable. The reason is that only Entra ID group GUIDs can be passed as SAML attributes. This would result in creating a group named '9cd1c033-efad-4a96-9e8f-1650dc4137b0' in Assets Server instead of 'Designers'.
Are there limitations to the groups mapping, for example the number of groups?
Yes, the total length of the comma-separated custom groups string must not exceed 2048 characters; this is a limitation in Cognito.
Comment
Do you have corrections or additional information about this article? Leave a comment! Do you have a question about what is described in this article? Please contact Support.
2 comments
Mid August 2023, Azure Active Directory changed name to Microsoft Entra ID.
Hi Siebrand,
Thanks for the heads-up, all references in the article have now been updated.
Best regards,
Maarten van Kleinwee
Senior Technical Writer, WoodWing Software
Please sign in to leave a comment.