Logging in to Assets Server using single sign-on (SSO) via Amazon Cognito is one of the ways of logging in to Assets Server using SSO.
This article describes how to implement Cognito in Assets Server with Cognito also acting as the identity provider.
Note: For information about using Cognito in combination with an external identity provider, see Implementing single sign-on in Assets Server using Amazon Cognito with an external SAML identity provider.
Before you start
Before you start, make sure that:
- You have an active Amazon AWS account.
- The Assets Server environment in which Cognito is implemented has a fully working Assets Server and fully working client applications.
- When making use of LDAP, disable it.
The implementation consists of the following steps:
- Setting up Cognito
- Configuring Assets Server
- Setting up permissions and users
- Testing the implementation
Each step is described below.
Info: Use the filter to only display information for one step.
Step 1. Setting up Cognito
This involves the following steps:
- Creating a user pool and app client
- Modifying the app client settings
- Setting up groups
1. Creating a user pool
Step 1. On the AWS Management Console page, enter Cognito in the Find Services list and click the found result.
The Amazon Cognito page appears.
Step 2. Click Manage User Pools.
The User Pools page appears.
Step 3. In the top right corner, click Create a users pool.
Setting up a users pool involves various steps. Each step has its own page. Refer to the navigation menu on the left side of the page.
- Name. Enter a pool name and click Step through settings.
- Attributes. Use this page to set up how you want your end users to sign in. When done, click Next step.
- Set up the following pages as required:
- MFA and verifications
- Message customizations
For more information about these pages, see the Amazon documentation.
- App clients. Click Add an app client, add a name and set the other options to your needs. When done, click Create app client:
- Review. Review your settings and click Create pool.
2. Modifying the app client settings
Step 1. In the menu under App integration, click App client settings and set up the page as outlined below. When done, click Save changes.
Note: All URLs need to be in HTTPS format; the only exception is localhost.
- Enabled Identity Providers. Select Cognito User Pool.
- Sign in and sign out URLs:
- Callback URL: This URL consists of 2 parts: the URL of Assets Server followed by /openid/callback
- Sign out URL: The URL of your Assets Server.
Tip: Concatenate multiple URLs by separating them with a comma.
- OAuth 2.0:
- Allowed OAuth Flows: select Authorization code grant.
- Allowed OAuth Scopes: select all options:
Step 2. In the menu under App integration, click Domain name and follow the instructions on the page. When done, click Save changes.
3. Setting up groups
Step 1. Go to Users & groups, followed by Groups. Click Create group. Enter a name, leave the other fields to the default settings. When done, click Create group.
Note: Names of groups cannot contain spaces.
Step 2. Create as many groups as needed.
Step 2. Configuring Assets Server
In Assets Server, a connection to the Assets Server application in Cognito needs to be configured.
For this, we need information from Cognito.
Step 1. In Cognito, do the following:
- Under App integration, click Domain name and note down the full Cognito domain name.
- Under General settings, click App clients followed by Show details. Note down the App client id and the App client secret.
Step 2. In the Management Console, access the Single sign-on page and fill in all fields. When done, click Activate in the top right corner.
- SSO provider: Cognito
- Provider URL: the full Cognito domain name.
- Client ID: the Cognito App Client ID.
- Client Secret code: the Cognito App Client Secret.
- Redirect URL: the Assets Server URL.
Note: Should you at this stage log out of Assets Server, the activated SSO implementation is in use which is not yet fully operational. To log back in to the Management Console, use the following URL: <your Assets Server URL>/app/#/signin.
Step 3. Setting up permissions and users
This involves the following steps:
- In Assets Server: Setting up permissions for the user groups created in Cognito.
- In Assets Server: Preventing users who are not part of a group from logging in.
- In Cognito: Creating users, inviting them and adding them to a group.
Step 1. In Assets Server, access the Management Console and open the Permissions > Groups page. Create groups with the exact same names that were used in Cognito, and assign permissions.
Step 3. While still in the Management Console, access the Server configuration > Cluster properties page, search for the following option and set it to true:
Note: Setting this option to true prevents users who are not part of a group from logging in. When this option is set to false, such users are able to log in which results in a blank page being shown and a license being taken up.
Step 3. In Cognito, go to Users & groups, followed by Users. Click Create user. Set up the fields as needed. When done, click Create user.
Step 4. For the user in Cognito, click Add to group and select the group that the user should be part of. When done, click Add to group.
Step 4. Testing the implementation
Test the implementation by logging in to Assets Server using the various applications:
- The Brand portal
- The Management Console
- Assets for InDesign
Test the scenario where the user is not yet logged in to Cognito and where the user is already logged in to Cognito. Follow the steps on screen.
- 4 April 2023: Updated section 3 'Setting up permissions and users' with information about setting the security.login.userTypeRequired option.
Do you have corrections or additional information about this article? Leave a comment! Do you have a question about what is described in this article? Please contact Support.
Please sign in to leave a comment.