In the previous blog, we saw how to secure API Gateway using custom authorizer which talks to OpenAM. In this blog, we are going to see how to secure API Gateway using AWS Cognito and OAuth2 scopes.

Any organization building an API based architecture has to build a common security layer around these APIs, basically on the edge so that all the APIs are secured. There are multiple ways to build API security like writing some filters in the case of Java / J2EE application, installing some agents in front of APIs which can make policy decisions etc. One of…

AWS SSO is a cloud-based single sign-on (SSO) service that makes it easy to centrally manage SSO access to all of your AWS accounts and cloud applications.

What is the role of AWS SSO?

If you consider any organization, employees in that organization will have access to multiple applications. These applications can be custom built or third-party SaaS apps. Some examples timesheet app, payroll app or a intranet web portal. If the organization has an enterprise Identity provider, employees will be able to Single Sign-on to all these apps.

One way to make this work is to build a dashboard with links to all these internal &…

In Identity & Access Management, Federation is one of the most important concept. With more and more organizations building an enterprise IAM system, all the organizations wants to use Federation to single sign-on the user to different applications. Even though SAML is generally used for Account Mapping or Account Linking use cases, technically it should work with OpenID Connect (OIDC) as well. For this blog, let’s use SAML. Examples of some applications :

  • Timesheet
  • Payroll
  • SaaS application hosted by a third-party

In the Federation world, there are two main concepts :

  • Account Mapping
  • Account Linking

Account Mapping

SAML Spec explains the most…

In the previous blog, we saw how to secure APIs using OAuth2 client credentials grant. This OAuth grant is used mainly for machine to machine or app to app API authorization. If the authorization needs to be performed at an user level, we have to use OpenID Connect which adds an identity layer on top of OAuth layer. At a very high level, difference OAuth2 and OIDC w.r.t tokens is that OAuth 2 generates only access token + optional refresh token where as OIDC generates an id token + access token + optional refresh token. …

This blog explains a very simple ALB setup which forwards request to a ec2 server which has a tomcat application. ALB serves HTTPS request where as tomcat has only HTTP enabled.

Please follow these steps to configure this :

Step 1 : Create a ec2 instance

  • Login to AWS management console and select EC2 service
  • Click Launch Instance and select the Amazon Linux AMI that has Java as part of the Linux AMI. In the below screenshot, the second AMI has Java included in the Linux image.

AWS IoT has added a new feature using which devices can authenticate with a third-party Identity Provider and invoke the AWS IoT APIs to interact with other devices or APIs.

Use Case :

Build a IoT infrastructure using a enterprise Identity provider which supports Device OAuth 2.0 protocol. If an organization wants to build Apps for devices like TV, Gaming console or printer etc. which has limited input device and integrate with AWS IoT, OAuth 2.0 Device flow can be used.

  1. User selects the App in TV, Gaming Console, printer or similar devices which has limited input option, but connected to internet
  2. Device…

SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) are the most widely used federation protocols for web based single sign-on. In the case of SAML, the most commonly used flow is Redirect/POST Bindings (SP or IDP initiated) and in the case of OIDC, it is Authorization code flow.

The below diagram depicts these 2 flows. It shows the control flow when a user tries to login to a application (SP — using a SAML or a OIDC flow.

I am also planning to publish videos on the basics of SAML and OIDC in YouTube channel. …

In this blog, we are going to setup Account Linking between a Alexa Skill and ForgeRock OpenAM using OAuth2 Authorization grant. To know more about Alexa Account Linking, refer this link.

Below is the flow diagram :

  1. User invokes a skill in Alexa device, say Echo
  2. Echo will invoke the Alexa service
  3. Alexa service will identify the correct skill depending on user’s request and send a request to the Alexa skill
  4. Alexa skill will identify the correct intent and forward the request to Lambda function along with the access_token if it already exists
  5. Lambda function will retrieve the access_token from…

In the previous blog, we did a SAML Federation setup between AWS Cognito and OpenAM using OpenID Connect and SAML. In this blog, we are going to extend this setup to map OpenAM roles to Cognito Role-Based Access Control.

Cognito provides rich set of features for RBAC like assigning different roles to Authenticated / Anonymous users, rule based mapping to assign roles to users. Roles are basically AWS IAM roles which defines permissions to access various AWS services like S3, API Gateway, DynamoDB, EC2 etc.

Use Case

Many organizations have in house IAM systems which typically uses a LDAP based user store…

AWS Cognito is a fully managed service that provides a secure user directory that scales to hundreds of millions of users. It also provides sign in through social identity providers such as Google, Facebook, and Amazon, and through enterprise identity providers via SAML. Amazon Cognito also provides solutions to control access to backend AWS resources from your mobile or web app. You can define roles and map users to different roles so your app can access only the resources that are authorized for each user.

Use Case:

Let us consider an organization which uses ForgeRock OpenAM as the enterprise Identity…


Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store