AWS Cognito as Custom IDP With LoginRadius
This document provides a step-by-step guide to configuring an AWS Cognito application as a Custom IDP using the OAuth workflow with your LoginRadius application.
Requirements:
- AWS account with AWS Cognito access to create the user pool.
- LoginRadius Admin Console access to add a new Custom IDP.
Configuration in AWS:
1. Log in to the AWS console and navigate to Services > Security, Identity, & Compliance > Cognito.
2. In Manage User Pools, click on the Create user pool button, enter the Pool name, and click on Step through settings.
3. On the Attributes tab, select how users will sign in (Username, or Email address/Phone number), then add the attributes that need to be gathered from the users.
4. On the App clients tab, click on Add an app client.
5. Fill in all the required fields as highlighted in the screenshot below.
6. On the Review tab, click on the Create pool button to create the user pool.
7. After creating the pool, navigate to the Domain name tab. Enter the domain prefix and check for availability. If the domain is available, save the changes by clicking on the Save changes button.
8. After setting up the domain name, navigate to the App client settings tab and enable the options highlighted in the screenshot.
For Callback URLs, enter https://<lrSiteName>.hub.loginradius.com:443/socialauth/validate.sauth
To find the app name, check the Dashboard page: https://console.loginradius.com/tenant/settings.
e.g.: https://<APP Name>.hub.loginradius.com:443/socialauth/validate.sauth, then click on the Save changes button.
9. After configuring the app client, navigate to the Users and groups tab and click on Create user to create a user for testing.
10. After clicking the Create user button, enter the user details as shown in the screenshot below.
11. After creating the user, note the following details; they are entered on the LoginRadius Custom IDP OAuth configuration page.
Data to be used in LoginRadius:
Domain
To find the domain, navigate to the App integration tab and copy the Domain.
Application Key and Secret
To find the Application Key of your client, navigate to App clients.
To find the secret, click on the Show Details button.
LoginRadius IDP configuration:
1. Navigate to Platform Configuration > Authentication Configuration > Custom IDPs in the Admin Console.
2. Go to OAuth Provider and click on the Add Provider button.
3. Enter the details of your IDP as follows:
1. Provider Name- Enter any desired unique name for your app, e.g., awscognito. This name will be displayed under the social login forms in the LoginRadius Identity Framework page as well as on the social login form rendered by LoginRadius V2.js library on the customer’s web application.
2. Customer Login Endpoint - Enter the endpoint of your Amazon user pool domain as follows:
Format: https://your_domain/oauth2/authorize
To find the domain, follow the steps under Data to be used in LoginRadius above.
e.g.: https://testlr.auth.us-east-1.amazoncognito.com/oauth2/authorize
3. Access Token Endpoint - Enter the endpoint of your Amazon user pool domain as follows:
Format: https://your_domain/oauth2/token
To find the domain, follow the steps under Data to be used in LoginRadius above.
e.g.: https://testlr.auth.us-east-1.amazoncognito.com/oauth2/token
4. Application Key - To find the Application Key in Cognito, follow the steps under Application Key and Secret above.
5. Application Secret - To find the Application Secret in Cognito, follow the steps under Application Key and Secret above.
6. Scope- email openid
7. Response Type- code
8. Customer Profile Endpoint - Enter the endpoint of your Amazon user pool domain as follows:
Format: https://your_domain/oauth2/userInfo
To find the domain, follow the steps under Data to be used in LoginRadius above.
e.g.: https://testlr.auth.us-east-1.amazoncognito.com/oauth2/userInfo
9. Request Token Http Method- Post
10. Header
| Key | Value |
|---|---|
| Authorization | Bearer #accesstoken# |
11. Data Mapping
The two fields below are mandatory to create an account in LoginRadius.
| Fields | Value |
|---|---|
| ID | sub |
12. After providing all the data, click on the Save button to save the provider.
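As an added example (not LoginRadius' or AWS' own code), the following Python builds the three OAuth requests that the settings above describe against a Cognito user pool domain and applies the ID <- sub data mapping, rejecting a callback whose state does not match and a profile without a sub. The domain reuses the page's example; the app client id/secret, state value and userInfo payload used with it are constructed placeholders, and sending the client credentials in an HTTP Basic header is one of the token-endpoint options, not something the page itself configures.

```python
import base64
from urllib.parse import urlencode, urlparse, parse_qs

# Domain taken from the page's own example; everything else is constructed.
COGNITO_DOMAIN = "testlr.auth.us-east-1.amazoncognito.com"


def authorize_url(domain, client_id, redirect_uri, state, scope="email openid"):
    """Customer Login Endpoint (/oauth2/authorize) with Response Type 'code',
    Scope 'email openid' and a per-login state value that binds the callback."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"https://{domain}/oauth2/authorize?" + urlencode(params)


def validate_callback(returned_url, expected_state):
    """The redirect to validate.sauth must carry the state we issued and a code;
    anything else is rejected before any token exchange happens."""
    qs = parse_qs(urlparse(returned_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this login")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def token_request(domain, client_id, client_secret, code, redirect_uri):
    """Access Token Endpoint: POST /oauth2/token (Request Token Http Method 'Post').
    Client id/secret travel in an HTTP Basic header, never in the query string;
    redirect_uri must match the registered Callback URL exactly."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"method": "POST", "url": f"https://{domain}/oauth2/token",
            "headers": {"Authorization": f"Basic {basic}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"grant_type": "authorization_code", "client_id": client_id,
                               "code": code, "redirect_uri": redirect_uri})}


def userinfo_request(domain, access_token):
    """Customer Profile Endpoint with the page's header 'Authorization: Bearer #accesstoken#'."""
    return {"method": "GET", "url": f"https://{domain}/oauth2/userInfo",
            "headers": {"Authorization": f"Bearer {access_token}"}}


def map_profile(userinfo):
    """Data Mapping: the mandatory LoginRadius ID comes from Cognito's 'sub' claim."""
    if not userinfo.get("sub"):
        raise ValueError("userInfo has no 'sub'; LoginRadius cannot create the account")
    return {"ID": userinfo["sub"], "Email": userinfo.get("email")}
```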
To test the Custom IDP in LoginRadius:
- Go to the App URL https://<lrSiteName>.hub.loginradius.com/.
- Click on the icon with the name of the social provider you gave on the LoginRadius configuration page.
- After redirection to the AWS Cognito UI, enter the credentials of the user you created in the Cognito User Pool.
- After successful authentication, you will be redirected to the profile page in the IDX.