Configure Amazon Cognito for the OIDC SSO Module
1 Introduction
Amazon Cognito is a secure, scalable customer identity and access management platform. The OpenID Connect (OIDC) SSO module allows end-users of your Mendix app to log in via single sign-on (SSO) using the OIDC protocol.
This how-to describes the steps required to enable your app to use the OIDC SSO module with Amazon Cognito as the identity provider.
2 Configuring Amazon Cognito
To configure Amazon Cognito for the OIDC SSO module, follow these steps:
- Optional: If you are using the AWS test environment with Amazon Cognito set as the user pool, you must verify the email addresses by doing the following steps:
- Create a user pool for Amazon Cognito by doing the following steps:
    - In the AWS Management Console, open the Amazon Cognito service.
    - Select the region where you want to create the user pool, and then click Create user pool.
    - Follow the Create user pool wizard to configure the sign-in and sign-up options, the security requirements, and message delivery.
    - In the Integrate your app step of the wizard, enter a name for your user pool and leave the other settings at their defaults.
    - Review and create the user pool.
- Add users to the user pool by doing the following steps:
- Configure the app integration by doing the following steps:
    - Go to the App integration tab of the user pool that you created.
    - In the App clients and analytics section, click Create app client.
    - On the Create app client page, configure the following settings:
        - App type - Public client
        - App client name - Enter a descriptive app client name
        - Client secret - Select Generate a client secret. The Mendix app exchanges the authorization code server-side, so the secret never reaches the browser; the OIDC SSO module presents it to the token endpoint when it authenticates as the client.
        - Authentication flows - Select ALLOW_USER_PASSWORD_AUTH
        - Authentication flow session duration - Enter a value from 3 to 15 (minutes)
        - Allowed callback URLs - Enter a URL in the following format (Cognito accepts only https callback URLs, apart from localhost):
          https://<your-app-url>/oauth/v2/callback
        - Allowed sign-out URLs - This setting is optional, and you may leave it blank
        - Identity providers - Select Cognito user pool
        - OAuth 2.0 grant types - Select Authorization code grant only; do not enable Implicit grant, which returns tokens in the browser URL fragment
    - Save your changes.
    - Open the app client that you created.
    - In the App client information section, copy the Client ID and the Client secret, and save them in a secure location. The client secret is a credential for your app: do not commit it to source control or paste it into pages, logs, or tickets.
    - Go back to the user pool that you created.
    - On the App integration tab, in the Domain section, copy the Cognito domain and save it in a secure location.
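The app-client settings from the procedure above, as an added example that is not part of the original page and not Mendix or AWS code: the same configuration expressed as a boto3 cognito-idp CreateUserPoolClient request, with the checks a reviewer would apply (https-only callback, 3 to 15 minute session duration, code grant only) before anything is sent. The pool ID, client name and app URL are placeholders; the OAuth scopes and ALLOW_REFRESH_TOKEN_AUTH (which the console enables by default) are assumptions, because the how-to does not list them.

```python
# Added example (not Mendix or AWS code): build and validate the app-client
# settings from this how-to as a CreateUserPoolClient request.
from typing import Optional
from urllib.parse import urlparse

CALLBACK_PATH = "/oauth/v2/callback"  # path handled by the Mendix OIDC SSO module


def callback_url(app_url: str) -> str:
    """Derive the allowed callback URL from the app's base URL.

    Cognito rejects non-https callback URLs (apart from localhost), and an
    http callback would expose the authorization code on the wire.
    """
    parsed = urlparse(app_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"app URL must be https://<host>[:port], got {app_url!r}")
    return f"https://{parsed.netloc}{CALLBACK_PATH}"


def app_client_request(user_pool_id: str, client_name: str, app_url: str,
                       session_minutes: int = 3,
                       logout_url: Optional[str] = None) -> dict:
    """Keyword arguments for boto3 cognito-idp.create_user_pool_client that
    mirror the console settings in this how-to."""
    if not 3 <= session_minutes <= 15:
        raise ValueError("authentication flow session duration must be 3-15 minutes")
    request = {
        "UserPoolId": user_pool_id,            # placeholder, form <region>_<id>
        "ClientName": client_name,
        # The Mendix server holds the secret and sends it with client_secret_post.
        "GenerateSecret": True,
        # ALLOW_USER_PASSWORD_AUTH is the flow the how-to selects;
        # ALLOW_REFRESH_TOKEN_AUTH is what the console enables by default (assumption).
        "ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
        "AuthSessionValidity": session_minutes,
        "CallbackURLs": [callback_url(app_url)],
        "SupportedIdentityProviders": ["COGNITO"],
        "AllowedOAuthFlowsUserPoolClient": True,
        "AllowedOAuthFlows": ["code"],       # authorization code grant only, never "implicit"
        "AllowedOAuthScopes": ["openid", "email", "profile"],  # assumed scopes
    }
    if logout_url:
        if urlparse(logout_url).scheme != "https":
            raise ValueError("sign-out URL must use https")
        request["LogoutURLs"] = [logout_url]
    return request


def create_app_client(request: dict) -> tuple:
    """Send the request with boto3 (needs AWS credentials and network) and
    return the client ID and secret for the Mendix OIDC client configuration."""
    import boto3  # imported here so the builder above works without boto3 installed
    region = request["UserPoolId"].split("_", 1)[0]  # pool IDs are <region>_<id>
    client = boto3.client("cognito-idp", region_name=region)
    created = client.create_user_pool_client(**request)["UserPoolClient"]
    return created["ClientId"], created["ClientSecret"]


if __name__ == "__main__":
    req = app_client_request("eu-west-1_ExampleId1", "mendix-oidc-sso",
                             "https://myapp.mendixcloud.com", session_minutes=5)
    print(req)  # review the request, then call create_app_client(req)
```

Store the returned secret in the same place you would keep any other application credential; the builder only prints the request so that it can be reviewed before the client is created.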
3 Configuring the Required Settings in Your Mendix App
After you configure the necessary settings in Amazon Cognito, you must create an OIDC client in your Mendix app that points at the user pool's discovery endpoint, and then add a button to sign in with Amazon Cognito.
- In your Mendix app, configure a new OIDC client, as described in OIDC SSO: OIDC Client Configuration. Make sure to configure the following settings:
    - Alias - Enter a descriptive name to identify your app
    - Client ID - Enter the app client ID that you obtained from the user pool in Amazon Cognito
    - Client secret - Enter the client secret that you obtained from the user pool in Amazon Cognito
    - Client authentication method - Select client_secret_post
    - Automatic Configuration URL - Enter a URL in the following format:
      https://cognito-idp.{the region where you created the user pool}.amazonaws.com/{your user pool ID}/.well-known/openid-configuration
      The user pool ID has the form {region}_{identifier} and is shown on the user pool's overview page; the region in the ID must match the region in the host name. For more information, see User pool OIDC and hosted UI API endpoints reference.
- Click Import Configuration to automatically fill the other endpoints. Check that the imported issuer is https://cognito-idp.{region}.amazonaws.com/{your user pool ID} and that the authorization and token endpoints are on the Cognito domain you copied earlier; if they are not, you have pointed the client at the wrong user pool.
- Click Save.
- Add an Amazon Cognito sign-in button to a page in your app.
  You can achieve this by adding the ACT_StartWebSignIn_Default nanoflow to the button. For more information about creating custom buttons, see Creating a Custom Save Button with a Microflow.
Users who are part of the user pool you created in Amazon Cognito can now log in with their Amazon Cognito username and password.
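The discovery-endpoint step above, as an added example that is not part of the original page and not Mendix or AWS code: it derives the Automatic Configuration URL from the region and user pool ID, refusing a pool ID whose region prefix does not match, and checks the discovery document against the settings chosen in Cognito (issuer, authorization code grant, client_secret_post, RS256, endpoints on the Cognito domain) before the values go into the Mendix OIDC client. SAMPLE_DOC is a constructed stand-in for the document Cognito serves; the region, pool ID and domain in it are placeholders.

```python
# Added example (not Mendix or AWS code): derive and check the Cognito
# discovery URL and document before configuring the Mendix OIDC client.
import json
import re
from urllib.request import urlopen

# <region>_<identifier>, e.g. eu-west-1_AbCdEfGhI (placeholder)
POOL_ID_RE = re.compile(r"^([a-z]{2}(?:-[a-z]+)+-\d)_[A-Za-z0-9]+$")
WELL_KNOWN = "/.well-known/openid-configuration"


def discovery_url(region: str, user_pool_id: str) -> str:
    """Build the Automatic Configuration URL; refuse a pool ID whose region
    prefix does not match the region, the usual copy-paste mistake."""
    match = POOL_ID_RE.match(user_pool_id)
    if not match or match.group(1) != region:
        raise ValueError(f"user pool ID {user_pool_id!r} is not in region {region!r}")
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}{WELL_KNOWN}"


def check_discovery(doc: dict, url: str, cognito_domain: str) -> list:
    """Return the problems found; an empty list means the document is
    consistent with the settings in this how-to."""
    problems = []
    issuer = url[: -len(WELL_KNOWN)]  # the issuer is the URL without the suffix
    if doc.get("issuer") != issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {issuer!r}")
    if doc.get("jwks_uri") != issuer + "/.well-known/jwks.json":
        problems.append("jwks_uri is not under the issuer")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code grant not supported")
    if "client_secret_post" not in doc.get("token_endpoint_auth_methods_supported", []):
        problems.append("client_secret_post not supported")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID tokens not supported")
    for name in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        value = doc.get(name, "")
        if not value.startswith(f"https://{cognito_domain}/"):
            problems.append(f"{name} {value!r} is not on the Cognito domain")
    return problems


def fetch_discovery(url: str) -> dict:
    """Fetch the live document (network access required)."""
    with urlopen(url, timeout=10) as response:
        return json.load(response)


# Constructed sample mirroring the shape of a Cognito discovery document.
SAMPLE_URL = discovery_url("eu-west-1", "eu-west-1_AbCdEfGhI")
SAMPLE_DOMAIN = "myapp-sso.auth.eu-west-1.amazoncognito.com"  # placeholder Cognito domain
SAMPLE_DOC = {
    "issuer": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_AbCdEfGhI",
    "authorization_endpoint": f"https://{SAMPLE_DOMAIN}/oauth2/authorize",
    "token_endpoint": f"https://{SAMPLE_DOMAIN}/oauth2/token",
    "userinfo_endpoint": f"https://{SAMPLE_DOMAIN}/oauth2/userInfo",
    "jwks_uri": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_AbCdEfGhI/.well-known/jwks.json",
    "response_types_supported": ["code", "token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "subject_types_supported": ["public"],
    "scopes_supported": ["openid", "email", "phone", "profile"],
}

if __name__ == "__main__":
    # Replace SAMPLE_DOC with fetch_discovery(SAMPLE_URL) to check a real pool.
    print(check_discovery(SAMPLE_DOC, SAMPLE_URL, SAMPLE_DOMAIN) or "discovery document OK")
```

The issuer check is the one that matters most: the Mendix module validates ID tokens against the issuer and jwks_uri it imports, so a discovery document from the wrong pool (or a typo in the region) silently makes the app trust tokens from a pool you do not control.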