
Configure Cognito - Workload Discovery on AWS

Configure Cognito

Workload Discovery on AWS uses Amazon Cognito to manage authentication. You can create users directly in the Cognito user pool or you can use a third-party IdP using SAML or OIDC.

Manage users via Cognito user pool

On deployment, the solution creates a user for you and sends an email with temporary credentials to the address provided in the AdminUserEmailAddress CloudFormation parameter. To add more users, follow these steps.

Create additional users:

  1. Sign in to the AWS Cognito console.

  2. Choose Manage User Pools.

  3. Choose WDCognitoUserPool-<ID-string>.

  4. In the navigation pane, under General Settings, choose Users and groups.

  5. On the Users tab, choose Create user.

  6. On the Create user box, enter values for all required fields.

    Username (required): The username that you will use to log in to Workload Discovery on AWS.

    Send an invitation (required, select Email only): When selected, sends a notification as a reminder of the temporary password. Select Email only. If you select SMS (the default), an error message displays, but the user is still created.

    Temporary Password (required): Enter a temporary password. The user is forced to change it when they sign in to Workload Discovery on AWS for the first time.

    Phone Number (optional): Enter a phone number in international format, for example, +44. Ensure that the Mark phone number as verified? box is selected.

    Email (required): Enter a valid email address. Ensure that the Mark email as verified? box is selected.

  7. Choose Create user.

Repeat this process to create as many users as you need.

Note

Every user will have the same level of access to resources discovered. We recommend provisioning a separate deployment of Workload Discovery on AWS for accounts that contain sensitive workloads or data. This allows you to restrict access to only the users that need it.

Manage users via third-party IdP

You can set up user sign-in with an OIDC IdP or a SAML IdP.

Set up user sign-in with an OIDC IdP

  1. Set up an OIDC client application in your IdP according to your provider’s documentation. You will require the following values:

    Redirect URI: https://<cognito-hostname>.auth.<wd-region>.amazoncognito.com/oauth2/idpresponse
      <cognito-hostname> can be any value; it is used again in step 6 as the CognitoCustomDomain parameter.

  2. The OIDC IdP will provide you with an OIDC discovery URL, a client ID, and a client secret. Note these values.

  3. Sign in to the AWS CloudFormation console.

  4. Select the main Workload Discovery on AWS stack and choose Update.

  5. On the Update stack page, select Use existing template.

  6. Update the following CloudFormation parameters:

    UsesCustomIdentity: Yes
      Confirmation of whether or not you will be using a custom identity provider, such as SAML or OIDC.

    CognitoCustomDomain: <cognito-hostname>
      The domain prefix for the Amazon Cognito custom domain that hosts the sign-up and sign-in pages for your application. This must match the <cognito-hostname> value (not the full URL) in the Redirect URI from step 1.

    IdentityType: OIDC
      The type of identity provider to use.

    ProviderName: <any-value>
      Name for the identity provider.

    OIDCIssuerURL: <oidc-discovery-url>
      The OIDC discovery URL noted in step 2.

    OIDCClientId: <client-id>
      The client ID noted in step 2.

    OIDCClientSecret: <client-secret>
      The client secret noted in step 2.

    CognitoAttributeMapping: <valid-json-value>
      The mapping of IdP attributes to standard and custom Cognito user pool attributes such as email, as a JSON object.

    OIDCAttributeRequestMethod: GET or POST
      The HTTP method (GET or POST) Cognito uses to request attributes from the IdP.

  7. Choose Next.

  8. On the Review page, review and confirm the settings. Select the boxes acknowledging that the template creates IAM resources and requires certain capabilities.

  9. Choose Update stack to deploy the stack.

Set up user sign-in with a SAML IdP

  1. Sign in to the AWS CloudFormation console.

  2. Choose View nested to display the nested stacks that make up the deployment. Depending on your preferences, nested stacks might already be displayed.

  3. Select the Workload Discovery on AWS Amazon Cognito stack. It will be named <wd-stack-name>-CognitoStack-<ID-string>.

  4. Select the Outputs tab and note the ID in the Value column associated with the UserPoolId key.

  5. Configure your SAML IdP to accept requests and send responses to your user pool. The documentation for your SAML IdP will contain information about how to add your user pool as a relying party or application for your SAML 2.0 IdP. You will require the following values:

    SP entity ID: urn:amazon:cognito:sp:<UserPoolId>
      The URN for the Cognito user pool, using the UserPoolId noted in step 4.

    ACS URL: https://<cognito-hostname>.auth.<wd-region>.amazoncognito.com/saml2/idpresponse
      <cognito-hostname> can be any value; it is used again in step 10 as the CognitoCustomDomain parameter.

  6. Download SAML metadata from your IdP, or retrieve the URL to your metadata endpoint.

  7. Return to the CloudFormation console.

  8. Select the main Workload Discovery on AWS stack and choose Update.

  9. On the Update stack page, select Use existing template.

  10. Update the following CloudFormation parameters:

    UsesCustomIdentity: Yes
      Confirmation of whether or not you will be using a custom identity provider, such as SAML or OIDC.

    CognitoCustomDomain: <cognito-hostname>
      The domain prefix for the Amazon Cognito custom domain that hosts the sign-up and sign-in pages for your application. This must match the <cognito-hostname> value (not the full URL) in the ACS URL from step 5.

    IdentityType: SAML
      The type of identity provider to use.

    ProviderName: <any-value>
      Name for the identity provider.

    SAMLMetadataURL: <saml-metadata-url>
      The SAML metadata URL retrieved in step 6.

    CognitoAttributeMapping: <valid-json-value>
      The mapping of IdP attributes to standard and custom Cognito user pool attributes such as email, as a JSON object.

  11. Choose Next.

  12. On the Review page, review and confirm the settings. Select the boxes acknowledging that the template creates IAM resources and requires certain capabilities.

  13. Choose Update stack to deploy the stack.
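The following Python script is an added example (not part of the solution or this guide) that automates the stack-update steps of both procedures above (OIDC steps 3 to 9, SAML steps 8 to 13): it builds the CloudFormation parameter list and enforces the checks the parameter tables describe, in particular that CognitoCustomDomain is the hostname prefix of the Redirect URI or ACS URL rather than the full URL, that CognitoAttributeMapping is a JSON object, and that OIDCAttributeRequestMethod is GET or POST. It assumes boto3 for the final update_stack call; the capability names passed there and the requirement that the mapping include the email attribute are assumptions, not statements from the guide.

```python
import json
from urllib.parse import urlparse

# Cognito IdP-response endpoint path for each identity type (from the Redirect URI / ACS URL tables).
IDP_RESPONSE_PATH = {"OIDC": "/oauth2/idpresponse", "SAML": "/saml2/idpresponse"}
# Extra parameters each identity type needs, taken from the two parameter tables.
IDP_PARAMS = {"OIDC": ["OIDCIssuerURL", "OIDCClientId", "OIDCClientSecret", "OIDCAttributeRequestMethod"],
              "SAML": ["SAMLMetadataURL"]}

def cognito_prefix(idp_response_url, identity_type):
    """Return the <cognito-hostname> part of a Redirect URI / ACS URL, or raise ValueError."""
    u = urlparse(idp_response_url)
    labels = (u.hostname or "").split(".")
    # Expected shape: https://<cognito-hostname>.auth.<wd-region>.amazoncognito.com/<path>
    if u.scheme != "https" or len(labels) != 5 or labels[1] != "auth" or labels[3:] != ["amazoncognito", "com"]:
        raise ValueError(f"not a Cognito hosted-UI URL: {idp_response_url}")
    if u.path != IDP_RESPONSE_PATH[identity_type]:
        raise ValueError(f"{identity_type} IdP must respond to {IDP_RESPONSE_PATH[identity_type]}")
    return labels[0]

def build_parameters(identity_type, cognito_custom_domain, idp_response_url,
                     provider_name, attribute_mapping, **idp):
    """Return the Parameters list for update_stack(UsePreviousTemplate=True) after the checks."""
    if identity_type not in IDP_PARAMS:
        raise ValueError("IdentityType must be OIDC or SAML")
    prefix = cognito_prefix(idp_response_url, identity_type)
    if cognito_custom_domain != prefix:  # the tables: hostname prefix, not the full URL
        raise ValueError(f"CognitoCustomDomain must be {prefix!r}, not {cognito_custom_domain!r}")
    # Assumption: the mapping must at least carry the email attribute the tables single out.
    if not isinstance(attribute_mapping, dict) or "email" not in attribute_mapping:
        raise ValueError("CognitoAttributeMapping must be a JSON object that maps 'email'")
    missing = [k for k in IDP_PARAMS[identity_type] if k not in idp]
    if missing:
        raise ValueError(f"missing {identity_type} parameters: {missing}")
    if identity_type == "OIDC" and idp["OIDCAttributeRequestMethod"] not in ("GET", "POST"):
        raise ValueError("OIDCAttributeRequestMethod must be GET or POST")
    params = {"UsesCustomIdentity": "Yes", "CognitoCustomDomain": cognito_custom_domain,
              "IdentityType": identity_type, "ProviderName": provider_name,
              "CognitoAttributeMapping": json.dumps(attribute_mapping)}
    params.update({k: idp[k] for k in IDP_PARAMS[identity_type]})
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in params.items()]

def update_main_stack(stack_name, parameters):
    """Update the main stack with the existing template (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the checks above run offline
    # Assumption: these are the capabilities the Review page asks you to acknowledge.
    return boto3.client("cloudformation").update_stack(
        StackName=stack_name, UsePreviousTemplate=True, Parameters=parameters,
        Capabilities=["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"])
```

Call build_parameters with your own values first; it raises before anything reaches CloudFormation if a value is in the wrong form, and only update_main_stack talks to AWS.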