2

We have written a microservice in Amazon Web Service(AWS) and linked it to an API Gateway.

This microservice is going to be used within our organisation and we want to secure it in such a way that only the users within our organisation can access this microservice.

So, when a user triggers a request to this service, he/she should get a login screen. If and only if the user provides valid credentials, he/she should be able to access the service.

By valid credentials, we mean, username/password configured for users they use to access our existing applications.

Till now, we are thinking the solution to be in this direction:

  1. Secure API Gatweway with Authorizer, specifically, Cognito Authorizer.
  2. For the Cognito User pool used in above Authorizer, attach Identity Provider under Federation section.
  3. Use SAML for this Identity Provider.

Please let us know how to proceed further?

or

Is there a better solution?

Vaibhav Deshmukh
  • 33
  • 4

1 Answers1

3

This question has a lot of elements. To start your company size will have alot to do with the type of authentication service you use.

Using cognito user pools mean that you or your team will have to manage users in that pool and this means you would be responsible for making sure to maintain this list by cleaning and possibly monitoring the pool. Not a bad idea if you have nothing else, however, I have a company of roughly 4000 people with active directory. It did not make sense for us to maintain this list if we could utilize an existing active directory.

In the end we used Onelogin and cognito federated identities, which allowed us to connect to active directory while streamlining and centralizing user management to our IT department.

Second thing to consider, is you could use cloudfront and a vpc to limit access to you application by whitelisting up addresses. Someone with network experience should be able to do this and would remove public exposure of your application.

Based on your ideas I think you're on the right track. A note to add, using cognito federated identites has a max of a 1 hour window to use the credentials putting refreshing tokens a high priority. This is where user pools will help. With user pools reauthentication will be a breeze.

Depending on what resources you are able to access. Pick the best authentication service that either makes sense or is effective for your team. Dont pick one that will require work that is outside the reason for your app or not in your job title. Definitely use federated identities as it streamlines giving aws crdentials and is built on top of aws sts.

Let me know if you need specifics.

Rene B.
  • 6,557
  • 7
  • 46
  • 72
Jonathan de la Rosa
  • 106
  • 2