Configure External Authentication using Azure Active Directory

The InfinStor service uses an Amazon Cognito User Pool for authenticating users. This Cognito User Pool may be configured to use external identity providers. Examples of such providers are:

  • Google OAuth2
  • Azure Active Directory using SAML2

This page describes, in detail, the process for configuring your InfinStor service instance to use Azure Active Directory as a SAML2 authentication provider.

Step-by-step configuration

First, add a new Enterprise Application to the Azure Active Directory service. In the screen capture below, press the '+ New application' button.

Select '+ Create your own application'.

Provide a suitable name for your new Enterprise Application. In this example, the name used is infinstor.

Once this new Enterprise Application has been created, click on '1. Assign users and groups' and choose the users who will have access to the InfinStor platform.

Next, configure the new Enterprise Application for Single Sign On. In this example, we use SAML.

There are two parameters that you need to obtain for configuring Single Sign On: the Identifier (Entity ID) and the 'Reply URL'. These are the first two items in the following screen capture.

Back in the AWS Console, go to the CloudFormation console and click on the infinstor-cognito nested stack. Look at the Outputs tab. The two entries of interest here are the SamlEntityId entry and the SamlReplyUrl entry.

Copy the SamlEntityId from the AWS CloudFormation Console and enter it into the Identifier (Entity ID) field of the Azure Active Directory Enterprise Application SAML Single Sign On configuration page. Do the same for SamlReplyUrl, entering it into the 'Reply URL' field.

Click on the 'Federation Metadata XML' Download button.

Go back to the AWS Console, browse to Cognito, Manage User Pools and choose the infinstor-service-subscribers User Pool. Click on 'Identity Providers' and choose SAML. Choose the metadata XML file that you downloaded from Azure Active Directory.

Choose the 'App client settings' subsection under the 'App integration' heading and, for every App client, check the 'Select all' checkbox under 'Enabled Identity Providers'.
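As an added example (not part of the InfinStor documentation or code), the following Python snippet checks the two things this procedure hands between consoles: that the downloaded Federation Metadata XML actually contains an IdP descriptor with an HTTP-POST sign-on endpoint and a signing certificate (otherwise Cognito cannot verify assertions), and that the SamlEntityId / SamlReplyUrl values have the shape Cognito issues before you paste them into Azure AD. The tenant id, certificate, pool id and domain below are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, heavily trimmed stand-in for the 'Federation Metadata XML' file
# downloaded from Azure AD; the tenant id and certificate are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def inspect_idp_metadata(xml_text):
    """Return entityID, HTTP-POST SSO URL and signing-cert count; raise if Cognito would reject it."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not the IdP's")
    sso = [s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")
           if s.get("Binding") == HTTP_POST]
    if not sso:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [k for k in idp.findall(f"{{{MD}}}KeyDescriptor")
             if k.get("use", "signing") == "signing"
             and k.find(f".//{{{DS}}}X509Certificate") is not None]
    if not certs:
        raise ValueError("no signing certificate: Cognito could not verify assertions")
    return {"entity_id": root.get("entityID"), "sso_url": sso[0], "signing_certs": len(certs)}

def check_sp_values(entity_id, reply_url):
    """Sanity-check the SamlEntityId / SamlReplyUrl outputs before pasting them into Azure AD.
    Cognito SP entity ids look like urn:amazon:cognito:sp:<user-pool-id>; the reply URL is the
    user pool's hosted domain followed by /saml2/idpresponse."""
    ok_id = re.fullmatch(r"urn:amazon:cognito:sp:[a-z]{2}(-[a-z]+)+-\d_[A-Za-z0-9]+", entity_id) is not None
    ok_url = reply_url.startswith("https://") and reply_url.endswith("/saml2/idpresponse")
    return ok_id and ok_url
```

Run `inspect_idp_metadata` on the real downloaded file before uploading it to Cognito; a ValueError tells you which piece is missing, which is far easier to diagnose than a failed login afterwards.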

You can now log in using Azure Active Directory credentials.