Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Restrict login to Enterprise Google Domain for AWS Federated Identity Pool

Tags:

amazon-web-services

google-oauth

amazon-cognito

aws-amplify

google-domain-api

I'm using a federation identity pools with aws-amplify (https://aws.github.io/aws-amplify/media/authentication_guide#enabling-federated-identities) and I'd like to restrict the scope of domains to just my google domain organization (ex. [email protected]).

There doesn't seem to be a way to lock it down on either the Google API console or the AWS Cognito Identity Pool settings, just a hint that an hd parameter can be appended to the google request to restrict it by domain (which would still require modifying the aws-amplify core package), and it still wouldn't be secure since anyone could just make the same request without the hd and gain access to cognito.

My question is this: is there a way to restrict a google oauth key to only allow @foobar.com email addresses, or to implement the same restriction with aws cognito?

like image 649
Ben Balentine Avatar asked Jun 28 '18 18:06

Ben Balentine

People also ask

Which public identity providers can I use with Amazon Cognito identity Amazon facebook twitter digits Google other OpenID connect compatible identity provider?

Q: Which public identity providers can I use with Amazon Cognito Identity? You can use Amazon, Facebook, Twitter, Google and any other OpenID Connect compatible identity provider.

Which public identity providers can I use with Amazon Cognito identity?

You can use federation to integrate Amazon Cognito user pools with social identity providers such as Facebook, Google, and Login with Amazon. To add a social identity provider, you first create a developer account with the identity provider.

Can Cognito act as IdP?

Amazon Cognito supports authentication with identity providers (IdPs) through Security Assertion Markup Language 2.0 (SAML 2.0). You can use an IdP that supports SAML with Amazon Cognito to provide a simple onboarding flow for your users. Your SAML-supporting IdP specifies the IAM roles that your users can assume.

Why federate user identities between Google Cloud and Active Directory?

By federating user identities between Google Cloud and your existing identity management system, you can automate the maintenance of Google identities and tie their lifecycle to existing users in Active Directory. Setting up federation between Active Directory and Cloud Identity or Google Workspace entails two pieces:

How can I limit authentication for cloud identity and Google workspace users?

Limit authentication by creating new Cloud Identity or Google Workspace user accounts only for users that need them and are known to not have an existing consumer account.

How to federate AWS with Google Apps SSO?

The federated user clicks the Google Apps SSO link to AWS in their browser. If the user has not already logged in, he will go to the Google Apps account login portal.

How to federate with Google workspace domains?

To federate with Google Workspace domains, use SAML/WS-Fed identity provider federation. Important

1 Answers

I believe I found a solution (from several quick tests it seems to be working fine)

Don't try to control the hosted domain part via the Trust Relationship in the Role.

  • Go to: Cognito / Edit Identity Pool / Authentication Providers

  • Select Google+

  • In "Authenticated role selection" select "Choose role with Rules"

  • Now require claim "hd" to be "equals" to <your-domain>

  • set "Role resolution" to "DENY"

Source: https://forums.aws.amazon.com/thread.jspa?messageID=527303

Here's a cloudformation stack to set everything (identity pool, roles, etc.) in one go. YOU NEED TO MAKE THE NECESSARY ADJUSTMENTS at all places marked with an EDIT HERE: comment.

AWSTemplateFormatVersion : 2010-09-09
Description : "An Identity Pool stack which uses Google for sign-in"


Resources:
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: identity_pool_a
      AllowUnauthenticatedIdentities: false
      SupportedLoginProviders: 
        # EDIT HERE:
        "accounts.google.com": "11111111111-22222222222222222222222222222222.apps.googleusercontent.com"

  IdentityForbiddenRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow 
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals: 
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              ForAnyValue:StringLike:
                "cognito-identity.amazonaws.com:amr": unauthenticated
      Policies:
        - PolicyName: None
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Deny
                Action: "*"
                Resource: "*"

  IdentityAllowedRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals: 
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              ForAnyValue:StringLike:
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: UserPermissions
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                # EDIT HERE:
                Action: "s3:GetObject"
                # EDIT HERE:
                Resource: "arn:aws:s3:::my-bucket/*"

  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles: 
        unauthenticated: !GetAtt IdentityForbiddenRole.Arn
        authenticated: !GetAtt IdentityForbiddenRole.Arn
      RoleMappings: 
        accounts.google.com:
          AmbiguousRoleResolution: Deny
          Type: Rules
          RulesConfiguration:
            Rules:
              - Claim: hd
                MatchType: Equals
                # EDIT HERE:
                Value: mydomain.com
                RoleARN: !GetAtt IdentityAllowedRole.Arn
like image 186
Itay Maman Avatar answered Oct 13 '22 01:10

Itay Maman
Sign in to Comment

Related questions

Is there any way to get the Cognito username in AWS Lambda?
dynamodb attribute name compression
"Message":"Your request: '/_cluster/allocation/reroute' is not allowed."}
Amazon Polly Implementation Using PHP SDK
How to CloudWatch Laravel logs deployed in AWS Elastic Beanstalk?
Send a notification by Lambda function with AWS Pinpoint
AWS ATHENA: user-defined variables
Changing "Origin Path" in CloudFront takes very long to kick in
Connecting Athena and S3 in same Cloudformation Stack
Access denied on S3 PUT request with pre-signed URL
What is the impact if my service exceeds 100% "Service CPU utilization"
AWS ApiGateway customize Request Validation Response
Invoking aws Step function from java lambda
How to move AWS Elasticsearch into another account
aws - Uploading a string as file to a S3 bucket
How do get a simple localstack/localstack to work with node.js
Configure dynamoDb stream to invoke lambda function only on delete
How to Install aws-sam-cli in ubuntu 14?
AWS Elastic Beanstalk Environment termination failing due to non-existent RDS
AWS Athena + S3 limitation

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!