Setup AWS Cognito for IDCS SAML 2.0 IdP SSO auth

What is SAML?

Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an Identity Provider (IdP) and a Service Provider (SP). SAML 2.0 is the industry standard way to federated identity management based on Single Sign-On (SSO). SSO is a session or user authentication process that permits a user to enter the same name and password to access multiple web applications.

Identity Providers and Service Providers

A service provider is responsible for providing services to the end user.

An identity provider (IdP), on the other hand, is a company or organization that is responsible for authenticating users and managing their identities. In other words, an IdP is a provider of identity and authentication services, while an SP is a specific service provider.

Amazon Cognito enables simple, secure user authentication, authorization, and user management for web and mobile apps. With Cognito, a user or visitor can sign in with a username and password through Amazon, or through a third party like Facebook, Google, or Apple.
Thus, with Cognito, a developer can:

  • Easily add user sign-up, sign-in, and access control to their apps with its built-in user interface (UI) and easy configuration
  • Federate identities from social identity providers
  • Synchronize data across multiple devices and applications
  • Provide secure access to other AWS services from their app by defining roles and mapping users to different roles

How to setup AWS cognito for IDCS SAML 2.0 IdP SSO authentication

Federating the AWS Cognito with IDCS as the identity provider, The below diagram will explain to you the Service Provider initiated SAML 2.0 assertion SSO configuration.

Login to your AWS account and go to Cognito service.

Create a new user pool

  • Click User pools -> Create user pool
    • Cognito user pool ( Later once we generate the Idp metadata, we will enable Federated identify providers)
    • Cognito user pool sign-in options
      • Check Email (The attributes in your user pool that are used to sign in.)
    • Click Next
      • Cognito defaults (use default password policy)
      • Multi-factor authentication (MFA Recommended but if you want, go with No MFA)
    • Click Next ( leave all the default options)
    • Click Next
    • Click Next
      • Update User pool name (Your user pool name can’t be changed once this user pool is created.)
      • App client name ( Update your Application client name, in this case IDC provider to this setup)
    • Click Next and Review all the settings.

Create Cognito domain

  • Click User pool
    • Click App integration
      • Domain -> Create Cognito domain

Download signing certificate

  • Click User pool
    • Sign-in experience
      • View signing certificate and Click Download

Provide Entity ID, Assertion consumer URL to the IDC identity service provider.

Entity ID – urn:amazon:cognito:sp:You can find your user pool ID on the General settings tab in the Amazon Cognito console.

Assertion Consumer URL Format – https://.auth..amazoncognito.com/saml2/idpresponse
Copy the Cognito domain that is generated above steps and update the above format.

Signing certificate – Use the signing certificate downloaded and saved in the above steps.

Add SAML service provider application in IDCS

  • Login to the IDCS Admin console and navigate to Applications -> Add a new application
  • In the Add Application window click on SAML Application to create a new application
  • In the App Details section provide values as per the following instructions
  1. In the Name field, enter your Application Name (say Prolaborate).
  2. In the Description field, enter fewer characters to provide a description of your Prolaborate.
  3. Click Upload to add an icon for your Prolaborate application.
  4. Click on Add

SSO Configuration Tab
Click on SSO Configuration Tab to define SSO attributes.

  1.  General section of the SSO Configuration 

In the General section of the SSO Configuration page, define the following:

  1. Fill ‘Entity ID’ and ‘Assertion Consumer URL’ fields from AWS cognito Service Provider Configuration
  2. NameID Format: Select the type of format to use Email address. The service provider and the identity provider use this format to easily identify a subject during their communication.
  3. NameID Value: Select the NameID Value as Primary Email to identify the user that is logged in.
  4. Signing Certificate: Upload the .cer certificate file that is downloaded before from AWS Cognito for SAML assertion.

Attribute Configuration section of the SSO Configuration

Attribute Configuration: Expand Attribute Configuration on the SSO Configuration page to add user-specific and group-specific attributes to the SAML assertion. Click on plus(+) symbol to add the attributes.


Enter the Attribute Configuration details and Click on Save.

Download Identity Provider Metadata: Click on Download Identity Provider Metadata( keep it in your local, we need to upload this metadata to the AWS Cognito)

Click on Activate to activate the application.

Click on Users tab in your Oracle Account to assign the user

  1. Click on Assign Users button.
  2. Select the users to whom to give access and Click Ok.

Upload Identity Provider Metadata to AWS Cognito.

Go to AWS -> Cognito

  • Click your User pool
    • Click Sign-in experience
    • Add identity provider
      • Click SAML
        • Enter your Provider name
        • Upload metadata document (upload your Identity Provider Metadata XML file which was downloaded earlier from IDCS)
        • User pool attribute -> SAML attribute (email). We already updated the email attribute in the IDCS SSO configurations.
      • Click Add identity provider

You have updated all the settings. Now, Goto App Integration in the User pool.

  • App client name -> Click your application
    • Hosted UI (You should confirm Identity providers section is selected with the SAML 2.0)
    • View Hosted UI

You will get redirected to IDP login page for a challenge

Enter the email ID and password of the user in IDCS. After you are authenticated in IDCS successfully, you will be redirected to the protected page of your application.

 

Site-to-site IPsec VPN tunnel configuration in PaloAlto

A site-to-site VPN allows you to connect multiple fixed locations to establish secure connections with each other over a public network. The below setup has configured the Site-to-site IPsec VPN tunnel configuration between AWS and the on-premises datacenter in the Palo Alto firewall.

The below setup is available to configure AWS Site-to-Site VPN Step by Step and the detailed documentation.

Prerequisites:

  • Ensure you have the necessary licenses for IPSec VPN on your Palo Alto Networks firewall.
  • You must have a virtual private cloud (VPC) in AWS with an IP-CIDR that doesn’t overlap with the on-premise network. This VPC must be associated with a virtual private gateway (VGW) or attached to a transit gateway (TGW).
  • Download the pre-shared key, and encryption/authentication settings in AWS.

Download AWS site-to-site VPN configuration for PaloAlto 

Goto -> VPC -> Virtual Private Cloud-> Site-to-Site VPN connections-> Click your VPN -> Download configuration.

PaloAlto Site to Site IPsec VPN setup

The first step in the IPsec VPN tunnel creation is to configure the IKE crypto profiles and IKE gateway, IPsec crypto, IPsec Tunnel, and Security Profile.

Connect your Palo Alto management portal.

https://192.168.1.1

Create IKE Crypto Profile:

  • Go to “Network” > “Network Profiles” > “IKE Crypto”.
  • Create a new IKE Crypto Profile
  • Configure the encryption algorithm, authentication algorithm, and lifetime values according to your requirements in AWS VPN configuration file. For Example,
edit network ike crypto-profiles ike-crypto-profiles vpn-3sd422be8f65d1dfd4-0
 set dh-group group2
 set hash sha1
 set lifetime seconds  28800
 set encryption aes-128-cbc
 top

It should be like this in the configuration.

  • Add the name as vpn-3sd422be8f65d1dfd4-0
  • Choose the DH Group as group2.
  • Set the Authentication as SHA1.
  • Choose the lifetime as 28800 seconds.
  • Set the Encryption as aes-128-cbc

Configure IKE Gateway:

The details are available in the AWS VPN configuration file.

  • Go to “Network” > “IKE Gateways” and click on “Add”.
  • Provide a name for the IKE Gateway.
  • Specify the local and peer IP addresses.
  • Configure the pre-shared key, authentication method, encryption, and lifetime values.

Create IPSec Tunnel Interface:

  • Go to “Network” > “Interfaces” and click on “Create New” to add a new tunnel interface.
  • Configure the interface type as “IPSec Tunnel” and provide a name for the interface.
  • Specify the local IP address and the virtual router to be used.

Configure IPSec Tunnel Parameters:

  • Go to “Network” > “Network Profiles” > “IPSec Crypto”.
  • Create a new IPSec Crypto Profile 
  • Configure the encryption algorithm, authentication algorithm, and lifetime values according to your requirements.

Example configuration in the file.

edit network ike crypto-profiles ipsec-crypto-profiles ipsec-vpn-068a2be8f65d1dfd4-0
 set esp authentication sha1
 set esp encryption aes-128-cbc
 set dh-group group2
 set lifetime seconds 3600
top

Create IPSec Tunnel:

  • Go to “Network” > “IPSec Tunnels” and click on “Add”.
  • Provide a name for the tunnel and select the tunnel interface created in step 2.
  • Configure the local and peer IP addresses, along with the pre-shared key.
  • Select the IPSec Crypto Profile created in step above
  • Specify the local and peer encryption domains (subnets) that will be reachable over the VPN tunnel. ( create and configure the site to site VPN internal CIDR ip as interface (162.x.x.x) ip ( check in AWS 162.x.x.x./30, take that last ip to configure))

Configure Security Policies:

  • Go to “Policies” > “Security” and create a new security policy.
  • Configure the source and destination zones, addresses, and services.
  • Specify the action as “Allow” and the VPN tunnel as the egress interface.

Creating Static Routes

Under Network > Virtual Routers, click Add

Add tunnel networks—> Click Static Routes -> Add Tunnel Interfaces

Verify and Monitor:

  • Go to “Monitor” > “IPSec Tunnels” to view the status of the VPN tunnels.
  • Verify the tunnel status, traffic statistics, and any error messages.

See both the Tunnel turned from RED to green.

Create the above steps for all the tunnels that you required from AWS.

Testing The Site-to-Site

Validate the SSH access to the AWS public and Private host.

These steps outline the basic configuration for Site-to-Site IPSec VPN on the Palo Alto Networks firewall. Make sure to adapt them to your specific network requirements and consult Palo Alto Networks documentation or support for further assistance.

 

AWS Site-to-Site VPN Configuration Step by Step

AWS Site-to-Site VPN allows secured connectivity between AWS resources and the on-premises network such as a data center or a branch office.

AWS Site-to-Site VPN provides two tunnels per connection, using the virtual private gateway or the AWS Transit Gateway. The virtual private gateway provides connectivity to a single Amazon Virtual Private Cloud (Amazon VPC) in a Region. The transit gateway provides connectivity to multiple Amazon VPCs in a region as well as to the internet.

The setup basically wants to connect the AWS VPC network to our on-prem Paloalto firewall. I have used the below steps to complete the entire site to site VPN connection.

VPC in AWS with Private and Public Subnet.

We have created a VPC with private and public subnets. The Internet access to the private subnet is disabled within vpc and public subnet has Internet access right out of the AWS cloud.

Create Customer Gateway (CGW)

Customer Gateway (CGW) represents a physical device or a software application that is managed in your on-premises network.

  • Get the Public IP of the Customer Gateway.

The IP address may be connected to the internet directly, or it may be connected to a NAT device, and if the IPsec device might be behind the NAT device. In that case you need to get the public IP address of your NAT device.

  • Goto VPC console.
  • Under Virtual Private Network, Click on Customer Gateways.
  • Click on Create customer gateway.
    • Enter a name for your CGW.
    • IP Address: Enter the Public IP address that you received from the on-prem network engineer.
    • Certificate ARN: You need to select this when you use Certificate-based IPsec VPN. However, in most deployments, we choose the pre-shared key so you can leave the Certificate ARN settings.
    • Device: Enter the name of your on-prem network device, For example, Palo Alto, Cisco ASA or Fortinet etc, this is again optional though.

Create Transit Gateway

A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks.

  • Goto VPC console.
  • Click Transit gateways
  • Click Create transit gateway
    • set to Name
    • Enable DNS support, Default route table association, Default route table propagation and Configure cross-account sharing options if you want.
    • CIDR – optional

Transit gateway attachment

A transit gateway enables you to attach VPCs and VPN connections in the same Region and route traffic between them. A transit gateway works across AWS accounts, and you can use AWS RAM to share your transit gateway with other accounts.

  • Click Transit gateway attachments
  • Click Create transit gateway attachment
    • set to Name
    • Transit gateway ID ( Select your Transit Gateway)
    • Attachment type (Select VPC)
    • VPC ID ( choose your VPC)

Create a Site-to-Site VPN connection

With the CGW and the TGW that we created, we will now create the site-to-site VPN on our AWS VPC.

  • Under Virtual Private Networks.
  • Click Site-to-Site VPN connections
  • Create VPN connection
    • set to Name
    • Target gateway type
      • Click Transit gateway
      • Select your transit gateway
    • Customer gateway
      • Click Existing and choose your CGW
    • Routing options ( note : we used static routing to configure the firewall, Dynamic required some BGP configurations.)
    • Tunnel inside IP version ( IPv4)
    • Local IPv4 network CIDR – optional
    • Remote IPv4 network CIDR – optional
    • Outside IP address type (PublicIpv4)
    • Click Create VPN connection
  • Under Tunnel Options, you can leave everything default. In case if you want to add your pre-shared key, you can do that here.

As you can see, there are two tunnel information, which means AWS will create two tunnels to your on-prem network. One is the primary and then the secondary.

Update the route propagation on the routing table.

We need to make sure when the tunnel comes up. The remote route propagated automatically into the routing table. This means that route 10.2.1.0/24 and 192.2.0.0/16 should appear on both private and public subnet routing tables pointing to the VPN gateway.

  • Click Transit gateway route tables
  • Create transit gateway route table
    • set to Name
    • Transit gateway ID ( select your transit gateway)
  • Select Route Table
    • click Routes Tab
    • Create static route
      • 10.2.0.0/16 ( select your transit gateway attachment)
      • 192.2.0.0/16 ( select your transit gateway attachment)

Go back to the Virtual Private Network.

Click on site to site VPN connections.

Select your VPN and Click Tunnel details.

You should see the VPN Tunnel state is up or down.

You can create some EC2 instances and attach them to two different Transit Gateway Route tables and then propagate routes across and test the access. There are various use cases such as a shared services VPC having access to all other VPCs across different environments, providing access from Customer VPCs towards the Management or Infrastructure VPC for accessing various services.

We have completed the AWS site-to-site VPN configuration.