Configure AWS as IdP
This article provides the steps required to set up Amazon Cognito as an Identity Provider (IdP), which is helpful when creating applications that require JWT verification.
Requirements
An active AWS account
Access to the Cognito service to get the JWT token
Creating the JWT Token
Go to the Amazon Cognito console. If prompted, enter your AWS credentials.
Click Create user pool.
The Authentication providers screen appears. Select Cognito user pool under Provider types, check Email under Cognito user pool sign-in options, and click Next.
The Password policy screen appears. Select Cognito defaults under Password policy mode, select No MFA under MFA enforcement, keep the default options under User account recovery, and click Next.
The Configure sign-up experience screen appears. Keep all the default options, select name and other attributes in Additional required attributes under Required attributes, and click Next.
The Configure message delivery screen appears. Select Send email with Cognito under Email and click Next.
The Integrate your app screen appears. Enter the User pool name and check Use the Cognito Hosted UI under Hosted authentication pages.
In the Domain section, select Use a Cognito domain, and enter the domain name.
In the Initial app client section, enter the App client name, and select Generate a client secret under Client secret.
Enter the URL https://oauth.pstmn.io/v1/callback under Allowed callback URLs, and select ALLOW_USER_PASSWORD_AUTH as the authentication flow under Advanced app client settings. In the Identity providers section, select Cognito user pool as the identity provider, and select Authorization code grant and Implicit grant under OAuth 2.0 grant types. Select OpenID, Phone, and Email under OpenID Connect scopes, and click Next.
The Review and create page appears. Review all your settings and click Create user pool.
Click the newly created pool, select the User tab, and click Create user.
In the User Information section, enter the email address, check Mark email address as verified, set a password for the user, and click Create user.
Select the App Integration tab on the pool's detail page and click the App client name.
Go to the Hosted UI section and click View Hosted UI.
The Sign up page appears. Enter the email address and the password you set earlier; you will be prompted to change the password. After changing the password, the message Your call is authenticated appears, which means authentication is complete.
Open Postman and create a new request. Select OAuth 2.0 under Authorization Type and select Request URL under Add authorization data to.
Go to the Configure New Token section, fill in the necessary fields, and click Get New Access Token. It will ask for credentials. After you enter the correct credentials, the Authentication complete screen appears, disappears automatically after 5 seconds, and generates the required tokens: id_token, access_token, and refresh_token. The id_token is the one required as the JWT.
Token Name: Provide any token name.
Grant Type: Select Authorization code or Implicit.
Callback URL: Enter the value https://oauth.pstmn.io/v1/callback.
Auth URL: /oauth2/authorize.
Access Token URL: /oauth2/token.
ClientID: Copy the value from the App client information page.
Client Secret: Copy the value from the App client information page.
Scope: Keep it empty.
State: Keep it empty.
Client Authentication: Select Send as Basic Auth Header.
Note
For Grant Type as Implicit, the Access Token URL and Client Secret options are not required; the rest are the same.
Decode the id_token using https://jwt.io/; the issuer name is in the iss field of the payload. Copy the kid from the header section, go to the newly created pool's information page, click Token signing key URL to get the list of JWK keys, and search for that kid. After locating the JWK key in use, convert it into PEM format using https://8gwifi.org/jwkconvertfunctions.jsp. The issuer and the PEM public key are required when setting up the CRDP application.
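As an added example (not from this article, AWS or Thales), the same lookup done locally in Python instead of through jwt.io and the web converter: it reads iss and kid from the id_token, refuses a token that is not RS256 or not from the expected issuer, finds the key with that kid in the pool's JWKS, and produces the PEM form CRDP needs with a small DER encoder. The issuer, JWKS and token below are constructed placeholders, not real pool data.

```python
import base64
import json
import textwrap

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))  # JWT and JWK omit '=' padding

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample (not a real pool): a Cognito-shaped JWKS whose 2048-bit modulus is filler
# bytes, and an id_token naming the same kid and issuer; its signature segment is a dummy.
SAMPLE_ISSUER = "https://cognito-idp.REGION.amazonaws.com/POOL_ID"  # placeholder issuer
SAMPLE_JWKS = {"keys": [{"kid": "k1", "kty": "RSA", "alg": "RS256", "use": "sig", "e": "AQAB",
                         "n": b64url_encode(b"\xde\xad\xbe\xef" * 64)}]}
SAMPLE_ID_TOKEN = ".".join([
    b64url_encode(b'{"alg":"RS256","kid":"k1"}'),
    b64url_encode(json.dumps({"iss": SAMPLE_ISSUER, "sub": "user-1", "token_use": "id"}).encode()),
    "dummy-signature"])

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV: one length byte below 128, else 0x80|count followed by the length's bytes."""
    n, count = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | count]) + n.to_bytes(count, "big")
    return bytes([tag]) + length + body

def _der_uint(value: int) -> bytes:
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))  # spare byte keeps sign bit 0

def jwk_to_pem(jwk: dict) -> str:
    """Wrap an RSA JWK's n and e as SubjectPublicKeyInfo DER and PEM-armour it, the form CRDP takes."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    rsa_key = _der(0x30, _der_uint(n) + _der_uint(e))                  # RSAPublicKey ::= SEQUENCE { n, e }
    alg_id = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # OID rsaEncryption + NULL params
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))         # BIT STRING with 0 unused bits
    body = "\n".join(textwrap.wrap(base64.b64encode(spki).decode(), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def pool_key_for_token(id_token: str, jwks: dict, expected_issuer: str):
    """Return (iss, PEM) for the JWKS key named by the token's kid, after the checks CRDP setup relies on."""
    header, payload = (json.loads(b64url_decode(seg)) for seg in id_token.split(".")[:2])
    if header.get("alg") != "RS256":  # never hand an RSA key to an alg=none or HS256 token
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    if payload.get("iss") != expected_issuer:
        raise ValueError(f"iss {payload.get('iss')!r} is not the pool issuer")
    matches = [k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"]
    if not matches:
        raise ValueError(f"kid {header.get('kid')!r} is not in the pool's JWKS")
    return payload["iss"], jwk_to_pem(matches[0])
```

The returned PEM and issuer are the two values entered when creating the CRDP application; signature checking itself is left to CRDP.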
Calling the CRDP APIs
Create a CRDP application with JWT verification enabled on the CipherTrust Manager, using the public key and issuer obtained in the steps above. Create a protection policy, an access policy, and user sets to be used in the CRDP APIs.
Select the Authorization tab, select Bearer Token as the Type, and enter the JWT token value.
Run the CRDP APIs to get the response.