Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Identity broker

Amazon external IDP

search
printsuggest an edit

Amazon external IDP

Login with Amazon (LWA) lets you protect your customer information by leveraging the user authentication system used by Amazon.com. Login with Amazon is based on OAuth 2.0.

The Amazon social connection lets users log in to your application using their Amazon profile.

copy link to clipboardRegister for Login with Amazon

Before you can use LWA on a website, you must register a security profile through the Developer Console. During registration, you’ll be asked to provide the name of your application, your logo, and a link to your privacy policy. Users will see this information each time they use Login with Amazon on your website or mobile app.

Amazon describes the LWA registration process.

copy link to clipboardPrerequisites

This process requires:

copy link to clipboardCreate a security profile at Amazon

Skip this section if you have already created a security profile in the Amazon Developer Console.

  1. Visit the Amazon Developer Console.

    You are asked to log in to the Developer Console, which handles application registration for Login with Amazon. If this is your first time using the Developer Console, you are asked to set up an account.

  2. Click Create a New Security Profile, which takes you to the Security Profile Management page.

    1. Enter a Name and a Description for your security profile.

      A security profile associates user data and security credentials with one or more related apps. The Name is the name displayed on the consent screen when users agree to share information with your application. This name applies to Android, iOS, and website versions of your application.

    2. Enter a Consent Privacy Notice URL for your application.

      The Privacy Notice URL is the location of your company or application's privacy policy (for example, http://www.example.com/privacy.html). This link is displayed to users on the consent screen. It applies to Android, iOS, and website versions of your application.

    3. To add a Consent Logo Image for your application, click Upload Image.

      This logo is displayed on the sign-in and consent screens to represent your business or website. It applies to Android, iOS, and website versions of your application. The logo is shrunk to 50 pixels in height if it is taller than 50 pixels. There is no limitation on the width of the logo.

  3. Click Save.

copy link to clipboardAdd your website to your security profile at Amazon

  1. Go to the Web Settings of the security profile that you want to use for your app.

    1. Locate the security profile that you want to modify from the table.

    2. Hover over the :gear: button button shown in the Manage column.

    3. Select the Web Settings menu item.

  2. Click Edit.

  3. To use Login with Amazon with a website, you must specify the 88 and Allowed Return URLs.

    1. Add your Allowed Origins: https://<tenant-domain>

    2. Add your Allowed Return URLs, which looks like: https://<tenant-domain>/broker/authentication/callback.

  4. Click Save.

copy link to clipboardCopy the credentials

  1. You can find the credentials on the Security Profile Management page, on the Web Settings tab.

  2. Copy the Client ID.

  3. Click Show secret and copy the Client secret.

copy link to clipboardConfigure LWA in the Identity Broker

  1. Click Add identity provider and select OAuth.

Typically, you fill out the following identity provider details:

  • Display name: Amazon (just an example)
  • Active: Select the check box
  • Client ID: The Client ID that you copied
  • Authentication method: Client secret post
  • PKCE: Do not select the check box
  • Client secret: The Client secret that you copied
  • Authorization endpoint: https://www.amazon.com/ap/oa
  • Token endpoint: https://api.amazon.com/auth/o2/token
  • Issuer: https://www.amazon.com
  • User attributes endpoint and https://api.amazon.com/user/profile
  • JWKs URI: Empty
  • Signature type: Asymmetric
  • Identity provider signing certificate: Empty
  • Encrypted JWT: Do not select the check box
  • Single logout: Do not select the check box
  • Mutual TLS keystore key pair: Empty
  • Mutual TLS truststore certificate: Empty

copy link to clipboardVariant

You always need at least one variant. For LWA, you only need to configure a variant name, such as Authentication.

For scopes, Thales recommends profile, profile:user_id, or postal_code. For more information, see customer profile.

On this page