[Legacy] Amazon Web Services Cognito (AWS Cognito)
This guide is for an older version of Kantega SSO Enterprise and is no longer maintained. New guides are here: https://kantega-sso.atlassian.net/l/c/rNTaTonz .
This guide takes you through the steps of setting up AWS login to the following Atlassian applications:
Jira (Server, Data Center)
Confluence (Server, Data Center)
Bitbucket (Server, Data Center)
Bamboo (Server)
Fisheye / Crucible (Server)
Add identity provider
A welcome message is shown when you select to configure the app for the very first time. Click "Start setup" and then "Setup SAML / OIDC".
Select "AWS Cognito" in the identity provider gallery.
AWS Cognito allows you to set up single sign-on over the OpenID Connect protocol.
Click "Next." Follow the setup steps below.
1. Select provisioning method
The Atlassian applications need to have information about users logging in and their permissions. At this wizard step, we choose whether the user and permission data already exist when users log in with SSO or if user records should be created dynamically (just-in-time provisioning).
You can also specify whether users logging in through AWS Cognito should be added as members to a set of default groups automatically.
Select provisioning method, default groups, and click "Next."
*Jira-specific example. Other Atlassian applications will be similar.
2. Callback URL
The field "Callback URL" will be needed when configuring your identity provider. Copy this URL value; we will make use of it in the next step.
3. Configure identity provider
Log in as an admin user to https://console.aws.amazon.com.
Use the search field to navigate to the Cognito service.
Click "Manage User Pools".
Click the user pool you wish to configure. If you do not have one, follow the Amazon tutorial on creating a user pool.
If you wish to use Just-In-Time provisioning (depending on your choice in Step 1), you must select both email and name as required attributes upon creation of the user pool. You cannot change attribute options for a pool after it has been created.
In the menu, click "App clients" and then "Add an app client."
Add an app client name. E.g., "Jira." (You can leave the rest as-is.)
Click "Create app client."
App credentials
Copy the "App client id."
Click "Show Details." Then copy the "App client secret."
We will use the App client id and secret later in the setup.
Configure the app client
In the left-hand menu, click "App client settings."
Under Enabled Identity Providers, select relevant identity providers. In our example, we select all providers.
In the "Callback URL(s)" field, enter the callback URL value that we copied from the Callback URL step (step 2) of the Kantega SSO wizard.
Under Allowed OAuth Flows, check "Authorization code grant."
Under Allowed OAuth Scopes, check email, openid, and profile.
Click "Save changes."
Pool Id
In the left-hand menu, click "General settings." Copy the "Pool Id." We will use this value later.
4. Import metadata
Type in the region and user pool id from AWS Cognito into the import step of the Kantega SSO wizard. Click "Next."
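The two Cognito values the wizard depends on are the app client settings from step 3 and the region plus pool id from step 4. The following is an added example (not part of this guide or the Kantega SSO product) that derives the OIDC discovery URL the import step reads and checks an app client description for the settings above; the app client dicts and the callback URL are constructed sample data, shaped like the UserPoolClient dict returned by the boto3 cognito-idp describe_user_pool_client call.

```python
import re

# Values the Kantega SSO wizard expects on the Cognito app client (step 3 above).
REQUIRED_FLOW = "code"                             # "Authorization code grant"
REQUIRED_SCOPES = {"email", "openid", "profile"}   # "Allowed OAuth Scopes"

# A user pool id has the form "<region>_<identifier>", e.g. eu-west-1_AbCdEfGhI.
POOL_ID_RE = re.compile(r"^([a-z]{2}(?:-[a-z]+)+-\d)_[A-Za-z0-9]+$")


def discovery_url(region: str, pool_id: str) -> str:
    """Build the OIDC discovery URL that the metadata import (step 4) fetches.

    The region typed into the wizard must match the region encoded in the pool id;
    checking that up front gives a clear error instead of a failed import.
    """
    match = POOL_ID_RE.match(pool_id)
    if not match:
        raise ValueError(f"not a Cognito user pool id: {pool_id!r}")
    if match.group(1) != region:
        raise ValueError(f"pool {pool_id!r} is in {match.group(1)}, not {region}")
    return f"https://cognito-idp.{region}.amazonaws.com/{pool_id}/.well-known/openid-configuration"


def check_app_client(client: dict, callback_url: str) -> list:
    """Return a list of misconfigurations in an app client description; [] means OK.

    `client` is shaped like the UserPoolClient dict from describe_user_pool_client.
    """
    problems = []
    if REQUIRED_FLOW not in client.get("AllowedOAuthFlows", []):
        problems.append("Authorization code grant is not enabled")
    missing = REQUIRED_SCOPES - set(client.get("AllowedOAuthScopes", []))
    if missing:
        problems.append("missing OAuth scopes: " + ", ".join(sorted(missing)))
    if callback_url not in client.get("CallbackURLs", []):
        problems.append("Kantega SSO callback URL is not registered")
    return problems


# Constructed sample data: a hypothetical callback URL (step 2) and two app clients.
CALLBACK = "https://jira.example.com/plugins/servlet/sso-callback"   # hypothetical
GOOD_CLIENT = {"ClientId": "sample-client-id", "AllowedOAuthFlows": ["code"],
               "AllowedOAuthScopes": ["email", "openid", "profile"],
               "CallbackURLs": [CALLBACK]}
BAD_CLIENT = {"ClientId": "sample-client-id", "AllowedOAuthFlows": ["implicit"],
              "AllowedOAuthScopes": ["email", "openid"],
              "CallbackURLs": ["https://jira.example.com/"]}

if __name__ == "__main__":
    print(discovery_url("eu-west-1", "eu-west-1_AbCdEfGhI"))
    print("good client:", check_app_client(GOOD_CLIENT, CALLBACK))
    print("bad client:", check_app_client(BAD_CLIENT, CALLBACK))
```

Against a real pool, feed the UserPoolClient dict from boto3 into check_app_client with the callback URL copied in step 2 before running the wizard's test step.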
5. Identity provider name
Fill in a name for your configuration. By default, this is "AWS Cognito." Click "Next."
6. Client id and secret
In this step, we will take the copied App client id and secret values (see instructions above) and paste them into the Secrets step of the Kantega SSO wizard.
7. Summary
Validate your setup and click "Finish."
8. Test and verify setup
On the next page, you will be given a link to perform a test of your setup.
The test verifies that users are allowed to authenticate with the current configuration, and you get feedback on whether the current user is found in the Atlassian application. You are also able to fix user lookup issues (selecting the right username attribute and expressing username transformation rules) and select data attributes for just-in-time provisioning here. More info about testing and verifying identity provider configurations.
9. Redirection mode
By default, Kantega SSO Enterprise will forward all users to the configured identity provider. However, you can configure both a subset of users who should log in through this identity provider and how they are redirected. More about the configuration of redirection rules.