Configure OpenID Connect with Amazon Cognito


Overview

This guide will walk you through configuring OpenID Connect authentication with Amazon Cognito for Discngine Admin Center. Once completed, users will be able to log in using their Cognito credentials.

Note: These instructions are for the new Cognito interface. Make sure you are using the "new console" user interface option.

Prerequisites

Before configuring Cognito OpenID Connect, ensure you have:

  • Organization Administrator access to Discngine Admin Center
  • Access to an AWS Account
  • Permissions to create and configure Cognito user pools

Register a Cognito User Pool

Step 1: Access AWS Cognito

  1. Log in to the AWS Management Console
  2. Search for "Cognito" in the main search field
  3. Select the Cognito service
  4. Choose the AWS region where you want to create your user pool

Step 2: Create User Pool

  1. Click Create a user pool
  2. Step 1 - Sign-in Options: Select your preferred sign-in options (e.g., Email)
  3. Step 2 - Security Requirements: Configure password requirements and MFA settings
  4. Step 3 - Sign-up Experience: Configure user attributes and verification
  5. Step 4 - Message Delivery: Configure email and SMS settings

Step 3: Configure Pool Settings

  1. Step 5 - Integrate Your App:
    • Give the user pool a name (e.g., "Discngine Users")
    • Ensure the checkbox to use hosted authentication pages is checked
    • Choose a domain for the user pool (e.g., yourcompany-discngine)

Step 4: Create App Client

Under Initial app client on Step 5:

  1. Set the app type to Confidential (a confidential client is issued a client secret, which Discngine needs for client_secret_basic authentication at the token endpoint)
  2. Give the client a name (e.g., "Discngine Admin Center Client")
  3. Set the Callback URL to: https://account.discngine.cloud/oauth2/callback

Under Advanced app client settings:

  4. Under Authentication flows, ensure ALLOW_USER_PASSWORD_AUTH is selected
  5. Under OAuth 2.0 grant types, select Authorization code grant only; leave Implicit grant unselected, since it returns tokens in the browser URL
  6. Under OpenID Connect scopes, select OpenID, Email and Profile. Discngine requests the scopes openid email profile, and Cognito rejects an authorization request that asks for a scope the app client does not allow
  7. Check the box for your app name under Identity Providers

Step 5: Review and Create

  1. Review all configuration settings
  2. Click Create user pool
  3. Once created, click on the user pool's name
  4. Scroll to the App clients and analytics section
  5. Open the created app client
  6. Record both the Client ID and Client Secret (click "Show client secret" to reveal). The secret lets its holder exchange authorization codes for tokens, so store it in a secrets manager rather than in a ticket or chat message

Step 6: Note the User Pool Details

  1. In your user pool details, record the User Pool ID (e.g., us-east-2_abc123)
  2. Note your AWS Region code (e.g., us-east-2)
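The console steps above can also be expressed as code, which makes the app client settings reviewable and repeatable. The following is an added example, not Discngine or AWS-provided code: it builds the CreateUserPoolClient parameters that correspond to Steps 4 and 5, checks the settings a reviewer would reject (public client, implicit grant, wrong callback URL, missing scopes), and only then creates the client. It assumes an existing user pool, AWS credentials allowed to call cognito-idp:CreateUserPoolClient, and that boto3 is installed; the pool ID and region passed in are placeholders.

```python
"""Added example: create the Discngine app client with the guide's settings as code.
Not Discngine or AWS code. Assumes an existing user pool and credentials with
cognito-idp:CreateUserPoolClient; boto3 is imported only when the client is created."""

CALLBACK_URL = "https://account.discngine.cloud/oauth2/callback"   # from the guide


def app_client_params(user_pool_id: str,
                      client_name: str = "Discngine Admin Center Client") -> dict:
    """CreateUserPoolClient parameters matching Steps 4 and 5 of the guide."""
    return {
        "UserPoolId": user_pool_id,
        "ClientName": client_name,
        "GenerateSecret": True,                       # confidential client: gets a secret
        "ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH",
                              "ALLOW_REFRESH_TOKEN_AUTH"],   # refresh flow is the console default
        "SupportedIdentityProviders": ["COGNITO"],    # users from this pool
        "CallbackURLs": [CALLBACK_URL],
        "AllowedOAuthFlows": ["code"],                # authorization code grant only
        "AllowedOAuthScopes": ["openid", "email", "profile"],   # what Discngine requests
        "AllowedOAuthFlowsUserPoolClient": True,
    }


def check_app_client(params: dict) -> list:
    """Return the settings a reviewer should reject before the client is created."""
    problems = []
    if not params.get("GenerateSecret"):
        problems.append("public client: no secret for client_secret_basic")
    if params.get("AllowedOAuthFlows") != ["code"]:
        problems.append("only the authorization code grant should be allowed")
    bad_urls = [u for u in params.get("CallbackURLs", []) if u != CALLBACK_URL]
    if bad_urls:   # catches the trailing-slash mistake from the troubleshooting section
        problems.append(f"unexpected callback URL(s): {bad_urls}")
    for scope in ("openid", "email", "profile"):
        if scope not in params.get("AllowedOAuthScopes", []):
            problems.append(f"scope {scope!r} not allowed; hosted UI would return invalid_scope")
    return problems


def create_app_client(user_pool_id: str, region: str) -> dict:
    """Create the client and return its ID and secret (store the secret in a secrets manager)."""
    params = app_client_params(user_pool_id)
    problems = check_app_client(params)
    if problems:
        raise ValueError("; ".join(problems))
    import boto3  # lazy import so the checks above run without AWS access
    resp = boto3.client("cognito-idp", region_name=region).create_user_pool_client(**params)
    client = resp["UserPoolClient"]
    return {"client_id": client["ClientId"], "client_secret": client["ClientSecret"]}


if __name__ == "__main__":
    # Placeholder pool ID; replace with the one recorded in Step 6.
    print(create_app_client("us-east-2_abc123", "us-east-2"))
```

Because Cognito cannot regenerate the secret of an existing app client, a compromised secret is handled by creating a new client with this function and updating the Client ID and Client Secret in Discngine Admin Center.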

[Screenshot: User Pool ID in Cognito]

Adding Users to Cognito

Create a Test User

  1. Open your user pool
  2. Navigate to the Users tab
  3. Click Create user
  4. Fill out all required form fields (username, email, temporary password)
  5. Click Create user

Configure OpenID Connect in Discngine Admin Center

Step 1: Access Identity Providers

  1. Log in to Discngine Admin Center as an Organization Administrator
  2. Navigate to Settings → Identity Providers
  3. Click Add Provider and select OpenID Connect

[Screenshot: Create a new OpenID integration]

Step 2: Configure Provider Settings

Fill in the following fields:

Basic Settings:

  • Name: Amazon Cognito
  • Client ID: Enter the App Client ID from Cognito
  • Client Authentication Method: Select HTTP Basic authentication (client_secret_basic)
  • Client Secret: Enter the Client Secret from Cognito

Discovery Settings:

  • Discover Endpoints: Enable this option
  • Issuer URL: Use the following format:
    https://cognito-idp.<REGION>.amazonaws.com/<USER_POOL_ID>/
    
    • Replace <REGION> with your AWS region code (e.g., us-east-2)
    • Replace <USER_POOL_ID> with your Cognito User Pool ID (e.g., us-east-2_abc123)
    • Example: https://cognito-idp.us-east-2.amazonaws.com/us-east-2_abc123/

Scopes:

  • Scope: openid email profile

Linking Strategy:

  • Select Link on email. Create the user if they do not exist
  • Note: Cognito users must have a public email address configured, and it is returned only when the email scope is granted. This strategy trusts the email address Cognito asserts, so make sure the user pool verifies email addresses before they are relied on for linking. Alternatively, you can link on username or create an anonymous link

Button Customization:

  • Button Text: Login with Cognito (or customize as needed)
  • Button Icon: Optionally add a URL to an AWS/Cognito icon

Step 3: Enable for Applications

  1. Scroll down to the Applications section
  2. Enable the identity provider for your desired applications
  3. Toggle Create Registration to automatically register users
  4. Click Save

Testing the Configuration

Step 1: Access Login Page

Navigate to https://admin-<organization-name>.discngine.cloud/

Step 2: Test Login

  1. Enter your email address
  2. You should see the Login with Cognito button
  3. Click the button
  4. You will be redirected to the Cognito hosted UI login page
  5. Enter your Cognito credentials
  6. If this is a first login with a temporary password, you'll be prompted to set a new password
  7. After successful authentication, you'll be redirected back to Discngine Admin Center

[Screenshot: Login with Cognito]

Troubleshooting

Common Issues

Redirect URI Mismatch

  • Ensure the callback URL in Cognito exactly matches: https://account.discngine.cloud/oauth2/callback
  • Cognito compares the redirect_uri character for character, so check that there are no trailing slashes, differences in scheme, or extra path segments

Issuer URL Format

  • Verify the Issuer URL follows the exact format with the trailing slash
  • Ensure the region code and User Pool ID are correct
  • Example: https://cognito-idp.us-east-2.amazonaws.com/us-east-2_abc123/

Email Address Issues

  • Cognito users must have a public email address if linking on email
  • Consider using username linking strategy if email privacy is a concern
  • Verify email verification settings in your Cognito user pool

User Pool Domain

  • Ensure your user pool has a hosted UI domain configured
  • The domain must be set up before the authentication flow will work

Authentication Flow Not Enabled

  • Verify that ALLOW_USER_PASSWORD_AUTH is enabled in the app client settings

Invalid Client Secret

  • Double-check that you copied the Client Secret correctly; it can be shown again from the app client page with "Show client secret"
  • Cognito cannot regenerate the secret of an existing app client. If the secret has been exposed, create a new app client with the same settings and update the Client ID and Client Secret in Discngine Admin Center
