This guide contains step-by-step instructions on how to setup Amazon Cognito, through the Amazon console, with the required configurations for a successful integration with ModelOp Center.
...
Create a user pool and the gateway-service app client
Open the Amazon Cognito console. If prompted, enter your AWS credentials
In the upper left corner, choose “User pools”
In the upper right corner, choose “Create user pool”
Step 1: Configure sign-in experience
Provider types: ”Cognito user pool”
Cognito user pool sign-in options: Choose
User name
Email
User name requirements: Make your selection based on your company policy
Step 2: Configure security requirements
Password policy: Make your selection based on your company policy
Multi-factor authentication: “No MFA”
Use account recovery:
Choose “Enable self-service account recovery - Recommended”
Delivery method for user account recovery messages: Choose “Email only”
Step 3: Configure sign-up experience
Self-registration: Make your selection based on your company policy
Cognito-assisted verification and confirmation: Make your selection based on your company policy
Verifying attribute changes: Make your selection based on your company policy
Required attributes: Select
name
given_name
family_name
email
Step 4: Configure message delivery
Email: Make your selection based on your company policy or choose “Send email with Cognito”
Step 5: Integrate your app
User pool name: Enter a name for your user pool
Hosted authentication pages: Choose “Use the Cognito Hosted UI”
Domain: Choose “Use a Cognito domain” and enter a domain prefix
Initial app client:
App type: Choose “Confidential Client”
App client name: Enter
gateway-service
Client secret: Choose “Generate a client secret”
Allowed callback URLs: Enter
<ModelOp Center URL>/login/oauth2/code/gateway-service
Advanced app client settings:
Authentication flows: Selected default values
Refresh token expiration: Any
Access token expiration: 480 minutes
ID token expiration: 480 minutes
Advanced security configurations: Choose
Enable token revocation
Prevent user existence errors
Identity providers: Choose “Cognito user pool”
OAuth2 2.0 Grant Types: Select “Authorization code grant”
OpenID Connect scopes: Select
OpenID
Email
Profile
Allowed sign-out URL: Enter
<ModelOp Center URL>/
Step 6: Review and create
Review the user pool configuration and choose “Create user pool”
...
Create a resource server
Open the Amazon Cognito console. If prompted, enter your AWS credentials
In the upper left corner, choose “User pools”
Choose your existing user pool
Choose “App integration”
Choose “Create resource server”
Resource server:
Enter a resource server name
Enter a resource server identifier of
rs
Custom scopes: Enter a scope name of
modelop_client
Choose “Create resource server”
...
Create the internal-client app client
Open the Amazon Cognito console. If prompted, enter your AWS credentials
In the upper left corner, choose “User pools”
Choose your existing user pool
Choose “App integration”
Choose “Create app client”
App client
App type: “Confidential client”
App client name: Enter
internal-client
Client secret: Choose “Generate a client secret”
Authentication flows: Selected default values and
ALLOW_USER_PASSWORD_AUTH
Refresh token expiration: Any
Access token expiration: 480 minutes
ID token expiration: 480 minutes
Advanced security configurations: Select
Enable token revocation
Prevent user existence errors
Hosted UI settings
Allowed callback URLs: None
Allowed sign-out URLs - optional: None
Identity providers: Select “Cognito user pool”
OAuth 2.0 Grant Types: Select “Client credentials”
Custom scopes: Select
rs/modelop_client
Attribute read and write permissions: Selected default values
Choose “Create app client”
...
Create the external-integration-client app client
Open the Amazon Cognito console. If prompted, enter your AWS credentials
In the upper left corner, choose “User pools”
Choose your existing user pool
Choose “App integration”
Choose “Create app client”
App client
App type: “Public client”
App client name: Enter
external-integration-client
Client secret: Choose “Don’t generate a client secret”
Authentication flows: Selected default values
Refresh token expiration: Any
Access token expiration: 480 minutes
ID token expiration: 480 minutes
Advanced security configurations: Select
Enable token revocation
Prevent user existence errors
Hosted UI settings
Allowed callback URLs: Enter:
<ModelOp Center URL>/jupyterOauth2ImplicitGrant.html
<ModelOp Center URL>/modelOpWDC.html
https://oauth.powerbi.com/views/oauthredirect.html
Allowed sign-out URLs - optional: None
Identity providers: Select “Cognito user pool”
OAuth 2.0 Grant Types: Select “Implicit grant”
OpenID Connect scopes: Select
OpenID
Email
Profile
Custom scopes: None
Attribute read and write permissions: Selected default values
Choose “Create app client”
Additional notes
...
Create Amazon Cognito users
Open the Amazon Cognito console. If prompted, enter your AWS credentials
In the upper left corner, choose “User pools”
Choose your existing user pool
Choose “Users”
Choose “Create user”
User information
Alias attributes used to sign in: Choose
User name
Email
Invitation message: Choose “Don't send an invitation”
User name: Enter a user name
Email address - optional: Enter an email address
Select “Mark email address as verified”
Temporary password: Choose “Set a password”
Password: Enter a temporary password
Choose “Create user”
...
Create Amazon Cognito groups
Open the Amazon Cognito console. If prompted, enter your AWS credentials
In the upper left corner, choose “User pools”
Choose your existing user pool
Choose “Groups”
Choose “Create group”
Group information
Group name: Enter a group name
Choose “Create group”
...
Assign Amazon Cognito user to an Amazon Cognito group
Open the Amazon Cognito console. If prompted, enter your AWS credentials
In the upper left corner, choose “User pools”
Choose your existing user pool
Choose “Groups”
Choose an existing group
Choose “Add user to group”
Choose an existing user
Choose “Add”