Skip to content
Datawiza DocsDatawiza Docs
Ask Questionsopen in new window
Homeopen in new window
Sign Upopen in new window
  • Overview
    • Architecture
      • Prerequisites
        • Upgrading
            • Secure a Web App Using Auth0
              • Secure a Web App Using Azure AD
                • Secure a Web App Using Azure AD B2C
                  • One Click Integration With Azure AD
                    • Secure a Web App Using Azure AD SAML
                      • Secure a Web App Using Cognito
                        • Preview
                          • Part I: Cognito Configuration
                            • Part II: Create Application on Datawiza Cloud Management Console (DCMC)
                              • Part III: Run DAP With a Header-Based Application
                                • Part IV: Pass User Attributes to the Header-Based App
                                  • Part V: Achieve Granular Access Control
                                    • A Rule Example
                                  • Secure a Web App Using Github
                                    • Secure a Web App Using Google
                                      • Secure a Web App Using Google Workspace (previously G Suite)
                                        • Secure a Web App Using Keycloak
                                          • Secure a Web App Using Okta
                                            • Secure a Web App Using Okta SAML
                                              • Secure a Web App Using PingOne
                                                • Secure a Web App Using Twitter
                                                  • Deploy Datawiza Access Proxy with a Web App using Kubernetes
                                                    • Deploy Datawiza Access Proxy using Helm
                                                      • Secure Multiple Web Apps Using Different IdPs
                                                        • Secure a Web App Using Multiple IdPs
                                                          • Enable B2B Single Sign-On (SSO) for a SaaS Application
                                                          • FAQ

                                                            Secure a Web App Using Cognito

                                                            timer iconAbout 2 min

                                                            On This Page
                                                            • Preview
                                                            • Part I: Cognito Configuration
                                                            • Part II: Create Application on Datawiza Cloud Management Console (DCMC)
                                                            • Part III: Run DAP With a Header-Based Application
                                                            • Part IV: Pass User Attributes to the Header-Based App
                                                            • Part V: Achieve Granular Access Control
                                                              • A Rule Example

                                                            # Enable SSO and Granular Access Control For A Header-Based Web App with Cognito

                                                            # Preview

                                                            In this Cognito tutorial, we will use the Datawiza Access Proxy (DAP) to enable SSO and granular access control for a header-based web App. The IdP we will use is Cognito. We will use DAP's side deployment mode, which means DAP and this app are running on the same server.

                                                            • The application will run on localhost:3001.
                                                            • The DAP will run on localhost:9772, which means the traffic to the app will reach DAP (running on port 9772) first and then be proxied to the application (running on port 3001).
                                                            • We will provide the docker images of the DAP and this header-based application.

                                                            # Part I: Cognito Configuration

                                                            You will need to register an app client in the Cognito console and get the following values for this app:

                                                            • Client ID
                                                            • Client Secret
                                                            • Issuer
                                                            • Domain

                                                            These values will later be used to set up Datawiza Access Proxy in Datawiza Cloud Management Console. Please follow IdP Configuration Guide: Cognito instructions on how to get those keys/values.

                                                            # Part II: Create Application on Datawiza Cloud Management Console (DCMC)

                                                            You need to create an application and generate a keypair of (PROVISIONING_KEY, PROVISIONING_SECRET) for this app on the DCMC.

                                                            Please follow Step2 : Datawiza Cloud Management Console to configure.

                                                            # Part III: Run DAP With a Header-Based Application

                                                            You can use either Docker or Kubernetes to run DAP. The following is an example docker-compose.yml file. You may need to login to our container registry to download the images of DAP and the header-based app. See Step3 : Configure DAP and SSO Integration for more details or Deploy DAP with Kubernetes for Kubernetes-specific instructions.

                                                            version: '3'
                                                            
                                                            services:
                                                              datawiza-access-broker:
                                                                image: registry.gitlab.com/datawiza/access-broker
                                                                container_name: datawiza-access-broker
                                                                restart: always
                                                                ports:
                                                                  - "9772:9772"
                                                                environment:
                                                                  PROVISIONING_KEY: #############################
                                                                  PROVISIONING_SECRET: #############################
                                                            
                                                              header-based-app:
                                                                image: registry.gitlab.com/datawiza/header-based-app
                                                                container_name: ab-demo-header-app
                                                                restart: always
                                                                ports:
                                                                  - "3001:3001"
                                                            
                                                            1
                                                            2
                                                            3
                                                            4
                                                            5
                                                            6
                                                            7
                                                            8
                                                            9
                                                            10
                                                            11
                                                            12
                                                            13
                                                            14
                                                            15
                                                            16
                                                            17
                                                            18
                                                            19

                                                            After executing docker-compose -f docker-compose.yml up, the header-based app should have SSO enabled with Cognito. Open a browser and type in http://localhost:9772/. You should see the Cognito login page as follows. DAP with Cognito Input the username and password we created in IdP Configuration Guide: Cognito, we will be asked to change the password and enter the given name and family name: DAP with Cognito Then the header-based app will show up: DAP with Cognito

                                                            # Part IV: Pass User Attributes to the Header-Based App

                                                            DAP gets user attributes from IdP and can pass the user attributes to the application via header or cookie.

                                                            Please follow the instructions of Step4 : Pass User Attributes to pass the user attributes to the header-based app, which is expecting:

                                                            • email
                                                            • firstname
                                                            • lastname
                                                            • groups

                                                            After successfully configuring the user attributes, you should see the green check sign for each of the user attributes as follows. Cognito with DCMC attributes

                                                            # Part V: Achieve Granular Access Control

                                                            You can configure access control to an application based on user's attributes (e.g., groups, department) and other metadata of a request (e.g., URL, IP, http method, access time).

                                                            Please reference Step5 : Achieve Granular Access Control for detailed instructions on how to set up access rules. You can practice the rule configuration using the following example.

                                                            # A Rule Example

                                                            1. Create a user in Cognito, put the user in hr group.

                                                            2. Create the following two rules:

                                                            • hr path can only be accessed by hr group.
                                                            • sales path can only be accessed by sales group.
                                                            1. Verify that the user you created can only access hr page in the header-based app, but cannot access sales page. Trying to access the header-based application on localhost:9772 in your browser, you should get something similar to the following screenshots.

                                                            Cognito ExampleCognito Example Access Forbidden

                                                            Prev
                                                            Secure a Web App Using Azure AD SAML
                                                            Next
                                                            Secure a Web App Using Github
                                                            You can also reach us on Discord
                                                            Copyright © 2022 Datawiza Technologies Inc