Single Sign-On with CTM


Last updated 3 months ago


Initially, Michael Shanks created the Active Directory application in Azure for us. I found the Active Directory application to be completely empty, so I had to make some initial adjustments for the two environments (production and staging). If you need access to the application settings, please reach out to him and ask for ownership permission.

Important Links

Production Setting Links

Name: ATD - Mobility Project Database - Production

Enterprise application management:

Outdated Azure AD Application settings link:

https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/SignOn/objectId/6c5f8303-a03b-4855-8822-fbd1d8e8367f/appId/8ab9e10b-e6c9-42f4-996b-ddd9d0d5def8/menuItemId/Overview

Note: Under "Overview" you will have to select "Single sign-on" to see the SSO configuration.

App Federation URL:

https://login.microsoftonline.com/5c5e19f6-a6ab-4b45-b1d0-be4608a9a67f/federationmetadata/2007-06/federationmetadata.xml?appid=8ab9e10b-e6c9-42f4-996b-ddd9d0d5def8

Login Url:

https://login.microsoftonline.com/5c5e19f6-a6ab-4b45-b1d0-be4608a9a67f/saml2

Azure AD Identifier:

https://sts.windows.net/5c5e19f6-a6ab-4b45-b1d0-be4608a9a67f/

Staging Setting Links

Name: ATD - Mobility Project Database - Dev

Enterprise application management:

Outdated Azure AD Application settings link:

https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Overview/appId/85f11cae-9763-4338-a494-e1d4a8beea0e/objectId/d9d0e209-4d36-4cae-bd70-99112879e228

Note: Under "Overview" you will have to select "Single sign-on" to see the SSO configuration.

App Federation URL:

https://login.microsoftonline.com/5c5e19f6-a6ab-4b45-b1d0-be4608a9a67f/federationmetadata/2007-06/federationmetadata.xml?appid=85f11cae-9763-4338-a494-e1d4a8beea0e

Login Url:

https://login.microsoftonline.com/5c5e19f6-a6ab-4b45-b1d0-be4608a9a67f/saml2

Azure AD Identifier:

https://sts.windows.net/5c5e19f6-a6ab-4b45-b1d0-be4608a9a67f/

Other Useful Links

IDP Authentication - AWS/SAML-specific: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp-authentication.html

Set up in AWS

Within Cognito, go to the Identity providers section, where you will see the SAML option enabled. Within the SAML settings you will see the metadata URL that links Cognito to Azure AD. You can edit the existing active provider, shown below as ctm-azure-ad, by clicking the pencil icon. That simply configures Cognito to reach out to CTM's Azure AD user base.

Within Azure AD you simply provide AWS's federation details.

We need to have at least two things:

The identifier (Entity ID)

The Reply URL (Assertion Consumer Service URL)

The Identifier (Entity ID): To begin, copy the Cognito Pool ID and paste it in this format (the placeholder stands for the pool ID):

urn:amazon:cognito:sp:<POOL ID>

For production, the identifier looks like this:

urn:amazon:cognito:sp:us-east-1_Zc3pNWX51

The Reply URL: The reply URL comes in this format (the placeholders stand for the Cognito domain prefix and the AWS region):

https://<DOMAIN PREFIX>.auth.<REGION>.amazoncognito.com/saml2/idresponse

In our case, it looks like this for production:

https://atd-moped-production.auth.us-east-1.amazoncognito.com/saml2/idresponse

Once you save the settings, it looks like this in production:

This should be enough to get started: AWS is linked to Azure AD and Azure AD is linked to Cognito.
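As an added example (not code from the Moped project), the two SP values described above can be derived from the pool settings, and the IdP federation metadata that Cognito consumes can be parsed and compared with the Login URL and Azure AD Identifier recorded under Important Links. The metadata document below is constructed for the example using the tenant ID from this page, with a placeholder certificate.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cognito_sp_settings(pool_id, domain_prefix, region):
    """The two values Azure AD asks for on the SAML SSO page, derived from the pool."""
    return {
        "entity_id": f"urn:amazon:cognito:sp:{pool_id}",
        "acs_url": f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idresponse",
    }

def parse_idp_metadata(xml_text):
    """Pull issuer, SSO endpoints and signing certs out of federation metadata XML."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {el.get("Binding", "").rsplit(":", 1)[-1]: el.get("Location")
           for el in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(c.text.strip())
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}

def verify_idp(meta, expected_issuer, expected_login_url):
    """Return the mismatches between the metadata and the values recorded for this app."""
    problems = []
    if meta["entity_id"] != expected_issuer:
        problems.append(f"issuer is {meta['entity_id']!r}, expected {expected_issuer!r}")
    if meta["sso"].get("HTTP-POST") != expected_login_url:
        problems.append(f"HTTP-POST login URL is {meta['sso'].get('HTTP-POST')!r}")
    if not meta["signing_certs"]:
        problems.append("no signing certificate: Cognito cannot validate assertions")
    return problems

# Constructed sample metadata (tenant ID from this page, placeholder certificate).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/5c5e19f6-a6ab-4b45-b1d0-be4608a9a67f/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://login.microsoftonline.com/5c5e19f6-a6ab-4b45-b1d0-be4608a9a67f/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

To check the live application, fetch the App Federation URL from Important Links and pass its body to parse_idp_metadata; a non-empty result from verify_idp means the Azure side no longer matches what Cognito was configured with.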

Testing your settings

At first you can use Cognito's hosted UI; there is no need to implement any JavaScript. To do so, you need these specific links:

Substituting your own values for production, you can use these link patterns (the placeholders stand for the app client ID and the redirect URI):

For access-token login:

https://<COGNITO URL>/login?response_type=token&client_id=<CLIENT ID>&redirect_uri=<REDIRECT URI>

For a code-based login (preferred):

https://<COGNITO URL>/login?response_type=code&client_id=<CLIENT ID>&redirect_uri=<REDIRECT URI>

The two links above only show the patterns. To make use of them you can try the production examples below.

Production example access-token login:

https://atd-moped-production.auth.us-east-1.amazoncognito.com/login?response_type=token&client_id=ins01e2a8d3vd8apvnd0jv10c&redirect_uri=https://mobility.austin.gov/moped/session/signin

Production example code login (preferred):

https://atd-moped-production.auth.us-east-1.amazoncognito.com/login?response_type=code&client_id=ins01e2a8d3vd8apvnd0jv10c&redirect_uri=https://mobility.austin.gov/moped/session/signin

For staging:

https://atd-moped-staging.auth.us-east-1.amazoncognito.com/login?response_type=token&client_id=3u9n9373e37v603tbp25gs5fdc&redirect_uri=https://moped.austinmobility.io/moped/session/signin

https://atd-moped-staging.auth.us-east-1.amazoncognito.com/login?response_type=code&client_id=3u9n9373e37v603tbp25gs5fdc&redirect_uri=https://moped.austinmobility.io/moped/session/signin

Redirect URI Warning

For SSO, the redirect URI must be listed in the allowed URLs list in Cognito (App client page).
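As an added example (not code from the Moped project), a check for the hosted UI links above: it assumes the app client's callback URL list is the constructed allowlist below (the production values recorded on this page) and flags a redirect_uri that is not an exact match, which is the failure the warning above describes. It also reports the access-token (implicit) pattern as a warning, since the code-based login is the preferred one.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist standing in for the app client's callback URL list in Cognito;
# the values are the production ones recorded on this page.
ALLOWED_CALLBACK_URLS = {"https://mobility.austin.gov/moped/session/signin"}
PRODUCTION_CLIENT_ID = "ins01e2a8d3vd8apvnd0jv10c"

def check_login_url(url, allowed=ALLOWED_CALLBACK_URLS, client_id=PRODUCTION_CLIENT_ID):
    """Return findings ('error: ...' / 'warning: ...') for a hosted UI login link; [] means clean."""
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if parts.scheme != "https" or not parts.netloc.endswith(".amazoncognito.com"):
        findings.append("error: not an https Cognito hosted UI host")
    if parts.path != "/login":
        findings.append("error: path is not /login")
    response_type = q.get("response_type", [""])[0]
    if response_type == "token":
        findings.append("warning: implicit flow returns tokens in the URL fragment; prefer response_type=code")
    elif response_type != "code":
        findings.append(f"error: unsupported response_type {response_type!r}")
    if q.get("client_id", [""])[0] != client_id:
        findings.append("error: client_id does not match the app client")
    redirect_uri = q.get("redirect_uri", [""])[0]
    if redirect_uri not in allowed:  # Cognito matches the callback URL as an exact string
        findings.append(f"error: redirect_uri {redirect_uri!r} is not an allowed callback URL")
    return findings

def is_acceptable(url, **kw):
    """True when the link has no error-level finding (warnings are tolerated)."""
    return not any(f.startswith("error") for f in check_login_url(url, **kw))
```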

Final Notes

This should cover the general overview of how to set up SSO with SAML in AWS Cognito. For details on how the JavaScript internals work, see the code base and the AWS Amplify documentation:

Entra Enterprise Application Settings
https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf
https://docs.amplify.aws/lib/auth/getting-started/q/platform/js/