Tutorial: Enable Amazon Cognito MFA for a Web Application through Datawiza Access Proxy

Preview
In this tutorial, you'll learn to implement Amazon Cognito MFA (multi-factor authentication) and SSO (single sign-on) for a web application via the Datawiza Access Proxy (DAP). The web application runs on localhost:9902 while DAP runs on localhost:9772, receiving all traffic destined for the app and proxying it to the application.
Part I: Amazon Cognito MFA Configuration
Before delving into the procedure, we first create an app client on the Amazon Cognito console, from which we obtain the following values needed for configuring the Datawiza Cloud Management Console (DCMC):
- Client ID
- Client Secret
- Issuer
- Domain
Create a User Pool
Log in to your AWS Console account and search for Cognito in the search bar:

Click Create a user pool:

Check username and email, and then click Next:

Verify that Authenticator apps is selected as your MFA method. Leave all other settings at their defaults, and then click Next:

If you want the Datawiza Access Proxy to pass additional user attributes to the application, select them here, and then click Next:

Choose Send email with Cognito and then click Next:

Input the User pool name:

Choose Confidential client as the app type, input the App client name, then click Next:

Review all your settings and click Create user pool:

You have now created the user pool and its app client. Note down the Pool ID:

The Issuer we need has the form https://cognito-idp.${AWS-REGION}.amazonaws.com/${Pool_ID}. For example, for our test user pool it is https://cognito-idp.us-west-1.amazonaws.com/us-west-1_JnFFmhMb5.
Click the App integration tab and scroll down to the bottom of the page. Click the app client you just created:

Note down the App Client ID and App Client secret:

Click Edit Hosted UI. Input the Callback URL(s), which should be http://localhost:9772/datawiza/authorization-code/callback, and choose Cognito user pool for Identity Providers. For OAuth 2.0 grant types, select Authorization code grant. For OpenID Connect scopes, select Email, OpenID, and Profile. Then click Save changes.


Select Domain, input the Domain prefix, and note down the whole domain. This is the Domain value we need:
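The four values collected above (Issuer, Client ID, Client Secret, Domain) are exactly what DAP, or any other OIDC relying party placed in front of the app, uses to decide which identity provider to trust. The following Python script is an added example, not code from the Datawiza tutorial or from DAP itself. It derives the Cognito issuer, discovery and JWKS URLs and the Hosted UI authorization URL from those values, and shows the claim checks a relying party must apply to an ID token after verifying its signature. The pool ID and region are the ones shown on this page; the domain prefix and client ID are constructed placeholders, and `id_token_claim_problems` assumes the JWT signature has already been verified against the JWKS URL.

```python
# Added example (not from the Datawiza tutorial or DAP): derive the Cognito
# OIDC endpoints from the Part I values and sanity-check an ID token's claims
# the way a relying party sitting in front of the web app must.
import re
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

# Cognito pool ids look like "<region>_<suffix>", e.g. us-west-1_JnFFmhMb5 (page value).
POOL_ID_RE = re.compile(r"^([a-z]{2}-[a-z]+-\d)_[A-Za-z0-9]+$")


def build_issuer(region: str, pool_id: str) -> str:
    """Issuer = https://cognito-idp.<region>.amazonaws.com/<pool id>.
    The region embedded in the pool id must match the region given; otherwise
    the proxy would be configured to trust a pool that cannot exist."""
    m = POOL_ID_RE.match(pool_id)
    if m is None or m.group(1) != region:
        raise ValueError(f"pool id {pool_id!r} does not belong to region {region!r}")
    return f"https://cognito-idp.{region}.amazonaws.com/{pool_id}"


def discovery_urls(issuer: str) -> dict:
    """Where a relying party fetches provider metadata and the token signing keys."""
    return {
        "openid_configuration": f"{issuer}/.well-known/openid-configuration",
        "jwks_uri": f"{issuer}/.well-known/jwks.json",
    }


def hosted_ui_base(domain_prefix: str, region: str) -> str:
    """The Domain from Part I: https://<prefix>.auth.<region>.amazoncognito.com."""
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com"


def build_authorize_url(hosted_ui: str, client_id: str, redirect_uri: str,
                        scopes=("openid", "email", "profile"),
                        state: Optional[str] = None):
    """Authorization-code request matching the Hosted UI settings in Part I.
    A fresh random state binds the callback to this request (CSRF protection)."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{hosted_ui}/oauth2/authorize?{urlencode(params)}", state


def id_token_claim_problems(claims: dict, issuer: str, client_id: str,
                            now: Optional[float] = None) -> list:
    """Claim checks performed after the JWT signature has been verified against
    jwks_uri (signature verification is assumed done and not shown here).
    Returns an empty list when the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the configured Issuer")
    if claims.get("aud") != client_id:
        problems.append("aud does not match the Client ID")
    if claims.get("token_use") != "id":
        problems.append("token_use is not 'id' (access tokens carry 'access')")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp")
    if "email" in claims and claims.get("email_verified") is not True:
        problems.append("email claim present but not verified")
    return problems


if __name__ == "__main__":
    # Constructed sample values; only the region and pool id come from the tutorial.
    region, pool_id = "us-west-1", "us-west-1_JnFFmhMb5"
    issuer = build_issuer(region, pool_id)
    hosted = hosted_ui_base("example-prefix", region)  # assumed domain prefix
    url, state = build_authorize_url(
        hosted, "exampleclientid",
        "http://localhost:9772/datawiza/authorization-code/callback")
    print(url)
    sample_claims = {"iss": issuer, "aud": "exampleclientid", "token_use": "id",
                     "exp": time.time() + 3600,
                     "email": "user@example.com", "email_verified": True}
    print(id_token_claim_problems(sample_claims, issuer, "exampleclientid"))
```

The region check in `build_issuer` catches the most common misconfiguration (copying a pool ID from one region while selecting another), and the `aud`/`token_use` checks matter because a Cognito access token for the same pool would otherwise pass the issuer check while carrying a different audience.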

Users and Groups
User
Select Users and Groups, and click Create User. Input the basic information, then click Create User:

Groups (Optional)
Select the Groups tab and click Create group. Input the basic information, then click Create group:

Click the group we just created, then click Add user to group:

Add the user:

Part II: Create an Application on Datawiza Cloud Management Console (DCMC)
Sign in to the Datawiza Cloud Management Console.
Click the orange button Getting started.

Specify a Name and a Description, and click Next.

Configure your application with the following values:
| Property | Value |
|---|---|
| App Type | Web |
| Name | Enter a unique application name. For example, WebApp. |
| Application URL | The URL that end users will visit, for example https://WebApp.example.com. For testing you can use localhost; here we use http://localhost:9772. |
| Listen Port | The port that DAP listens on. Here we use 9772. |
| Upstream Servers | The URL and port of your web app. DAP ships with a pre-built header-based sample app for testing that listens on port 9902, so enter http://localhost:9902. |

Select Next.
On the Configure IdP dialog, input the IdP name, select OIDC as the Protocol and Cognito as the Identity Provider, and enter the Client ID, Client Secret, Issuer, and Domain collected in Part I.

Select Create.
Part III: Run the DAP with the Sample Web Application “WebApp”
Docker is a prerequisite for launching DAP. We offer a Quick Start guide covering Docker installation and DAP deployment for your OS.

After executing the needed steps, the Datawiza Access Proxy should be up and running.
Part IV: Test the Application with Amazon Cognito MFA Enabled
Open a browser and go to http://localhost:9772/. The Amazon Cognito login page should appear:

If this is your first login, after entering your username and password you need to complete the Amazon Cognito MFA configuration:

Then you should be able to log in successfully and see the homepage of the WebApp.

Conclusion
This tutorial walked you through enabling Amazon Cognito SSO and MFA for a web app using Datawiza.
This is only a small sample of what Datawiza can do. See Datawiza's online docs or official website for more information. You can also get a free trial by signing up here!