Tutorial: Enable Amazon Cognito MFA for a Web Application through Datawiza Access Proxy


Preview

In this tutorial, you’ll learn how to enable Amazon Cognito MFA (multi-factor authentication) and SSO (single sign-on) for a web application via the Datawiza Access Proxy (DAP). Here, the web application runs on localhost:9902 while DAP listens on localhost:9772, receiving the traffic for the app and proxying it to the application.

Part I: Amazon Cognito MFA Configuration

Before the procedure itself, we first create an app client on the Amazon Cognito console, from which we obtain the values needed to configure the Datawiza Cloud Management Console (DCMC):

  • Client ID
  • Client Secret
  • Issuer
  • Domain

Create a User Pool

Log in to your AWS Console account and search for Cognito in the search bar:

Amazon Cognito SSO and MFA | Search Cognito

Click Create a user pool:

Amazon Cognito SSO and MFA | Create User Pool

Check Username and Email, then click Next:

Amazon Cognito SSO and MFA | User Pool Config

To proceed, verify that Authentication Apps is selected as your MFA method. Ensure that all settings are left as their defaults, and then click Next:

Amazon Cognito SSO and MFA | Cognito MFA Methods

If you want the Datawiza Access Proxy to pass more attributes, you can select the additional attributes here, and then click Next:

Amazon Cognito SSO and MFA | Cognito Required Attributes

Choose Send email with Cognito and then click Next:

Amazon Cognito SSO and MFA | Cognito Message Delivery

Input the User pool name:

Amazon Cognito SSO and MFA | User Pool Name

Choose Confidential client as the App type, input the App client name, then click Next:

Amazon Cognito SSO and MFA | Initial App Client

Review all your settings and click Create user pool:

Amazon Cognito SSO and MFA | Cognito User Pool

You have now created the user pool together with its app client. Note down the Pool ID:

Amazon Cognito SSO and MFA | User Pool ID

The Issuer we require is of the form https://cognito-idp.${AWS-REGION}.amazonaws.com/${Pool_ID}. For our test user pool, for example, it is https://cognito-idp.us-west-1.amazonaws.com/us-west-1_JnFFmhMb5.

Click the App Integrated tab, scroll down to the bottom of the page, and click the app client you just created:

Amazon Cognito SSO and MFA | App Client

Note down the App Client ID and App Client secret:

Amazon Cognito SSO and MFA | App Client ID and Secret

Click Edit Hosted UI. For Callback URL(s), enter http://localhost:9772/datawiza/authorization-code/callback, and choose Cognito user pool under Identity Providers. For OAuth 2.0 grant types, select Authorization code grant. For OpenID Connect scopes, select Email, OpenID, and Profile. Then click Save changes.

Amazon Cognito SSO and MFA | Cognito Hosted UI

Select Domain, input the Domain prefix, and note down the whole domain; it is the Domain we require:

Amazon Cognito SSO and MFA | Cognito Domain
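To see how the four values collected above fit together, here is an added Python example (not part of the original tutorial or of Datawiza's code) that derives the Issuer and discovery URL from the region and Pool ID, builds the authorization-code request that the hosted UI receives, and checks the claims of a decoded ID token against the expected issuer and client ID. The domain prefix, client ID and sample claims are constructed placeholders; the region, Pool ID and callback URL are the ones used in this walkthrough.

```python
import time
from urllib.parse import urlencode

# Region, pool ID and callback URL are the values used in this tutorial;
# the domain prefix and client ID are constructed placeholders.
REGION = "us-west-1"
POOL_ID = "us-west-1_JnFFmhMb5"
DOMAIN_PREFIX = "example-prefix"      # constructed placeholder
CLIENT_ID = "EXAMPLE_CLIENT_ID"       # constructed placeholder
CALLBACK = "http://localhost:9772/datawiza/authorization-code/callback"
SCOPES = ("openid", "email", "profile")

def cognito_issuer(region, pool_id):
    """Issuer in the form https://cognito-idp.${AWS-REGION}.amazonaws.com/${Pool_ID}."""
    return f"https://cognito-idp.{region}.amazonaws.com/{pool_id}"

def discovery_url(issuer):
    """OIDC discovery document from which a proxy reads the endpoints and JWKS."""
    return issuer + "/.well-known/openid-configuration"

def hosted_ui_authorize_url(domain_prefix, region, client_id, redirect_uri, state):
    """Authorization-code request against the Cognito hosted UI domain."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(SCOPES), "state": state}
    base = f"https://{domain_prefix}.auth.{region}.amazoncognito.com/oauth2/authorize"
    return base + "?" + urlencode(params)

def id_token_problems(claims, issuer, client_id, now=None):
    """List what is wrong with a decoded ID token's claims (empty list = accept).
    Signature verification against the issuer's JWKS must already have passed."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    if claims.get("aud") != client_id:
        problems.append("audience mismatch")
    if claims.get("token_use") != "id":
        problems.append("not an ID token")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    return problems

# Constructed sample claims, shaped like a Cognito ID token payload.
SAMPLE_CLAIMS = {"iss": cognito_issuer(REGION, POOL_ID), "aud": CLIENT_ID,
                 "token_use": "id", "exp": 1_900_000_000, "email": "user@example.com"}
```

The callback URL in the request must match the Callback URL(s) saved in the hosted UI settings exactly, which is why the proxy's listen port appears in it.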

Users and Groups

User

Select Users and Groups, and click Create User. Input the basic information, then click Create User:

Amazon Cognito SSO and MFA | Create User

Groups (Optional)

Select the Groups tab and click Create group. Input the basic information, then click Create group:

Amazon Cognito SSO and MFA | Create Group

Click the group we just created, then click Add user to group:

Amazon Cognito SSO and MFA | Add User to Group

Add the user:

Amazon Cognito SSO and MFA | Add User to Group

Part II: Create an Application on Datawiza Cloud Management Console (DCMC)

Sign in to the Datawiza Cloud Management Console.

Click the orange button Getting started.

Amazon Cognito SSO and MFA | DCMC

Specify a Name and a Description, and click Next.

Amazon Cognito SSO and MFA | Create Deployment

Configure your application with the following values:

  • App Type: Web
  • Name: Enter a unique application name. For example, you can use WebApp.
  • Application URL: The URL that end users will visit. For example: https://WebApp.example.com. For testing, you can use localhost DNS; here we use http://localhost:9772.
  • Listen Port: The port that DAP listens on. Here we use 9772.
  • Upstream Servers: The URL and port of your web app. We have a pre-built header-based app in DAP for testing purposes, which uses port 9902, so put http://localhost:9902.

Amazon Cognito SSO and MFA | Create App

Select Next.

On the Configure IdP dialog, input the IdP name, select OIDC as the Protocol and Cognito as the Identity Provider, and enter the Client ID, Client Secret, Issuer, and Domain you noted down in Part I.

Amazon Cognito SSO and MFA | Create IdP

Select Create.

Part III: Run the DAP with the Sample Web Application “WebApp”

Docker is a prerequisite for launching DAP. We offer a Quick Start guide covering Docker installation and DAP deployment for your OS.

Amazon Cognito SSO and MFA | Deploy DAP

After executing the needed steps, the Datawiza Access Proxy should be up and running.

Part IV: Test the Application with Amazon Cognito MFA Enabled

Open a browser and go to http://localhost:9772/. The Amazon Cognito login page should appear:

Amazon Cognito SSO and MFA | Cognito Login Page

If this is your first time logging in, you will be asked to complete the Amazon Cognito MFA setup after entering your username and password:

Amazon Cognito SSO and MFA | Cognito MFA Setup

Then you should be able to log in successfully and see the homepage of the WebApp.

Amazon Cognito SSO and MFA | WebApp

Conclusion

This tutorial walked you through enabling Amazon Cognito SSO and MFA for a web app using Datawiza.

This is only a small sampling of what Datawiza can do. See Datawiza’s online docs or official website for much more information. You can also get a free trial by signing up/in here!

Written by the Datawiza team — hope you enjoyed! Join us if you have any questions or need any help on our Discord server.