
Single Sign-On in AWS API Gateway

We have written a microservice in Amazon Web Services (AWS) and linked it to an API Gateway.

This microservice is going to be used within our organisation and we want to secure it in such a way that only the users within our organisation can access this microservice.

So, when a user triggers a request to this service, he/she should get a login screen. If and only if the user provides valid credentials, he/she should be able to access the service.

By valid credentials, we mean the username/password configured for users that they use to access our existing applications.

Till now, we are thinking the solution to be in this direction:

  1. Secure API Gateway with an Authorizer, specifically, a Cognito Authorizer.
  2. For the Cognito User Pool used in the above Authorizer, attach an Identity Provider under the Federation section.
  3. Use SAML for this Identity Provider.

Please let us know how to proceed further?

or

Is there a better solution?
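The three steps above, written out as a CloudFormation template. This is an added example, not code from the original post or from AWS documentation: the stack name, the user pool and client names, the hosted UI domain prefix, the callback URL, the IdP metadata URL and the SAML e-mail claim URI are all assumptions that have to be replaced with your own values. It builds a user pool with a SAML identity provider attached under federation, an app client that only offers that provider, and an API Gateway REST API whose method is protected by a COGNITO_USER_POOLS authorizer.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Added example (not from the original post). All names and URLs are assumed.

Resources:
  # Steps 2 and 3: the user pool that API Gateway will trust. No self sign-up;
  # users only arrive through the SAML federation configured below.
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: corp-sso-pool
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true

  # The hosted UI domain is what produces the login screen the question asks for.
  UserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      Domain: corp-sso-example          # assumed prefix, must be globally unique
      UserPoolId: !Ref UserPool

  # Step 3: the corporate SAML IdP attached under Federation. The metadata URL
  # and the e-mail claim name are assumptions (the claim URI differs per IdP).
  CorpSamlProvider:
    Type: AWS::Cognito::UserPoolIdentityProvider
    Properties:
      UserPoolId: !Ref UserPool
      ProviderName: CorpSAML
      ProviderType: SAML
      ProviderDetails:
        MetadataURL: https://idp.example.com/saml/metadata.xml
      AttributeMapping:
        email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  # App client restricted to the SAML provider, so the hosted UI shows only the
  # corporate login and never a Cognito-native password form. Authorization
  # code grant only; no implicit flow, no client secret for a browser app.
  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    DependsOn: CorpSamlProvider
    Properties:
      UserPoolId: !Ref UserPool
      ClientName: corp-api-client
      GenerateSecret: false
      SupportedIdentityProviders:
        - CorpSAML
      CallbackURLs:
        - https://app.example.com/callback   # assumed application URL
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows:
        - code
      AllowedOAuthScopes:
        - openid
        - email

  RestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: corp-microservice

  # Step 1: the Cognito authorizer. API Gateway checks the signature, expiry
  # and issuer of the JWT in the Authorization header against the pool's ARN.
  CognitoAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      Name: corp-cognito-authorizer
      Type: COGNITO_USER_POOLS
      RestApiId: !Ref RestApi
      IdentitySource: method.request.header.Authorization
      ProviderARNs:
        - !GetAtt UserPool.Arn

  # Every method has to opt in explicitly; a method left at AuthorizationType
  # NONE stays publicly reachable even though the authorizer exists.
  RootGet:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref RestApi
      ResourceId: !GetAtt RestApi.RootResourceId
      HttpMethod: GET
      AuthorizationType: COGNITO_USER_POOLS
      AuthorizerId: !Ref CognitoAuthorizer
      Integration:
        Type: MOCK                 # stand-in for the real microservice integration
        RequestTemplates:
          application/json: '{"statusCode": 200}'
        IntegrationResponses:
          - StatusCode: "200"
      MethodResponses:
        - StatusCode: "200"

  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: RootGet
    Properties:
      RestApiId: !Ref RestApi
      StageName: prod
```

With this in place, an unauthenticated user is sent by your front end to the hosted UI login endpoint of the assumed domain (`https://corp-sso-example.auth.<region>.amazoncognito.com/login?client_id=<client id>&response_type=code&scope=openid+email&redirect_uri=https://app.example.com/callback`), which immediately redirects to the corporate SAML IdP because CorpSAML is the only supported provider. After the SAML assertion comes back, the app exchanges the code at the pool's `/oauth2/token` endpoint and sends the resulting ID token in the `Authorization` header; the authorizer rejects anything that is not a valid, unexpired token issued by this pool. Two checks worth making before calling this done: confirm in the console that no method on the API is still `NONE`, and confirm that self sign-up is disabled on the pool, otherwise a Cognito-native account could bypass the corporate directory entirely.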

This question has a lot of elements. To start, your company size will have a lot to do with the type of authentication service you use.

Using Cognito user pools means that you or your team will have to manage users in that pool, and this means you would be responsible for maintaining this list by cleaning and possibly monitoring the pool. Not a bad idea if you have nothing else; however, I have a company of roughly 4000 people with Active Directory. It did not make sense for us to maintain this list if we could utilize an existing Active Directory.

In the end we used Onelogin and Cognito federated identities, which allowed us to connect to Active Directory while streamlining and centralizing user management to our IT department.

The second thing to consider is that you could use CloudFront and a VPC to limit access to your application by whitelisting IP addresses. Someone with network experience should be able to do this, and it would remove public exposure of your application.

Based on your ideas I think you're on the right track. A note to add: using Cognito federated identities has a max of a 1 hour window to use the credentials, putting refreshing tokens at a high priority. This is where user pools will help. With user pools, reauthentication will be a breeze.

Depending on what resources you are able to access, pick the best authentication service that either makes sense or is effective for your team. Don't pick one that will require work that is outside the reason for your app or not in your job title. Definitely use federated identities, as it streamlines giving AWS credentials and is built on top of AWS STS.

Let me know if you need specifics.
