AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your Mobile and Web...
Transcript of AWS re:Invent 2016: Add User Sign-In, User Management, and Security to your Mobile and Web...
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tim Hunt, Sr. Product Manager – Amazon Cognito
Vikram Madan, Sr. Product Manager – Amazon Cognito
Ravi Tiyyagura, Senior Director – Asurion
11/30/2016
Add User Sign-In, User Management, and Security to your Mobile and Web Applications with Amazon Cognito
Identity is mission critical for your applications
User Identity underpins three areas:
• Revenue Generation: Know your users; monitor engagement with your application
• Application Backbone: Store and manage user data; personalize your users’ experiences
• Security: Protect sensitive data; secure business-critical processes
Developing Auth Infrastructure is Difficult
• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your infrastructure upfront
• Implementing token-based authentication
• Support for multiple social identity providers
• Federation with corporate directories for B2E applications
Amazon Cognito Identity
• Your User Pools: You can easily and securely add sign-up and sign-in functionality to your mobile and web apps with a fully managed service that scales to support 100s of millions of users.
• Federated Identities: Your users can sign in with third-party identity providers, such as Facebook and SAML providers, and you can control access to AWS resources from your app.
(Diagram: a sign-in form with Username, Password and Submit, alongside identity sources labelled Corporate, OIDC, SAML and "Sign in with" social providers.)
Comprehensive Support for Identity Use Cases
Amazon Cognito: Identity Management Scenarios
• Business to Consumer
• Business to Employee: SAML federation with an enterprise directory
• Business to Business: Partner A, Partner B
• IoT Scenarios: AWS IoT
• API Gateway with Lambda: a custom authorizer returns Allow or Deny
• Access control for AWS resources: AWS IAM
Your User Pools
1. Serverless Authentication and User Management: Add user sign-up and sign-in easily to your mobile and web apps without worrying about server infrastructure
2. Enhanced Security Features: Verify phone numbers and email addresses and offer multi-factor authentication
3. Managed User Directory: Launch a simple, secure, low-cost, and fully managed service to create and maintain a user directory that scales to 100s of millions of users
Comprehensive User Flows
• User Sign-Up and Sign-In: Allow users to sign up and sign in using an email, phone number, or username (and password) for your application.
• Email or Phone Number Verification: Require users to verify their email address or phone number prior to activating their account with a one-time password challenge
• Forgot Password: Provide users the ability to change their password when they forget it with a one-time password challenge
• User Profile Data: Enable users to view and update their profile data – including custom attributes
• SMS Multifactor Authentication: Require users to complete a second factor of authentication by inputting a security code received via SMS as part of the sign-in flow
• Token Based Authentication: Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth 2.0 standards for user authentication in your backend
Customize these User Flows Using Lambda
Custom User Flows Using Lambda Hooks
(Category: Lambda Hook – Example Scenarios)
Custom Authentication Flow:
• Define Auth Challenge – Determines the next challenge in a custom auth flow
• Create Auth Challenge – Creates a challenge in a custom auth flow
• Verify Auth Challenge Response – Determines if a response is correct in a custom auth flow
Authentication Events:
• Pre Authentication – Custom validation to accept or deny the sign-in request
• Post Authentication – Event logging for custom analytics
Sign-Up:
• Pre Sign-up – Custom validation to accept or deny the sign-up request
• Post Confirmation – Custom welcome messages or event logging for custom analytics
Messages:
• Custom Message – Advanced customization and localization of messages
Custom Auth Flow
Cognito User Pools
Custom Authentication Challenges (e.g., CAPTCHA, passwordless auth, custom 2nd factors)
(Diagram: six numbered steps of challenge and response exchanged between the app and Cognito User Pools.)
Extensive Admin Capabilities
• Create and manage User Pools: Create, configure, and delete multiple user pools across AWS regions
• Define Custom Attributes: Define custom attributes for your user profiles
• Set per-App Permissions: Set read and write permissions for each user attribute on a per-app basis
• Set up Password Policies: Enforce password policies like minimum length and requirement of certain types of characters
• Require Submission of Attribute Data: Select which attributes must be provided by the user prior to completion of the sign-up process
• Search Users: Search users based on a full match or a prefix match of their attributes through the console or Admin API
• Manage Users: Conduct admin actions, such as reset user password, confirm user, enable MFA, delete user, and global sign-out
Remembered Devices
Remember the devices associated with your users
1. How do I reduce the friction that my users face when having to complete the 2nd factor challenge on every sign-in?
2. How do I build logic to associate devices with my users to achieve my specific business requirements?
Importing Existing Users
• Import users into your Cognito user pool by uploading .csv files
• Users will create a new password when they first sign in
• Each imported user must have an email address or a phone number
Your User Pools and Amazon API Gateway
1. Native Support: Configure API Gateway to accept ID tokens to authorize users based on their existence in a user pool – User Pools works together with API Gateway to authorize API requests
2. Custom Authorizer Function: Control access to your APIs using bearer token authentication strategies, such as OAuth or SAML – API Gateway’s custom authorizer feature uses bearer tokens to determine access privileges
Federate with Third Party Identity Providers
(Diagram: the user signs in with Username and Password at a SAML Identity Provider, for example Active Directory with ADFS; step 2, "Get AWS credentials", goes to Amazon Cognito; the credentials are then used to call Your APIs through API Gateway and Lambda and to reach DynamoDB and S3.)
Example Use Case: Asurion
Ravi Tiyyagura, Sr. Director, Enterprise Architecture
Asurion empowers people to make the most of the technology in their life
• Recover: Get you back up and running when you’re without your device
• Soluto Support: Make sure you’re never held back by technology
• Enjoy!: Help you unlock new value from your devices & applications
© Asurion 2016. All rights reserved
Asurion’s continuous innovation is helping 290M customers globally stay connected while driving loyalty to our partners’ brands
• Founded in the mid 1990s, Asurion has been serving the communications and retail industries for over 20 years
• Based in Nashville, Tennessee, Asurion has over 17,000 associates worldwide
• Serving more than 290 million consumers globally through our operations in 18 countries
• Asurion is privately held with annual revenues in excess of $5.8 billion
• Our management team comes from best-in-class companies with experience across mobile, wireline telecom, logistics, insurance, service contracts, consulting, customer care, marketing, retail and more
• Asurion partners with the world’s leading mobile carriers, retailers, and cable and satellite providers.
Expanding Global Presence (Corporate Overview)
• North America: Global Headquarters; 15 Corporate Owned Call Centers; Logistics Center
• South America: 2 Corporate Offices
• Europe: 3 Corporate Offices; 1 Corporate Owned Call Center
• Asia Pacific: 13 Corporate Offices; Logistics Center; 2 Corporate Owned Call Centers
Countries: Australia, Brazil, Canada, China/Hong-Kong, Colombia, England, France, Israel, Japan, Korea, Malaysia, Mexico, Philippines, Peru, Singapore, Taiwan, Thailand, United States
Asurion Use Case
• 40 million identities for Asurion mobile applications
• 2 million authentication requests per day
• Need for a global and highly available B2C IAM service - North America, Europe, APAC
• Ability to customize Sign-Up and Sign-In workflow
(Architecture diagram components: Asurion Mobile Apps, Asurion Websites, Amazon CloudFront, WAF, API Gateway, AWS Lambda functions, Cognito, Endpoints on Amazon EC2, Backend AWS Services, AWS IAM (API calls), AWS Direct Connect to the Asurion Private Cloud, Key Servers.)
Why Asurion Selected Amazon Cognito
• Scalable service with global presence
• Support for wide variety of Identity models
  • Custom: Cognito Sign-In, Developer Identities
  • 3rd party: Amazon, Facebook, Google, Twitter etc.
• Extensible provisioning workflow steps with Lambda function support
  • Invite user flow using an OTP delivered via email or SMS
• Out-of-Box support for identity functions such as:
  • Sign-Up
  • Forgot Password
  • Reset Password
• Good SDK support for all mobile and web platforms
Asurion implementation
• Multiple apps, starts with Device Identity
• Minimal user input
• Augment Device Identity with User details
• Provisioning based on the eligibility checks against On-Premise APIs
• Identity and sensitive data to be encrypted using Asurion hosted crypto service
• Tighter control over app libraries, for client approvals
• Predictable traffic routing
Registration Workflow (Asurion Device Sign-Up, with an Identity Pool ID)
Participants: End Users; Asurion Services (on AWS); Cognito; RDS; Asurion Services (on-prem): Crypto Service, Eligibility Service
(Sequence diagram, steps as labelled: Device Registration; SMS confirmation; SMS OTP code sent to the user; Submit the OTP code; Validate OTP; Check eligibility (Eligibility Service); Encrypt identity and sensitive data (Crypto Service); Sign-up with Cognito; Create Identity and Refresh tokens; Create device record and Create app record in RDS; Push tokens; Ready for service.)
Refresh Workflow (Asurion Device Refresh, with a Refresh Token)
Participants: End Users; Asurion Services (on AWS); Cognito; RDS
(Sequence diagram, steps as labelled: Device Refresh; Validate refresh token and Issue Identity token (Cognito); Refresh Identity; Refresh app record and Fetch/Update app changes (RDS); Push Identity token and App data; Ready for service.)
Registration Workflow (Asurion User Sign-Up, with an Identity Pool ID)
Participants: End Users; Asurion Services (on AWS); Cognito; RDS; Asurion Services (on-prem): Crypto Service, Eligibility Service
(Sequence diagram, steps as labelled: User Registration; Email/SMS confirmation; Validate Identity (Cognito); Check eligibility (Eligibility Service); Encrypt identity and sensitive data (Crypto Service); Update/Create user record and Update app record (RDS); Ready for service.)
What we learned
• Great collaboration
• Build in a robust testing program
• Weigh the costs and benefits of custom implementation
Demo
• Creating a user pool in Amazon Cognito: attributes, policies, verifications, apps, customizations, etc.
• Importing and creating users
• Customizing authentication
Demo Recap
• Easy to create and configure user pools
• Several options for creating and importing users
• Flows are customizable through Lambda triggers
Groups and Multiple Authenticated Roles
Cognito User Pools Groups: Group A maps to IAM Role A, Group B maps to IAM Role B, and so on.
Multiple Roles for Authenticated Identities (Cognito Federated Identities): an Authenticated User Identity gets credentials that map to different IAM roles, each with its own IAM Role and Policy, to control access to Backend Resources such as API Gateway, DynamoDB and S3.
Thank you!
Remember to complete your evaluations!