How to Configure AWS Cognito as an Identity Provider for User Access Manager

DataClarity Unlimited Analytics supports external identity provider integration for centralized user management. This guide walks you through configuring AWS Cognito as an identity provider to automatically provision users in DataClarity without requiring manual user creation.


Benefits of AWS Cognito Integration:

  • Centralized user management in AWS Cognito
  • Automatic user provisioning in DataClarity
  • Single sign-on (SSO) experience for users
  • Reduced administrative overhead
  • Seamless integration with existing AWS infrastructure

Prerequisites

Before starting the integration, ensure you have:

  • Administrative access to your DataClarity instance
  • AWS account with permissions to configure Cognito User Pools
  • Understanding of your organization's user attribute requirements
  • Network connectivity between DataClarity and AWS Cognito endpoints

Step 1: Configure AWS Cognito User Pool

Create or Configure User Pool

  1. Access AWS Cognito Console

    • Navigate to the AWS Console and open Amazon Cognito
    • Select "User pools" from the left navigation
  2. Create New User Pool (if needed)

    • Click "Create user pool"
    • Choose "Cognito User Pool" as the sign-in option
    • Configure required attributes (email, given_name, family_name recommended)
    • Set password policies as per your security requirements
  3. Configure App Client

    • In your User Pool, go to "App integration" tab
    • Click "Create app client"
    • App client name: DataClarity-Integration
    • App client type: Select "Confidential client"
    • Authentication flows: Enable "ALLOW_USER_SRP_AUTH" and "ALLOW_REFRESH_TOKEN_AUTH"
  4. Set Callback URLs

    • Add your DataClarity callback URL: https://[your-dataclarity-domain]/auth/realms/[realm-name]/broker/[alias]/endpoint
    • Replace [your-dataclarity-domain] with your actual DataClarity URL
    • Replace [realm-name] with your DataClarity realm (typically "dataclarity")
    • Replace [alias] with the identity provider alias you will set in Step 2 (e.g., aws-cognito); the broker path segment must match that alias exactly, or Cognito will reject the redirect
  5. Configure OAuth 2.0 Settings

    • Allowed OAuth flows: Enable "Authorization code grant"
    • Allowed OAuth scopes: Select "openid", "email", "profile"
  6. Note Configuration Details

    Record the following information for DataClarity configuration:

    • User Pool ID
    • App Client ID
    • App Client Secret
    • AWS Region
    • User Pool Domain (if using hosted UI)

Step 2: Configure DataClarity Identity Provider

Access DataClarity User Administration

  1. Login to DataClarity

    • Access your DataClarity instance as an administrator
    • Navigate to User Access Management (UAM)
  2. Access Master Console for Advanced Configuration

    • In UAM, switch to the Master Console for advanced identity provider configuration
    • Note: Advanced configuration options are only available in the Master Console, not in tenant-level consoles

Add AWS Cognito as Identity Provider

  1. Navigate to Identity Providers

    • In the Master Console, select your tenant realm
    • Click "Identity Providers" in the navigation menu
    • Click "Add provider" and select "OpenID Connect v1.0"
  2. Basic Configuration

    • Alias: aws-cognito (or your preferred identifier)
    • Display Name: AWS Cognito
    • Enabled: Toggle to ON
  3. OpenID Connect Settings

    • Discovery endpoint URL: https://cognito-idp.[region].amazonaws.com/[user-pool-id]/.well-known/openid-configuration (note the hyphen in openid-configuration)
    • Replace [region] with your AWS region (e.g., us-east-1)
    • Replace [user-pool-id] with your Cognito User Pool ID
  4. Client Authentication

    • Client ID: Enter your Cognito App Client ID
    • Client Secret: Enter your Cognito App Client Secret
    • Client Authentication: Select "Client secret sent as post"
  5. Advanced Settings

    • Default Scopes: openid email profile
    • Prompt: Leave empty or set to "select_account" if desired
    • Accepts prompt=none forward from client: OFF
    • Disable user info service: OFF
    • User info URL: Should auto-populate from discovery endpoint

Step 3: Configure User Provisioning

Enable Automatic User Creation

  1. User Creation Settings

    • Enabled: ON
    • Update First Login: ON
    • Trust Email: ON only if Cognito verifies email addresses; when trusted, the email claim from Cognito is accepted as verified without a separate verification step in DataClarity
    • Account Linking Only: OFF
    • Hide on Login Page: OFF (unless you want to hide the option)
  2. Authentication Flow Overrides

    • First Broker Login Flow: first broker login
    • Post Broker Login Flow: Leave empty or customize as needed

Configure Attribute Mapping

  1. Create Attribute Mappers

    Click "Add mapper" to create mappings for user attributes:

    Email Mapper:

    • Name: email
    • Mapper Type: Attribute Importer
    • Claim: email
    • User Attribute: email

    First Name Mapper:

    • Name: firstName
    • Mapper Type: Attribute Importer
    • Claim: given_name
    • User Attribute: firstName

    Last Name Mapper:

    • Name: lastName
    • Mapper Type: Attribute Importer
    • Claim: family_name
    • User Attribute: lastName

    Username Mapper:

    • Name: username
    • Mapper Type: Username Template Importer
    • Template: ${CLAIM.email} or ${CLAIM.preferred_username}
  2. Role Mapping (Optional)

    If you need to assign default roles:

    • Name: default-role
    • Mapper Type: Hardcoded Role
    • Role: Select appropriate DataClarity role

Step 4: Test the Integration

Perform Test Login

  1. Logout from DataClarity

    • Ensure you're completely logged out from DataClarity
  2. Access DataClarity Login Page

    • Navigate to your DataClarity login page
    • You should see an "AWS Cognito" option alongside the standard login
  3. Test Cognito Authentication

    • Click the "AWS Cognito" button
    • You'll be redirected to AWS Cognito login page
    • Login with a test user account from your Cognito User Pool
  4. Verify User Provisioning

    • After successful authentication, you should be logged into DataClarity
    • In the Master Console, check the Users section to confirm the user was auto-created
    • Verify that user attributes were properly mapped

Troubleshooting Common Issues

Issue: Redirect loop or authentication failure

  • Solution: Verify callback URLs match exactly in both Cognito and DataClarity configurations

Issue: User attributes not mapping correctly

  • Solution: Check attribute mapper configurations and ensure claims are available in Cognito tokens

Issue: Users not being created automatically

  • Solution: Verify "Create User If Unique" setting is enabled in the identity provider configuration in Master Console
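The following is an added Python example, not DataClarity's or Cognito's own code, that turns the mappers from Step 3 and the two troubleshooting checks above (callback URL shape, claims present in the token) into something you can run offline: it builds the discovery and callback URLs from the values recorded in Step 1, decodes an ID token payload for inspection (no signature verification, so never use it for authentication) and applies the attribute mappers, reporting any claim the token lacks. The domain, realm, pool id and user in it are constructed placeholders.

```python
import base64
import json

# Attribute mappers from Step 3: DataClarity user attribute -> Cognito ID token claim
ATTRIBUTE_MAPPERS = {"email": "email", "firstName": "given_name", "lastName": "family_name"}
USERNAME_TEMPLATE = "${CLAIM.email}"  # Username Template Importer from Step 3

def issuer(region, user_pool_id):
    """Issuer of the pool's tokens; the Step 2 discovery URL is this plus the well-known path."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"

def discovery_url(region, user_pool_id):
    """Discovery endpoint URL entered in Step 2 (note the hyphen in openid-configuration)."""
    return issuer(region, user_pool_id) + "/.well-known/openid-configuration"

def callback_url(domain, realm, alias):
    """Redirect URI registered in Cognito (Step 1); the broker segment must equal the IdP alias."""
    return f"https://{domain}/auth/realms/{realm}/broker/{alias}/endpoint"

def decode_claims(id_token):
    """Decode only the JWT payload, with no signature check: for inspecting claims, not for auth."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def map_user(claims, region, user_pool_id):
    """Apply the Step 3 mappers to a token from the expected pool; fail loudly on missing claims."""
    if claims.get("iss") != issuer(region, user_pool_id):
        raise ValueError(f"token issuer {claims.get('iss')!r} is not the configured user pool")
    template_claim = USERNAME_TEMPLATE[len("${CLAIM."):-1]  # "email" from "${CLAIM.email}"
    missing = sorted((set(ATTRIBUTE_MAPPERS.values()) | {template_claim}) - set(claims))
    if missing:
        raise ValueError(f"ID token lacks claims required by mappers: {missing}")
    user = {attr: claims[claim] for attr, claim in ATTRIBUTE_MAPPERS.items()}
    user["username"] = claims[template_claim]
    return user

def make_unsigned_token(claims):
    """Constructed ID token (header.payload.fake-signature) so the checks run offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.constructed-signature"

# Constructed sample: this pool id and user are placeholders, not real identifiers
SAMPLE_CLAIMS = {"iss": issuer("us-east-1", "us-east-1_EXAMPLE"), "sub": "constructed-sub",
                 "email": "jane.doe@example.com", "email_verified": True, "given_name": "Jane",
                 "family_name": "Doe", "cognito:username": "jane.doe"}
SAMPLE_ID_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)
```

To check a real token, paste its ID token string in place of SAMPLE_ID_TOKEN and call map_user with your region and pool id; a ValueError names exactly which mapper will fail.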

Step 5: Configure User Experience (Optional)

Customize Login Flow

  1. Hide Standard Login (if desired)

    • In Identity Provider settings, set "Hide on Login Page" to ON
    • Configure automatic redirect to Cognito

Set Default Identity Provider

  1. Auto-redirect to Cognito

    • In the Master Console, go to "Authentication" settings
    • Configure the browser flow to automatically redirect to Cognito
    • This provides a seamless SSO experience

Security Considerations

Network Security:

  • Ensure HTTPS is enabled on all endpoints
  • Configure proper CORS settings if needed
  • Review firewall rules for DataClarity-Cognito communication

Token Security:

  • Configure appropriate token lifetimes in Cognito
  • Enable token refresh for long-lived sessions
  • Consider implementing logout propagation