I need to design SSO solution for different applications in an organization. The current Identity provider is AD on-premises. Here is what I have
- Different Microservices are hosted on multiple AWS EC2
- Front End application implemented using Angular2
- Authentication Service: which validates the users credentials against an Identity provider and generates a jwt
- Authorization service: check the user rights
Here is required behavior:
- The Authentication service is responsible for checking if the credentials are valid against AD and then issuing a JWT.
- The Authorization service is responsible for checking if the user has the required permissions to access a specific resource (another micro-service or viewing a page)
If I am using Azure I would do the following:
- "Azure AD Connect" to sync the users between AD on Premises & "Azure AD"
- "Azure AD" will serve as Identity Provider
- When the users log in to one of the applications, Azure AD will verify the user's identity and send him a JWT
- JWT will be used to check the user privileges and make subsequent calls to other microservices
What type of services should I use for Amazon to generate JWT?
The logical choice for Amazon is Cognito Federated Identities which supports Active Directory, specifically ADFS, as an identity provider via SAML integration. After authentication, Cognito returns a JWT token which is then exchanged for Amazon credentials (authorization).
Amazon Cognito Federated Identities