Duo as MFA IdP in AWS ALB

Protecting Applications forum
#1

Hello,

Either with Cognito or OIDC, is there any documentation or working case about setting up Duo as MFA gateway for an AWS ALB?

I’ve found documentation accomplishing the same thing with Okta, but I don’t get it to work completely.

Also, does Duo support acting as OIDC provider? (Okta does).

Thanks.

#2

Okay, I see that no OIDC support as of today (surprise…)

So the only way is Cognito+SAML.

#3

Hello,

Paying customer, 150 licenses. Will I get a reply please?

Thanks.

#4

Hi @Ruben_Cardenal,

Sorry for the long response time, most of Cisco was closed for the winter break. In the future I’d recommend directly contacting support if you have a question you’d like a faster answer to as those get tracked through a ticketing system and they are able to see your account details.

To answer your original question, Duo SSO does not currently support OIDC but we are actively working on developing it. In the meantime, you can definitely use Cognito + SAML using Duo SSO, I’ve done this before myself. You’ll need to make sure to create a generic SAML service provider in the Duo Admin Panel.

1 Like
#5

Hello Jamie,

Every time I open a support ticket it goes days and days and days and even weeks until I get some sort of initial reply. And other forum’s moderators said that it was better to ask here instead of opening support tickets or even contact you guys by phone for tech support tickets (…).

Anyway… moving on.

Yes, I know that Cognito+SAML works. But what I’m trying to achieve is AWS ALB + Cognito + SAML. I’ve found documentation for Okta about AWS ALB + OIDC, hence my OIDC question here.

Having Cognito + Duo is well documented:

but when I put that user pool behind an AWS ALB (and I have other ALB’s working perfectly with Cognito + Google IdP) it just doesn’t work.

Do you know of any implementation with AWS ALB + Cognito + SAML? Or can you or someone else assist me in this? I can provide screenshots of every single part involved. I also tried to setup the Network Gateway but that requires to triple our monlthy bill with you and, if we had to go to that point, we’d just go to Okta, because it would be cheaper ($7/user/month with Okta, $9/user/month with Duo).

Thanks.

#6

Hi @Ruben_Cardenal,

Let me try to translate the documentation I have internally related to this when I tested it out. Please note this is from 2019 so some of the AWS settings might have changed. This assumes you have nothing in Cognito yet so feel free to skip over the steps you’ve already done.

Create Generic Service Provider

  1. Log on to the Duo Admin Panel and navigate to Applications .

  2. Click Protect an Application and locate the entry for Generic Service Provider with a protection type of “2FA with SSO hosted by Duo (Single Sign-On)” in the applications list. Click Protect to the far-right to start configuring Generic Service Provider. See Protecting Applications for more information about protecting applications in Duo and additional application options. You’ll need the information on the Generic Service Provider page under Metadata later.

  3. Click Download XML under the metadata section to download the XML that will be used later.

Create the Cognito User Pool

  1. Navigate to the Amazon Cognito page in AWS Management Console

  2. Click Manage User Pools

  3. Click Create a user pool

    1. Under Pool name type the name of your Pool
    2. Select Step through settings
    3. On the Attributes page under How do you want your end users to sign in? make sure that Username is checked but that none of the sub-checkboxes are checked.
    4. Under Which standard attributes do you want to require? make sure to uncheck the attribute email . NONE OF THESE SHOULD BE CHECKED. They cannot be changed later so if you mess this up you’ll have to delete the user pool and start over.
    5. Click Next step

image
image3340×1580 368 KB

  1. The Policies page leave all values at their default and click Next step

  2. On the MFA and verifications page leave all values at their default and click Next step

  3. On the Message customizations page leave all values at their default and click Next step

  4. On the Tags page leave all values at their default and click Next step

  5. On the Devices page leave all values (Set to No) at their default and click Next step

  6. On the App clients page click Add an app client

    1. Under App client name type a name for your client
    2. Under Refresh token expiration (days)
    3. Make sure Generate client secret is checked and that nothing else is.
    4. Click Create app client
    5. The page will then display the Client App name click Next Steps

image
image3314×1434 261 KB

  1. On the Triggers page leave all values at their default and click Next step

  2. On the Review page click Create pool

  3. The page will refresh with new settings.

  4. Make note of the Pool Id you will need this later.

Set up a Cognito domain name

  1. On the User Pool page under App integration click Domain name on the left-hand side navigation menu
  2. Under Amazon Cognito domain you can type in a subdomain and click Check availability .
  3. If available type Save changes
  4. Make note of the ENTIRE domain name as you will need it later.

Screen Shot 2019-02-25 at 1.18.22 PM
Screen Shot 2019-02-25 at 1.18.22 PM2580×1416 255 KB

Setting up SAML Federation to Cognito

  1. On the User Pool page under Federation click Identity Providers on the left-hand side navigation menu
  2. On the Identity Providers page click SAML
  3. Click Select File and pick the Duo SSO XML file you have.
  4. Under Provider name type the name of the SAML Provider to reference it.
  5. Click Create provider

Screen Shot 2019-02-25 at 10.39.10 AM
Screen Shot 2019-02-25 at 10.39.10 AM3238×1842 384 KB

Set Duo SSO up for Cognito

Return to the Duo Admin Panel with your generic application open and populate the following fields:

  1. Entity ID: urn:amazon:cognito:sp: + Pool Id

  2. Example: urn:amazon:cognito:sp:us-east-1_8ULmhQ4vz

  3. ACS URL: This will be your Cogntio Domain name + /saml2/idpresponse

  4. Example: https://subdomain.auth.us-east-1.amazoncognito.com/saml2/idpresponse

  5. NameID type : emailAddress

  6. NameID value:: Whatever value you use for email. If using our standard bridge attributes select the <Email Address> value from the drop-down.

  7. Click Save at the bottom of the page.

Set up App Client values in Cognito

  1. On the User Pool page under App integrations click App client settings on the left-hand side navigation menu
  2. Under Enabled Identity Providers select the IdP you named for DuoSSO .
  3. Under Callback URL(s) type the URL that will be used for the domain + /oauth2/idpresponse
    Example: https://Cognito-Test.us-east-1-elb.amazonaws.com/oauth2/idpresponse
  4. Under Allowed OAuth Flows check the box next to Authorization code grant
  5. Under Allowed OAuth Scopes select openid
  6. Click Save changes

Screen Shot 2019-02-25 at 1.32.07 PM
Screen Shot 2019-02-25 at 1.32.07 PM3130×1738 437 KB

Configure the Application Load Balancer to use Cognito for Auth

  1. Go to the EC2 Dashboard → Load Balancing → Load Balancers

  2. Select the load balancer you created earlier and click on Listeners tab.

  3. Next to the HTTP: 80 rule click View/edit rules

    1. Click the pencil icon at the top of the screen

    2. Click the pencil icon under the Rule name

    3. Click the trash can icon under THEN . This deletes the current routing rule.

    4. Click the “+ Add action” under the THEN and select Redirect to… from the dropdown. New options will appear

      1. Under 1. Redirect to… make sure HTTPS is selected
      2. Type 443 in the Port field
      3. Click the blue checkmark

    5. Click Update and Update again

  4. Next to the HTTPS: 443 rule click View/edit rules

    1. Click the pencil icon at the top of the screen

    2. Click the pencil icon under the Rule name

    3. Click the trash can icon under THEN . This deletes the current routing rule.

    4. Click the “+ Add action” under the THEN and select Authenticate… from the dropdown. New options will appear

      1. Click under Cognito user pool and select the name of the pool you created earlier
      2. Click under App client and select the name of the app client you created earlier (You may need to check the App Client ID in Cognito)
      3. Click the blue checkmark
        Screen Shot 2019-02-25 at 1.58.38 PM
        Screen Shot 2019-02-25 at 1.58.38 PM2460×1076 165 KB

    5. Click the “+ Add action” under the THEN and select Forward to… from the dropdown.

      1. In the dropdown field select the EC2 instance that the load balancer is pointed at.
      2. Click the blue checkmark

    6. Click Update

Test an Authentication

  1. Once DNS and everything has been modified go to the URL of your application protected by the ALB (over port 80 or 443) and you should be redirect to Duo SSO for auth
  2. Upon successful authentication you should be allowed through to access the underlying app
1 Like
#7

Hello jamie,

I had kind of the same already configured, but anyway began from scratch again following the guide you shown. At first it wasn’t working, but finally now I am able to do get to use Duo + Cognito with an ALB.

Thanks!

Would be nice, anyway, having OIDC because makes the process way easier to be setup.

Thanks!

#8

Hello @jamie,

Could I ask up a follow-up question to this as we just recently set up DUO generic SSO to Cognito as well. How can we configure DUO generic SSO provider and Cognito so we can pass through what DUO groups a user is a member of? I can see “Role attributes” in DUO but not sure what to put in that section nor what to put on the Cognito side.

Cheers
Damien