Sorry for the long response time, most of Cisco was closed for the winter break. In the future I’d recommend directly contacting support if you have a question you’d like a faster answer to as those get tracked through a ticketing system and they are able to see your account details.
To answer your original question, Duo SSO does not currently support OIDC but we are actively working on developing it. In the meantime, you can definitely use Cognito + SAML using Duo SSO, I’ve done this before myself. You’ll need to make sure to create a generic SAML service provider in the Duo Admin Panel.
Every time I open a support ticket it goes days and days and days and even weeks until I get some sort of initial reply. And other forum’s moderators said that it was better to ask here instead of opening support tickets or even contact you guys by phone for tech support tickets (…).
Anyway… moving on.
Yes, I know that Cognito+SAML works. But what I’m trying to achieve is AWS ALB + Cognito + SAML. I’ve found documentation for Okta about AWS ALB + OIDC, hence my OIDC question here.
Having Cognito + Duo is well documented:
but when I put that user pool behind an AWS ALB (and I have other ALBs working perfectly with Cognito + Google IdP) it just doesn’t work.
Do you know of any implementation with AWS ALB + Cognito + SAML? Or can you or someone else assist me in this? I can provide screenshots of every single part involved. I also tried to set up the Network Gateway but that requires tripling our monthly bill with you and, if we had to go to that point, we’d just go to Okta, because it would be cheaper ($7/user/month with Okta, $9/user/month with Duo).
Let me try to translate the documentation I have internally related to this when I tested it out. Please note this is from 2019 so some of the AWS settings might have changed. This assumes you have nothing in Cognito yet so feel free to skip over the steps you’ve already done.
Create Generic Service Provider
Log on to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate the entry for Generic Service Provider with a protection type of “2FA with SSO hosted by Duo (Single Sign-On)” in the applications list. Click Protect to the far-right to start configuring Generic Service Provider. See Protecting Applications for more information about protecting applications in Duo and additional application options. You’ll need the information on the Generic Service Provider page under Metadata later.
Click Download XML under the metadata section to download the XML that will be used later.
Create the Cognito User Pool
Navigate to the Amazon Cognito page in AWS Management Console
Click Manage User Pools
Click Create a user pool
Under Pool name type the name of your Pool
Select Step through settings
On the Attributes page under How do you want your end users to sign in? make sure that Username is checked but that none of the sub-checkboxes are checked.
Under Which standard attributes do you want to require? make sure to uncheck the attribute email. NONE OF THESE SHOULD BE CHECKED. They cannot be changed later so if you mess this up you’ll have to delete the user pool and start over.
Click the “+ Add action” under the THEN and select Forward to… from the dropdown.
In the dropdown field select the EC2 instance that the load balancer is pointed at.
Click the blue checkmark
Click Update
Test an Authentication
Once DNS and everything has been modified go to the URL of your application protected by the ALB (over port 80 or 443) and you should be redirected to Duo SSO for auth
Upon successful authentication you should be allowed through to access the underlying app
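The guide above hinges on the user pool settings that cannot be changed after creation (Username sign-in with no alias/username attributes, no required standard attributes) and on the ALB rule ordering (authenticate with Cognito, THEN forward). As an added example that is not part of the original post, this script checks a `describe_user_pool` response against those constraints and builds the matching listener-rule actions; the two sample pools are constructed, and the ARNs, client id and domain prefix are placeholders.

```python
"""Added example: validate a Cognito user pool against the Duo SSO guide's
constraints and build the ALB listener-rule actions it describes."""

# Cognito always reports "sub" as required; it is not a user-chosen setting.
ALWAYS_REQUIRED = {"sub"}


def user_pool_problems(pool: dict) -> list[str]:
    """Findings for settings the guide says must NOT be set (the "UserPool"
    dict returned by cognito-idp describe_user_pool). Empty list == OK."""
    problems = []
    if pool.get("AliasAttributes"):
        problems.append(f"AliasAttributes set: {pool['AliasAttributes']}")
    if pool.get("UsernameAttributes"):
        problems.append(f"UsernameAttributes set: {pool['UsernameAttributes']}")
    for attr in pool.get("SchemaAttributes", []):
        if attr.get("Required") and attr["Name"] not in ALWAYS_REQUIRED:
            problems.append(f"required attribute: {attr['Name']}")
    return problems


def alb_auth_rule_actions(user_pool_arn: str, client_id: str,
                          domain_prefix: str, target_group_arn: str) -> list:
    """Actions for elbv2 create_rule: Cognito authentication first (Order 1),
    then the "Forward to..." action added under THEN (Order 2)."""
    return [
        {"Type": "authenticate-cognito", "Order": 1,
         "AuthenticateCognitoConfig": {
             "UserPoolArn": user_pool_arn,
             "UserPoolClientId": client_id,
             "UserPoolDomain": domain_prefix,
             "OnUnauthenticatedRequest": "authenticate"}},
        {"Type": "forward", "Order": 2, "TargetGroupArn": target_group_arn},
    ]


def check_live_pool(user_pool_id: str) -> list[str]:
    """Fetch a real pool with boto3 (imported lazily so the checks above run
    offline) and return its findings."""
    import boto3  # requires AWS credentials in the environment
    resp = boto3.client("cognito-idp").describe_user_pool(UserPoolId=user_pool_id)
    return user_pool_problems(resp["UserPool"])


# Constructed samples: a pool built as the guide says, and a misconfigured one.
GOOD_POOL = {"SchemaAttributes": [{"Name": "sub", "Required": True},
                                  {"Name": "email", "Required": False}]}
BAD_POOL = {"AliasAttributes": ["email"],
            "SchemaAttributes": [{"Name": "sub", "Required": True},
                                 {"Name": "email", "Required": True}]}

if __name__ == "__main__":
    print("good:", user_pool_problems(GOOD_POOL) or "OK")
    print("bad:", user_pool_problems(BAD_POOL))
```

A non-empty result for an existing pool means it has to be deleted and recreated, as the guide notes, rather than edited in place.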
I had kind of the same already configured, but anyway began from scratch again following the guide you showed. At first it wasn’t working, but finally now I am able to use Duo + Cognito with an ALB.
Thanks!
It would be nice, anyway, to have OIDC because it makes the process way easier to set up.
Could I ask a follow-up question to this as we just recently set up DUO generic SSO to Cognito as well. How can we configure DUO generic SSO provider and Cognito so we can pass through what DUO groups a user is a member of? I can see “Role attributes” in DUO but not sure what to put in that section nor what to put on the Cognito side.