-2

I have a simple AWS Lambda app. I need to front it with SSO, our IdP provider is Okta. The app is rarely used by a large amount of employees. What would be the easiest way to do that without additional expenses and InfoSec complications (Amazon Cognito, ...)?

Improve this question

1 Answer 1

Reset to default
1
+50

Note: You have in parentheses (Amazon Cog[n]ito, ...). I assume you are supplying Amazon Cognito as something you are considering, not something you want to avoid.

I think a relatively easy and cost-effective way would be to:

  1. Put your AWS Lambda app behind an AWS API Gateway REST API. Use Lambda proxy integration if you want to have the Lambda app handle all paths.
  2. Set up a Cognito User Pool with Okta as a SAML identity provider (https://repost.aws/knowledge-center/cognito-okta-saml-identity-provider).
  3. Set up a Cognito authorizer for your API Gateway API.

There will be some cost associated with the user pool and API, but I think this will be small compared to the complexity you would have to assume by handling all the SAML flows in your own code.

Improve this answer
3
  • Thank you Doug! I did what you've said, now I have a problem. I use API Gateway REST API, but I serve a browser app, not an API. When I integrated Cognito, Cognito authorizer redirects to the app with ?code= in the URL, however, that fails with app throwing 401. It seems App expects Authorization header, not the code argument?
    – NetworkMeister
    Commented Jul 1 at 15:41
  • I'm not immediately sure how to fix that. I notice that these docs (docs.aws.amazon.com/apigateway/latest/developerguide/…) say "For Token source, enter Authorization as the header name to pass the identity or access token that's returned by Amazon Cognito when a user signs in successfully." Is your token source set to Authorization? Also, when it redirects to ?code=..., what's the path? Is it the same path as your app? When I've used Cognito in the past, I've had to do some other work at the path I get redirected to, but that may not apply here.
    – Doug Naphas
    Commented Jul 1 at 19:42
  • These docs assume you have REST API and control over client code, so you can take token and put it in Authorization header of the next request. In my case, I have a web app, so I cannot control the browser and browsers request headers.
    – NetworkMeister
    Commented Jul 2 at 11:13

Not the answer you're looking for? Browse other questions tagged or ask your own question.