Simple Authentication

When Blacklight evaluated technologies for the partners in our platform, the cloud provider was a major piece of the decision. We needed a partner that was robust and provided virtually infinite scale, clear pricing and, most of all, the breadth of tools our customers most need. While other providers offered great integration for a specific stack or focused on big data, we needed a provider that could support all of these while also enabling the toolkit for secured customer-facing content. AWS was the clear choice for our needs.

Amazon Web Services (AWS) takes most of the heavy lifting of running your IT operations off your plate, leaving you to focus on running your business. They can manage your database (whether NoSQL or traditional), web servers, containers, big data, machine learning and monitoring; you name it, they handle it. Most companies today provide either web applications or a mobile application to their customers. Security is fundamental for these interfaces, and our reference architecture standardizes on AWS through Cognito.

When Blacklight builds a web application for a customer who wants to restrict access to custom content, we do not build out a custom authentication solution; we use Cognito to manage the users of the application. Setting up the pool that handles users for such an application is quite simple. There is a simple 9-step wizard in which you define things like password security, multi-factor authentication, messaging, and triggers. After configuring your Cognito pool, you can use the SDK to integrate the backend authentication with your application. Amazon's documentation provides excellent examples of the API functions available to you, such as user registration, authentication, confirmation and various other methods you may want to call from the client. All you have to do is implement the front-end look and feel, and AWS takes care of the authentication and user management.

The triggers that are made available during the construction of the pool allow for the injection of custom logic at various steps of the user's registration, confirmation and authentication. In the past I have used triggers to craft custom email messages sent after registration. This allowed the users to confirm by clicking a link sent via email without having them fill out a confirmation form. Today Cognito provides nine different hooks after which you can inject custom code.

As part of most applications, charts are embedded using the business intelligence layer of our platform, which comes from Yellowfin. Using triggers, we can hook into the registration workflow to register the user with Yellowfin using their web services calls, as described in their wiki. Yellowfin uses a token process for single sign-on, which we can weave into Cognito's flow to create a fully managed and seamless experience for end users authenticating into the application. When a user logs into the application, we can use another Cognito trigger, post authentication, to authenticate into Yellowfin and get a session ID used to run reports. This allows the creation of content in a robust BI tool instead of having to write custom code to render visualizations.

To secure access to APIs that you create, you assign users to groups in Cognito. Within the group, you can grant users of the group specific IAM roles which allow access to certain AWS resources, like API Gateway calls or Lambda function calls. Users are not automatically assigned to groups, however, so if you need a default group, you can hook into the post confirmation trigger to auto-assign users after confirmation. Alternatively, you can create an admin screen that lets an administrator change the groups associated with a user. Either way, groups let you grant access to secure AWS resources to enable certain functionality, like rendering content. If you don't want to use the authentication method that Cognito provides, Cognito allows you to use federated identities with services such as Google+ and Facebook, or more traditional services like Active Directory from Windows via SAML. That enables a complete enterprise solution that integrates with a fully functional business intelligence tool, hitting the sweet spot for technical integration of an embedded analytics solution.
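The post confirmation hook for a default group, sketched as an added example (not Blacklight's or AWS's own code). The group name `standard-users`, the `DEFAULT_GROUP` environment variable and the `RecordingClient` stand-in are assumptions; `admin_add_user_to_group` is the boto3 `cognito-idp` call.

```python
import os

# Assumed group name; map it to the least-privileged IAM role.
DEFAULT_GROUP = os.environ.get("DEFAULT_GROUP", "standard-users")
# Cognito also fires this trigger as PostConfirmation_ConfirmForgotPassword;
# acting on that would re-add users an administrator had removed from the group.
SIGNUP_SOURCE = "PostConfirmation_ConfirmSignUp"


def assign_default_group(event, idp_client, group=DEFAULT_GROUP):
    """Add the confirmed user to `group`; return True if an assignment was made."""
    if event.get("triggerSource") != SIGNUP_SOURCE:
        return False
    # The group is fixed server-side, never read from user-supplied attributes,
    # so a sign-up request cannot choose its own privileges.
    idp_client.admin_add_user_to_group(
        UserPoolId=event["userPoolId"],
        Username=event["userName"],
        GroupName=group,
    )
    return True


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; lazy import keeps offline runs working

    assign_default_group(event, boto3.client("cognito-idp"))
    return event  # Cognito requires the trigger to return the event object


class RecordingClient:
    """Constructed stand-in for the cognito-idp client, for offline runs."""

    def __init__(self):
        self.calls = []

    def admin_add_user_to_group(self, **kwargs):
        self.calls.append(kwargs)


if __name__ == "__main__":
    # Constructed sample event carrying the fields this handler reads.
    sample = {"triggerSource": SIGNUP_SOURCE, "userPoolId": "us-east-1_EXAMPLE",
              "userName": "jdoe"}
    client = RecordingClient()
    print(assign_default_group(sample, client), client.calls)
```

The function's execution role needs `cognito-idp:AdminAddUserToGroup` on the user pool and nothing broader.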

AWS Cognito takes the hassle of user management off your plate when creating web applications or apps. It simplifies this by providing an easy setup process for your pool, integrating with other AWS services like Lambda and API Gateway, providing an easy SDK to integrate with your application, and allowing the use of common user authentication services. With the ever-growing list of services provided by AWS, developers can focus on their domain and product managers can focus on growing customer engagement.

December 20th, 2017 | Data Practices, Embedded BI, Engineering, Products