El Guapo

Reputation: 5781

Using AWS AD to Store Users for API Gateway

I have a client that has an on-prem AD server... I am developing an application running through API Gateway that will use a custom authorizer to authorize the endpoints. The on-prem AD server will be used to authenticate internal users; I am thinking about deploying an AD server in AWS for external users and using some sort of "link" between the two to connect them.

I want to query AD to authenticate the users and then get their IAM roles to allow access to the API. Is this a good implementation?

Upvotes: 0

Views: 1068

Answers (1)

Masuo Gates

Reputation: 21

If you are able to run AD FS and expose it to Cognito, I would suggest looking into using Cognito Federated Identity and setting the Method to require AWS_IAM authorization. Here is a link to the docs for AD FS:

https://aws.amazon.com/blogs/mobile/announcing-saml-support-for-amazon-cognito/

Alternatively, if you can't run AD FS and are running AWS Directory Service for Microsoft Active Directory for some other purpose, you could create a trust relationship to your on-prem AD through Direct Connect / VPN. You could then create a service which takes the AD credentials and authenticates the user via LDAP (a Lambda function configured to be used with a VPC). Finally, a custom authorizer could be created that validates the token for subsequent calls and returns an appropriate IAM policy.

Upvotes: 2
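The second design in the answer above (an LDAP login service that hands out a token, and a custom authorizer that validates that token on every call and returns an IAM policy) in working code. This is an added example, not code from the original answer or from AWS: it assumes the login service (the LDAP bind itself is not shown) issues an HS256-signed compact JWT carrying the user's AD groups in a `groups` claim, that the signing secret is shared with the authorizer, and that a hypothetical `GROUP_ROUTES` table maps AD groups to the `METHOD/resource` routes they may invoke. Only the Python standard library is used.

```python
"""Lambda custom authorizer for API Gateway (added example, not the page's own code).

Assumptions: a separate AD/LDAP login service has already authenticated the user
and minted the token with issue_token(); SHARED_SECRET is known to both sides;
GROUP_ROUTES is a hypothetical authorization table.
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"demo-secret-change-me"   # constructed demo value; load from Secrets Manager/SSM in production
TOKEN_TTL_SECONDS = 3600

# Hypothetical mapping: AD group -> API routes ("METHOD/resource") that group may call.
GROUP_ROUTES = {
    "api-readers": {"GET/orders"},
    "api-admins": {"GET/orders", "POST/orders", "DELETE/orders"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, groups: list, secret: bytes, now: int = None) -> str:
    """Mint an HS256 JWT for a user the LDAP login service has just authenticated."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": username, "groups": groups, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: bytes, now: int = None) -> dict:
    """Return the claims if signature and expiry check out; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # reject alg=none / algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def _policy(principal: str, effect: str, resource: str, context: dict) -> dict:
    """Response shape API Gateway expects from a Lambda (TOKEN-type) authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}],
        },
        "context": context,   # values must be string/number/bool; they reach the backend as $context.authorizer.*
    }


def authorize(token: str, method_arn: str, secret: bytes, now: int = None) -> dict:
    """Decision logic, kept out of the Lambda entry point so it is unit-testable.

    method_arn looks like arn:aws:execute-api:REGION:ACCOUNT:API/STAGE/METHOD/resource.
    """
    claims = verify_token(token, secret, now)    # any invalid token raises -> handler maps to 401
    _api_arn, _stage, method, *path = method_arn.split("/")
    route = f"{method}/{'/'.join(path)}"
    groups = claims.get("groups", [])
    allowed = set().union(*(GROUP_ROUTES.get(g, set()) for g in groups))
    effect = "Allow" if route in allowed else "Deny"
    # Scope the policy to the single route invoked: API Gateway caches this result per
    # token for the authorizer TTL, so a wildcard Allow here would leak across routes.
    return _policy(claims["sub"], effect, method_arn, {"groups": ",".join(groups)})


def lambda_handler(event, context):
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[7:]
    try:
        return authorize(token, event["methodArn"], SHARED_SECRET)
    except ValueError:
        raise Exception("Unauthorized")   # this exact message makes API Gateway return 401
```

A valid token for a user whose groups do not cover the route yields an explicit Deny (403), while a missing, tampered or expired token raises and produces a 401. Because API Gateway caches the returned policy per token value for the configured TTL, keep the `Resource` scoped to the invoked method ARN rather than `*`, or a user's first allowed call would grant them every route for the cache lifetime.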
