Versions Compared

Version Old Version 2 New Version 3
Changes made by

Luis Palacios

Luis Palacios

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Anchor
_Hlk38994734
_Hlk38994734
Moventus
Clarity Hosting
Cognito User Portal
Date: 04/30/2020
Version: 1.6


Anchor
_Hlk38994778
_Hlk38994778
Anchor
_Toc39234181
_Toc39234181
Contents



1. Contents
2. Document Revision History
3. Purpose
4. Approach
5. Design
5.1 Use Cases
5.2 Architecture Diagram
5.3 Sequence Diagrams
5.3.1 Login
5.3.2 Federated Account Merge
5.3.3 Federated Login
5.3.4 Logout
5.4 Model Diagrams
5.4.1 Clarity PPM Cognito Service – Callback.jsp
5.4.2 Clarity PPM Cognito Service – Logout.jsp
5.4.3 Cognito User Sync Job
6. Deployment
6.1 Component Description
6.2 Clarity PPM Cognito Service
6.3 Cognito User Sync Job
6.4 Cognito-PreSignUp
7. Configuration
7.1 Cognito
7.1.1 DNS Setup
7.1.2 SES Setup
7.1.3 Cognito - User Pool Setup
7.2 Clarity PPM Cognito Service
7.3 Cognito User Sync Job
8. Appendix
8.1 FAQ
8.2 Helpful Links
8.3 Monitoring Recommendations
8.4 Error Codes


Anchor
_Toc36654170
_Toc36654170
Anchor
_Toc39234182
_Toc39234182
Document Revision History


Version

Date

Name

Description

1.0

04/08/2020

Luis Palacios

Document Creation

1.1

04/09/2020

Luis Palacios

Document Creation

1.2

04/11/2020

Luis Palacios

SAML Flow
Naming Conventions
User Group Configuration
Cognito User Sync Job Flow

1.3

04/16/2020

Luis Palacios

Federated Sequence Diagrams
Reorganize section: Architecture
Added Lambda Function
Cognito Setup

1.4

04/17/2020

Luis Palacios

Deeplink Support

1.5

04/28/2020

Luis Palacios

5.Design edits
8. Appendix edits
Updated naming conventions

1.6

04/30/2020

Luis Palacios

Ver 1.0.3 additions


Anchor
_Toc39234183
_Toc39234183
Purpose

Amazon Cognito is a simple to use identity service, which will be used for Moventus – Clarity Hosting in order to secure and centralize authentication and user management. By doing this, we enhance the overall experience from an operational and customer perspective:

  • Supporting multiple authentication methods: SAML, Form Based Authentication, Open ID
  • We protect the Clarity PPM application with an authentication service
  • By allowing all authentication requests to be processed by OAUTH we standardize the process and ease of use
  • Automatically expose functionality like MFA, Password Resets, among other functionality


While maintaining a standard, regulated process:

  • Using a certified platform, that aligns with the use of AWS
  • GDPR and Geolocated compliance
  • Effectively provide a similar portal to the Broadcom provided OD Portal


Anchor
_Toc39234184
_Toc39234184
Approach

The intention of the following document is to provide the necessary steps and implications in order to properly deliver and maintain an effective SSO and Authentication architecture. Each step will be properly outline and explain in further detail through the following sections.
As a minimum the solution is intended to provide the following, through a stable IDaaS Architecture:

Objective

Approach

Provide a solution that aligns with the overall program

By using an AWS service:

  • The solution aligns with the operational processes
  • Aligns with all compliance policies and certifications AWS provides
  • Can be used for the overall IAM program to properly managed customer and agent access to Clarity PPM, Other Applications and AWS IAM for resource access

Provide a secure front-end authentication service for Clarity PPM

  • Cognito provides a native OAUTH mechanism to perform all operations
  • Allows for BYO-SSO and/or a custom login page
  • Provides User and Group management segregated by Pools and Regions to comply with multi tenancy.

Provide commonly requested functionality

By using the OOTB Login functionality, the following can be provided:

  • MFA
  • Self- service password reset
  • Credential and device validation

Provide SSO and Open ID Capabilities

  • Provides access to common authentication mechanisms for well-known vendors
  • Provides SAML and OpenID compatibility.

Support Clarity PPM Functionality

  • The solution will allow for direct access to REST API, XOG, ODATA without forcing SSO solutions
  • While the UI and navigation will force users to:
    • Use a standardized authentication mechanism
    • Allow for native support for deep links and SSO session management
  • Automatic User Synchronization and validations

A logical future roadmap

  • Implement authentication for Administrators through IAM
  • Support future functionality like self-service registration
  • Automation through AWS Lambda
  • Integrate with other Rego provided services like ticketing systems, knowledge bases, etc.


Anchor
_Toc39234185
_Toc39234185
Design

The following components will be incorporated as part of the overall design and intended to work in conjunction to provide a stable authentication and user management platform.

Anchor
_Toc39234187
_Toc39234187
Architecture Diagram

Image Added

Anchor
_Toc39234188
_Toc39234188
Sequence Diagrams

Anchor
_Toc39234189
_Toc39234189
Login

Image Added

Step

Details

Clarity PPM Deeplink or Home Page

End User initiated navigation by using:

  • A deeplink generated URL
  • Navigating to a Clarity URL

SSO Redirect Request

  • NSA SSO settings and Login URL, redirect the End User's request to Callback.jsp

Callback.jsp – Missing Session/Error

  • Callback.jsp hosted file in Clarity PPM executes the Missing Session/Error Routine
  • If no errors are detected, will continue to next step

Cognito Redirection

  • Cognito Login URL is generated and redirected
  • End User is prompted with Cognito's hosted Login UI

User Login

  • End User provides valid credentials

Callback.jsp – OAUTH CODE

  • End User is redirected to Callback.jsp with a valid CODE

OAUTH2 Token/User Validation

  • Clarity PPM Cognito Service exchanges CODE for a valid OAUTH2 Token
  • Validates the Token and User Information, if valid it will continue to next step

Clarity Web Session Request

  • Clarity PPM Cognito Service requests a Clarity PPM Web Session using OOTB libraries
  • If a Web Session is obtained, it will continue to next step

Home Page/Deep Link Redirect Request

  • Clarity PPM provides a redirect request

Clarity UI Access

  • End User successfully navigates the redirect request to Clarity PPM UI

Anchor
_Toc39234190
_Toc39234190
Federated Account Merge

When using federated providers, Cognito requires the identities to be merged, otherwise multiple accounts will be created and not kept in sync accordingly. The sequence below illustrates first time access.
Image Added

Step

Details

Clarity PPM Deeplink or Home Page

End User initiated navigation by using:

  • A deeplink generated URL
  • Navigating to a Clarity URL

SSO Redirect Request

  • NSA SSO settings and Login URL, redirect the End User's request to Callback.jsp

Callback.jsp – Missing Session/Error

  • Callback.jsp hosted file in Clarity PPM executes the Missing Session/Error Routine
  • If no errors are detected, will continue to next step

Cognito Redirection

  • Cognito Login URL is generated and redirected
  • End User is prompted with Cognito's hosted Login UI

Authorize URL

  • The request is redirected to Coginto's Login Authorize URL, dedicated to external providers

SAML Request Redirect

  • The SAML request from the external IdP is exchanged with Cognito

SSO Login

  • User enters credentials or authenticates on the external IdP

IdP Request

  • SAML Response is provided and authentication authorized
  • In case of error, they will be redirected to callback.jsp, and error displayed

Lambda Function – Cognito PreSignUp.js

  • First time IdP login, will trigger the Lambda function to merge accounts
  • This will be considered an error, and redirect to callback.jsp with keyword SSO_MERGE_SUCCESSFUL

SAML Response

  • This will be considered an error, and redirect to callback.jsp with keyword SSO_MERGE_SUCCESSFUL

Callback.jsp – Merged Account

  • Callback.jsp will provide the message defined in the properties file:
    cognito.sso.mergedAccount


Anchor
_Toc39234191
_Toc39234191
Federated Login

Image Added

Step

Details

Clarity PPM Deeplink or Home Page

End User initiated navigation by using:

  • A deeplink generated URL
  • Navigating to a Clarity URL

SSO Redirect Request

  • NSA SSO settings and Login URL, redirect the End User's request to Callback.jsp

Callback.jsp – Missing Session/Error

  • Callback.jsp hosted file in Clarity PPM executes the Missing Session/Error Routine
  • If no errors are detected, will continue to next step

Cognito Redirection

  • Cognito Login URL is generated and redirected
  • End User is prompted with Cognito's hosted Login UI

Authorize URL

  • The request is redirected to Coginto's Login Authorize URL, dedicated to external providers

SAML Request Redirect

  • The SAML request from the external IdP is exchanged with Cognito

SSO Login

  • User enters credentials or authenticates on the external IdP

IdP Request

  • SAML Response is provided and authentication authorized
  • In case of error, they will be redirected to callback.jsp, and error displayed

SAML Response

  • Authentication is completed, and will be forwarded to callback.jsp for OAUTH2 validations
  • In case of error, they will be redirected to callback.jsp, and error displayed

Callback.jsp – OAUTH CODE

  • End User is redirected to Callback.jsp with a valid CODE

OAUTH2 Token/User Validation

  • Clarity PPM Cognito Service exchanges CODE for a valid OAUTH2 Token
  • Validates the Token and User Information, if valid it will continue to next step

Clarity Web Session Request

  • Clarity PPM Cognito Service requests a Clarity PPM Web Session using OOTB libraries
  • If a Web Session is obtained, it will continue to next step

Home Page/Deep Link Redirect Request

  • Clarity PPM provides a redirect request

Clarity UI Access

  • End User successfully navigates the redirect request to Clarity PPM UI


Anchor
_Toc39234192
_Toc39234192
Logout

Image Added

Step

Details

Initiates Logout

  • End User clicks on the "Logout" option
  • End User's session times out

Logout.jsp Redirect

  • The redirection request is sent to the End User's client

Logout.jsp

  • Logout.jsp loads and terminates the Clarity PPM session

Redirect Cognito Logout

  • End User is redirected to Cognito's /logout endpoint
  • Cognito's session is handled as per Cognito's configuration

Redirect to Login

  • The user is redirected to either the Cognito Login Screen
    or to their IdP

Login Page

  • Login page is reached, any future attempts will execute sequences 5.3.1 or 5.3.3


Anchor
_Toc39234193
_Toc39234193
Model Diagrams

Anchor
_Toc39234194
_Toc39234194
Clarity PPM Cognito Service – Callback.jsp

Image Added
Notes:

  • All errors are logged to Clarity's app-system.log file
  • All errors except missing token will be redirected to callback.jsp and display an error message.

All error messages are configured on the cognito.properties file

  • All properties from the cognito.properties file will be formatted as italic


Step

Details

Validate Existing Cookie

  • Validate if an existing cookie is present, and with a sessionId value

Read Properties File Details

  • Reads the JVM argument com.rego.awscognito.configProperties if present it continues to the next step


    Exceptions thrown:
  • If JVM argument is not present, the error page will be displayed, with error message: "Configuration properties path not defined"

Load Properties

Exceptions thrown:

  • If cognito.properties is not present the error page will be displayed, with error message: "Configuration properties file not found"

Validate Request Parameters

  • Validates if the URL contains the following query strings:
    • code: OAUTH2 code provided by Cognito to exchange for OAUTH2 tokens
    • state: encoded URL to be redirected, used for deeplinks and redirection


      Exceptions thrown:
  • If code is not provided, it will read the property cognito.token.error_uri and redirect to the corresponding URL for authentication

Request OAUTH2 Token

  • The code will be exchanged for an OAUTH2 token, including:
    • id_token
    • access_token
    • refresh_token
  • For this request to occur the following properties will be used for the request:
    • cognito.token.url
    • cognito.token.client_id
    • cognito.token.client_secret
    • cognito.token.grant_type
    • cognito.token.client_id
    • cognito.token.redirect_uri


  • Request

Method

POST

URL

<cognito.token.url>

Basic Authentication

<cognito.token.client_id>:<cognito.token.client_secret>

Query String Parameters

Key

Value

grant_type

<cognito.token.grant_type>

client_id

<cognito.token.client_id>

code

<OAUTH CODE>

redirect_uri

<cognito.token.redirect_uri>


Exceptions thrown:

  • When response code is other than 200, the error page will be displayed and the message for property: cognito.validation.invalidCode
  • If response does not contain an id_token or access token, the error page will be displayed and the message for property:
    cognito.validation.tokenIsNotPresent|

    User Info Request

    • A request will be performed to obtain the user information through Cognito. For this request to occur the following properties will be used for the request:
    • cognito.userinfo.url


  • Request

    Method

    GET

    URL

    <cognito.userinfo.url>

    Basic Authentication

    <access_token>

    Response

    JSON Attribute

    email_verified

    email

    username


    Exceptions thrown:
  • When response code is other than 200, the error page will be displayed and the message for property: cognito.validation.invalidToken
  • When response does not contain: email_verified, email or username:

    cognito.userinfo.http_error_message
  • When email_verified is not equal to true:
    Cognito.userinfo.http_error_message|

    JWT JSON Signature Validation

    • It validates the JWT token, to ensure it:
    • Has a valid RSA signature by comparing against the file downloaded to path: cognito.jwks.filePath
    • The following values are extracted from the id_token:
      • cognito:username
      • email
      • cognito:groups


        Exceptions thrown:
  • When the values for username or email do not match with the response from UserInfo:

    cognito.validation.tokenDataDifferences
  • When the JWT Token validation is invalid or unable to download the key for validation:
    cognito.validation.invalitJWTToken|

    Group Validation

    • Once all validations are passed, the id_token must have the proper groups assigned. Each environment will store a group on the properties file and be validated against the value on property:

      cognito.userInfo.allowed_group

      Exceptions thrown:
  • When the user is does not have any of the allowed groups:

    cognito.validation.userIsNotMemberOfGroup
  • When the JWT Token validation is invalid or unable to download the key for validation:
    cognito.validation.invalitJWTToken|

    WebSession Request

    • The Clarity PPM WebSession class is invoked by passing the email provided on the id_token
  • If a session is successfully granted it will continue to next step
  • Otherwise Clarity PPM will handle the errors accordingly|

    URL Redirect

    • The user will be redirected in the following order:
    • To the state variable, as long as it matches a relative URL or contains the same hostname as the callback.jsp request
    • To the property: cognito.url.home|

      Anchor
      _Toc39234195
      _Toc39234195
      Clarity PPM Cognito Service – Logout.jsp

      Image Added
      Notes:
  • All errors are logged to Clarity's app-system.log file


Step

Details

Validate Request

  • Logout.jsp is reached, the request is validated to ensure a valid websession exists

Read Properties File Details

  • Reads the JVM argument com.rego.awscognito.configProperties if present it continues to the next step


    Exceptions thrown:
  • If JVM argument is not present, the error page will be displayed, with error message: "Configuration properties path not defined"

Load Properties

  • Exceptions thrown:
    If cognito.properties is not present the error page will be displayed, with error message: "Configuration properties file not found"

Build Logout URL

  • Logout URL is generated using property:
    cognito.url.logout

Redirect Logout URL

  • The End User's client is redirected to the corresponding logout URL

Anchor
_Toc39234196
_Toc39234196
Cognito User Sync Job

Refer to Cognito Sync Job v2.docxAt some point we might want to merge both documents, pending feedback


Anchor
_Toc39234197
_Toc39234197
Deployment

Anchor
_Toc39234198
_Toc39234198
Component Description

Owner

Component

Description

Clarity PPM

web.xml

/webroot/WEB-INF/web.xml
Clarity PPM Tomcat custom filters, modified to allow callback.jsp and logout.jsp to be accessed without a valid session

/webroot/cappm/WEB-INF/web.xml
Will be used to handle REST API with custom SSO

/tomcat-app-deploy/webapps/pm/WEB-INF/web.xml
/tomcat-app-deploy/webapps/pm.war/WEB-INF/web.xml
Will be used for pre-15.8 versions to handle the session timeout

Clarity PPM

properties.xml

Clarity PPM Properties file modified to:

  • Enable SSO
  • Include JVM Arguments
  • Configure SSO Error and Logout URLs

Clarity PPM Cognito Service

callback.jsp

JSP file that manages the Login sequence for Clarity PPM Cognito Service

Clarity PPM Cognito Service

logout.jsp

JSP file that manages the Logout sequence for Clarity PPM Cognito Service

Clarity PPM Cognito Service

cognito.properties

Plain text properties file used throughout the Clarity PPM Cognito Service and Cognito User Sync Job

Clarity PPM Cognito Service

jwks.json

Well known JWKS RSA signature downloaded from the Cognito webservice to validate the JWT Token

Clarity PPM Cognito Service

rego-aws-cognito-commons-<version>.jar

Clarity PPM Cognito Service Common Library

Cognito User Sync Job

aws-java-sdk-<version>

Complied AWS SDK

Cognito User Sync Job

rego-aws-cognito-sync-<version>.jar

Cognito User Sync Common Library

Lambda

Cognito-PreSignUp

Pre-Sign Up Trigger to avoid auto identity Provider account creation to ensure only Cognito User Sync Job creates accounts


Anchor
_Toc39234199
_Toc39234199
Clarity PPM Cognito Service

The following steps are intended to be automated by the AWS Architecture, as per section: 7, only the cognito.properties will be modified on a per environment basis. Be aware all services must be stopped before performing this changes and started afterwards accordingly.
Clarity Configuration

  1. Login to the corresponding environment compute instances and navigate to <Clarity Home>
  2. Upload the file: rego-aws-cognito-commons-1.0.0.jar to <Clarity Home>/customlib
  3. Upload the files: callback.jsp, logout.jsp to <Clarity Home>/webroot
  4. Upload the file: cognito.properties to <Clarity Home>/config

Note: For additional details on the content of the file review section: 7.3

  1. Navigate to <Clarity Home>/config and open the file properties.xml with a text editor.

Note: these changes can be done through CSA, but for automation purposes the file will be modified directly.

XPath

properties/applicationServer/applicationServerInstance/@jvmParameters

Description

Stores the path to the cognito.properties file

Comments

Sample:
-Dcom.rego.awscognito.configProperties=F:\CA\Clarity\config\cognito.properties



XPath

properties/applicationServer/@useSSO

Description

Enables Clarity PPM for SSO

Comments

Must be set to: true


XPath

properties/applicationServer/@externalUrl

Description

Defines the deeplink configuration to be used by OOTB notifications.

Comments

Must be sent to the callback.jsp, and provide the encoded URL

Sample:
https://clarity.eastus.regodev.com/niku/callback.jsp?state=
encode(replace(/niku/nu#action:,/niku/app?action=,${entryurl}))


XPath

properties/sso/@errorURL

Description

Defines the login URL when a session error or no valid session is found. Pointing to the callback.jsp

Comments

Must be set to:
https://<Clarity PPM Public DNS>/niku/callback.jsp


XPath

Properties/sso/@logoutURL

Description

Defines the logout URL, pointing to the logout.jsp

Comments

Must be set to:
https://<Clarity PPM Public DNS>/niku/logout.jsp


XPath

Properties/sso/@tokenName

Description

Defines the token name for Clarity PPM traditional SSO method

Comments

Must be set to empty


Web Filter Configuration

  1. Navigate to <Clarity Home>/webroot/WEB-INF, and open the file web.xml with a text editor.
  2. Modify the filter "com.niku.union.web.filter.ClarityContentFilter" to include the callback.jsp and logout.jsp file names separated by comma as shown in the image below

Image Added

  1. Navigate to webroot/cappm/WEB-INF/web.xml, look for filter: RestAuthenticationFilter
  2. Modify the "filter-class", and set the value to:

com.rego.awscognito.commons.security.RegoAuthenticationFilter

Pre 15.8 Web Filter Configuration
Note: The following must only be applied on versions prior to 15.8 this is no longer required, as the login page on timeout is no longer displayed.

  1. Navigate to tomcat-app-deploy/webapps/
  2. Under this folder structure there are 2 web.xml files present:
    1. pm.war/WEB-INF/web.xml
    2. pm/WEB-INF/web.xml


  1. Both files must be modified as follows:
    1. On the filters section add the following filter, as the first filter:

      <filter>
      <description>Rego SSO Redirect Filter</description>
      <display-name>Rego SSO Redirect Filter</display-name>
      <filter-name>RegoSSORedirectFilter</filter-name>
      <filter-class>com.rego.awscognito.commons.security.RegoSSORedirectFilter</filter-class>
      <init-param>
      <param-name>monitoredPaths</param-name>
      <param-value>/pm</param-value>
      </init-param>
      <init-param>
      <param-name>callbackURL</param-name>
      <param-value>/niku/callback.jsp</param-value>
      </init-param>
      <init-param>
      <param-name>stateURLParameter</param-name>
      <param-value>state</param-value>
      </init-param>
      <init-param>
      <param-name>pmLoginURL</param-name>
      <param-value>/pm/js/core/login/login.html</param-value>
      </init-param>
      </filter>


  2. Add the filter mapping below, above the mapping for: httpHeaderSecurityFilter


<filter-mapping>
<filter-name>RegoSSORedirectFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>


Anchor
_Toc39234200
_Toc39234200
Cognito User Sync Job

Refer to Cognito Sync Job v2.docxAt some point we might want to merge both documents, pending feedback

Anchor
_Toc39234201
_Toc39234201
Cognito-PreSignUp

In order to avoid self-service, sign up based off Identity providers, the function below is intended to:

  • Intercept a new Provider account
  • Disable automatic account creation
  • Identify an existing account
  • Attempt and reply with an AWS Cognito Account merge


The function will generate a Cloudwatch log, the following messages can be parsed for monitoring:Pending overall AWS architecture

  • GET_USER_ERROR
  • MERGE_ERROR
  • INVALID_PROVIDER


To deploy create a lambda function per user pool, named: <Organization Name>-SSO-Cognito-PreSignUp, and modify rows 2 and 3 to set:

  • <Region ID>: The region on which the service is located
  • <Pool ID>: The pool ID corresponding to the Organization


const AWS = require("aws-sdk");
const region = "<Region ID>";
const poolID = "<Pool ID> ";
const providerName = "SSO";

…….continued in code repository


Anchor
_Toc39234202
_Toc39234202
Configuration

Anchor
_Toc39234203
_Toc39234203
Cognito

Anchor
_Toc39234204
_Toc39234204
DNS SetupPending overall AWS Architecture


Anchor
_Toc39234205
_Toc39234205
SES SetupPending overall AWS Architecture


Anchor
_Toc39234206
_Toc39234206
Cognito - User Pool Setup

The sections below are intended to provide a detailed explanation and naming convention to setup a User Pool. User Pools will be distributed across the following regions, and are intended to be a 1 to 1 mapping of a Customer to User Pools
*Regions*Pending overall AWS Architecture

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


Naming Convention

  • <Company Name>: the customer's legal entity name
  • <AWS Region>: The AWS region where Cognito is hosted
  • <Service>: Application being served through Cognito, by default it is "ClarityPPM"
  • <Clarity URL>: The clarity hostname in format <protocol>://<hostname>:<port>/


User Pool Creation

  • User Pool Name: <Company Name>

Users and groups

  • One group per environment should be created following the syntax below:

    Group Name

    Tier

    <Company Name>-<Service>-PROD

    Production

    <Company Name>-<Service>-TEST

    Test

    <Company Name>-<Service>-DEV

    Development


    Attributes

  • The following attribute setup must be provided, all customers are required to set the Clarity PPM usernames to match email addresses.

    Setting

    Value

    Username Mapping

    • Option below must be checked

      Image Added

    Case Insensitivity

    • Must be checked
      Image Added

    Required Attributes

    • The following attribute(s) must be checked:
    • email|

      Policies

  • The following policies must be set to provide:
    • A strong password requirement
    • Disable any type of self-service accounts
    • Properly handle first time passwords

Image Added

MFA and verifications

  • The following applies for customers using Cognito's login screen, and not an external IdP:
    • MFA can be Optional or Required
    • Password recovery and attribute verification must be set as follows:

Image Added

  • SMS Message Role NamePending overall AWS architecture

Advanced Security

  • Advanced security must be set up for: Audit Only
  • All monitoring and advanced security metrics will be audited via AWS Cloudwatch
  • The following monitors will be configured for alerting:Pending overall AWS architecture

Message customizations

  • SES Configuration:Pending overall AWS architecture
  • Verification Messages

Image Added

TagsPending overall AWS architecture

Devices

  • This functionality will be disabled, as security is managed of Server to Cognito communication for OAUTH

Image Added

App clients

  • App client naming convention: <Company Name>-<Service>
  • Refresh token and enabled flows

Image Added

Triggers

  • Pre-Sign-Up script must be set to the corresponding lambda function.

Refer to section 6.4

Analytics

  • N/A

App client settings

  • App client must be enabled for all identity providers on a given pool.
  • Callback URL must be set to:

<Clarity URL>/niku/callback.jsp

  • Sign out URL must be set to:

<Clarity URL>/niku/logout.jsp

Domain namePending overall AWS Architecture

UI CustomizationPending to define Moventus color scheme and identity

Resource servers

  • N/A

Identity providers

  • Only the following Identity providers are supported:
    • OpenID Connect
    • SAML
  • Only one identity provider per user pool is supported and must be named: SSO
  • All providers must enable: Enable IdP sign out flow

Attribute mapping

  • A mapping is required for Email, the provider attribute will depend on the provider and must be provided by the customer.
  • The Provider's NameID will be used as the identifier and must match Cognito's and Clarity PPM's username.

Anchor
_Toc39234207
_Toc39234207
Clarity PPM Cognito Service

The properties below are intended to be standardized across all environments and only those related to user pool or customer preferences to be modified. Below a sample properties file and brief description of each property.
Image Added

Anchor
_Toc39234208
_Toc39234208
Cognito User Sync Job

Refer to Cognito Sync Job v2.docxAt some point we might want to merge both documents, pending feedback

Anchor
_Toc39234209
_Toc39234209
Appendix

Anchor
_Toc39234210
_Toc39234210
Technical FAQ

Q: Do we support Deeplinks?
A: Yes, callback.jsp supports relative or full URLs to be passed as an encoded query string, using variable STATE
Q: Are bookmarks supported?
A: Yes, but due to Clarity PPM limitations, if End User does not have a session open
Q: Do we support OWB/MSP?
A: Yes, but they need to use the Scheduler links inside of Clarity PPM, for the file to include a session ID
Q: What will happen when a session time out is triggered?
A: It will follow the Logout.jsp flow
Q: Do we support Clarity PPM Mobile?
A: Yes, they will need to select "Use SSO" and use the URL ending in callback.jsp
Q: What external providers do we support and what is required for SAML?
A: Most common ones are OpenID and SAML. In additional Cognito supports multiple, well known social services.
For SAML, we require the Metadata XML, and a valid mapping for NameID that will match Cognito's User Name.



Anchor
_Toc39234211
_Toc39234211
Helpful Links

Name

Link

Github

https://github.com/Moventus-com/rego-aws-cognito

*Sample Checklists and documents*Pending Moventus Repo

 


Anchor
_Toc39234212
_Toc39234212
Customer Commonly Asked Questions

  1. Our organization currently uses a job/process from Clarity PPM to the CA On-Demand Portal. How will this process work in the new environment?

Anchor
_headingh.1fob9te
Answer: Users are managed by using the Resources page in Clarity PPM or by XOG. Clarity PPM includes the new job to synchronize users from Clarity to AWS Cognito.

  1. Our organization uses the On-Demand portal to process the AD file and process new non-licensed users and agency users that would bypass the portal. How will this be supported?

Answer: In the new service, Administrators can manage (create, update, and delete) licensed users directly within Clarity PPM. Administrators can work with Rego to configure licensed users to access Clarity PPM.

  1. Our partners do not have a user account with our organization. Can they still work in Clarity PPM?

Answer: Yes, the AWS Cognito service will sync all user names, it doesn't have domain or email specific requirements.

  1. We currently use the ODUM tool to provision users into Clarity PPM via the portal. How will we do this in the new environment?


Answer: Clarity PPM administrators can use the XOG utility to make bulk changes to users.

  1. What data will AWS Cognito Store?

Answer: AWS Cognito will store:

    • User details:
      • User name
      • Email address
      • First name
      • Last name
      • Password (Encrypted)

Monitoring RecommendationsPending overall AWS Architecture


Anchor
_Toc39234213
_Toc39234213
Error Codes

The below error codes are logged as per details below, appearance of any of these key words will indicate an issue has occurred.

Component

Location

Keywords

Lambda Function

Cloud Watch Logs

  • GET_USER_ERROR
  • MERGE_ERROR
  • INVALID_PROVIDER

Clarity PPM Cognito Service

<Clarity Home>/logs/app-system.log

Info message prefixes:

  • JWKS_FILE: Related with JWKS file processing
  • SESSION_CREATED: When a session was successfully created
  • SESSION_INVALIDATED: When a session was successfully invalidated
  • SESSION_COOKIE: Related to session cookie verification
  • VALIDATION_SUCCESSFUL: Related to validation steps that are overcome
  • VALIDATION_ERROR: Related to validation steps that are NOT overcome

    Error message prefixes:
  • INVALID_CONFIG_PARAMS: When an error has occurred reading or processing the configuration properties file
  • UNSUCCESSFUL_SESSION: When a session could not be created
  • INVALID_URL: When a URL is not allowed due to its content, host or format
  • INVALID_TOKEN_INFO_RESPONSE: Used when getting wrong response from AWS Cognito services for TOKEN_INFO
  • INVALID_USER_INFO_RESPONSE: Used when getting wrong response from AWS Cognito services for USER_INFO
  • INVALID_TOKEN: Used to indicate a validation error (Structure, signature, content o validity) of the JWT Token
  • UNEXPECTED_ERROR: Used when any other unexpected error condition occurs