Investigate using Cognito to integrate with identity providers. This would be a future replacement for hosting our own Shibboleth SP. If we do not use Cognito, we will need to host a ShibSP somewhere.
Pros
Can we control access to AWS resources via the user pool / IAM?
Cognito identity pool IDs could be used to allow users to call OpenSearch directly from the React UI instead of transiting through the Rails app. If we structure the indices properly, it could also facilitate fine-grained access to OpenSearch records (e.g. only allowing a user to search their Org's content).
Cons
Still need to manage InCommon metadata, as we will continue as a federated SP connecting to IdPs.
May not support non-federated institutions as well (needs more research).
Less visibility into the backend, which may negatively impact troubleshooting.
This will need to be a two-phase process.
1st: Test the validity of using Cognito as a replacement for hosting a Shibboleth Service Provider (SP)
Figure out how to handle or replace the discovery service (how will users select their SSO provider?)
Generate SAML SP metadata (see this tool) and send it to UCOP
Add the UCOP IdP EntityID to the Org record in Dynamo
Test
2nd: Set up InCommon (assuming that the 1st phase worked, that we want to pursue this route, AND that we have a domain name)
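An added sketch (not code from this project) of the two SP-side pieces in phase 1: the values an IdP operator needs from a Cognito-hosted SP, and a discovery-service replacement that picks the IdP from the user's Org record and sends them to the hosted UI with the provider pre-selected. The user pool id, domain, client id and Org records are constructed placeholders.

```python
"""Cognito-as-SAML-SP helper sketch (added example, constructed values).

Cognito facts relied on: the SP entity ID is 'urn:amazon:cognito:sp:<user_pool_id>',
the assertion consumer URL is 'https://<cognito-domain>/saml2/idpresponse', and the
hosted UI's /oauth2/authorize accepts an 'identity_provider' parameter that skips
the provider-selection page.
"""
from urllib.parse import urlencode

USER_POOL_ID = "us-west-2_EXAMPLE1"                              # constructed
COGNITO_DOMAIN = "example-app.auth.us-west-2.amazoncognito.com"  # constructed
CLIENT_ID = "1example23456789"                                    # constructed
REDIRECT_URI = "https://app.example.org/callback"                 # constructed; must be a registered callback

# Constructed Org records in the shape the Dynamo table is assumed to hold:
# the IdP EntityID plus the name the IdP was registered under in the user pool.
ORGS = {
    "ucop": {
        "idp_entity_id": "urn:mace:incommon:ucop.edu",  # constructed
        "cognito_provider_name": "UCOP",                 # constructed
        "email_domains": ["ucop.edu"],
    },
}


def sp_metadata_values(user_pool_id=USER_POOL_ID, domain=COGNITO_DOMAIN):
    """The two values to hand to the IdP operator in place of a ShibSP's metadata."""
    return {
        "entity_id": f"urn:amazon:cognito:sp:{user_pool_id}",
        "acs_url": f"https://{domain}/saml2/idpresponse",
    }


def find_org(email):
    """Map an e-mail domain to its Org record; None when no IdP is registered."""
    domain = email.rsplit("@", 1)[-1].lower()
    for org_id, org in ORGS.items():
        if domain in org["email_domains"]:
            return org_id, org
    return None


def authorize_url_for(email, state):
    """Discovery replacement: route the user straight to their Org's IdP."""
    found = find_org(email)
    if found is None:
        raise LookupError("no IdP registered for this email domain")
    _, org = found
    params = {
        "identity_provider": org["cognito_provider_name"],
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,  # caller-generated, checked on return to the callback
    }
    return f"https://{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"
```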
See the Shibboleth KB page on Amazon Cognito: https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1429930512/AmazonCognito