Cognito Shibboleth integration

[briri]

Investigate using Cognito to integrate with identity providers. This would be a future replacement to use hosting our own Shibboleth SP. If we do not use Cognito we will need to host a ShibSP somewhere.

https://shibboleth.atlassian.net/wiki/spaces/KB/pages/1429930512/AmazonCognito

Pros

• Removes Apache
• can control access to AWS resources via user pool/IAM?
• Cognito identity pool ids could be used to allow users to call openSearch (directly from the React UI instead of transiting through the Rails app). It could, if we structure the indices properly, also facilitate fine grained access to openSearch records (e.g. only allowing the user to search their Org's content)

Cons

• still need to manage InCommon metadata as we will continue as a federated SP to connect with IdPs
• may not support non-federated institutions as well (need more research on this)
• less visibility into backend which may negatively impact troubleshooting

This will need to be a 2 phase process.

• 1st: Test the validity of using Cognito as a replacement for hosting a Shibboleth Service Provider (SP)

  • Figure out how to handle/replace the discovery service (how will user's select their SSO provider?)
  • Generate SAML SP metadata see this tool and send to UCOP
  • Add UCOP IdP EntityID to the Org record in Dynamo
  • Test

• 2nd: Setup InCommon (Assuming that the 1st phase worked and we want to pursue this route AND that we have a domain name)

  • Register the new system with InCommon
  • Test

[briri]

We are sticking with Shibboleth SP