Serverless Managed Identity and Authorisation for SLA Reporting

David Banks, 27 August 2021

Country: Australia

The Scenario

A state government agency operates a portal to display SLA reporting to its industry partners.

The public-facing portal required a robust security solution providing authentication and authorisation. The users of this system come from both external parties and the customers’ own staff.

A key focus of the solution was to leverage fully managed services as much as possible for the storage and operation of an identity store, so that it can be proactively maintained and protected from abuse.

Advanced features like Multi-Factor authentication, credential reset workflows, and more, were required to ensure the solution for identity was as self-service as possible for the end user, and not adding additional administrative burden to the application management team.

Akkodis architected, implemented and manages the solution for our customer as a Managed Services Provider. The solution was implemented in early 2021.

The Solution

Akkodis leveraged Amazon Cognito, providing both a local user pool for external parties and SAML federation back to Active Directory Federation server to our customer’s Active Directory Domain.

With the application deployed into a modern web server, it established a trust relationship to the Cognito Identity Provider, thus resting the responsibility for all authentication into one fully-managed solution.

Here is how the solution works:

  1. The viewer’s web browser is redirected to Amazon Cognito custom UI page to sign up and authenticate.
  2. After authentication, Cognito generates and cryptographically signs a JWT then responds with a redirect containing the JWT embedded in the URL.
  3. The viewer’s web browser extracts JWT from the URL and makes a request to private content (private/* path), adding Authorization request header with JWT.
  4. Amazon CloudFront routes the request to the nearest AWS edge location. The CloudFront distribution’s private behaviour is configured to launch a Lambda@Edge function on ViewerRequest event.
  5. Lambda@Edge decodes the JWT and checks if the user belongs to the correct Cognito User Pool. It also verifies the cryptographic signature using the public RSA key for Cognito User Pool. Crypto verification ensures that JWT was created by the trusted party.
  6. After passing all of the verification steps, Lambda@Edge strips out the Authorization header and allows the request to pass through to designated origin for CloudFront. In this case, the origin is the private content Amazon S3 bucket.
  7. After receiving response from the origin S3 bucket, a JSON. CloudFront sends the response back to the browser. The browser displays the data from the returned JSON file. The JSON file is then read and then looped through retrieving Image files listed within the JSON. As the Image cannot be directly accessed the files are converted to dynamic images that are then displayed. These new images are only valid for this browser session.

The Outcome

As the configured solution leveraged fully managed services, the responsibility and effort to perform critical security patching to these components is done for our customer without them needing to take any action themselves.

Furthermore, the scalability of the solution matches the usage pattern. As a Serverless pattern, the cost is also minimal. There are no operating systems to license, patch or upgrade over time, further reducing the TCO of the solution.

This then frees up the Akkodis manage services teams to concentrate on the business logic, metrics and observability of the system.