Authentication setup for in-kind data sharing

We are finalising our (University of Auckland) pipeline for sharing survey data as our in-kind contribution, and we would like to confirm that our authentication configuration is compatible.

Broadly, our workflow is:

  1. User initiates login via AWS Cognito hosted UI.
  2. Cognito federates authentication to the external IdP (Rubin / Gafaelfawr).
  3. Rubin IdP will further delegate to CILogon to authenticate the user against their institutional credentials.
  4. After successful authentication, Cognito issues JWTs to the user.

We would appreciate feedback about this. Thank you.
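The Cognito side of the workflow above rests on two things being right: the external IdP's OIDC discovery document must carry what Cognito needs to federate to it, and the JWTs Cognito issues afterwards must be checked before anyone trusts them. The following Python is an added example (not code from this thread, from Gafaelfawr or from AWS) that performs both checks offline against constructed sample data; the issuer URL, pool id, app client id and federated provider name are placeholders. It deliberately stops short of signature verification, which must be done with a JOSE library against the `jwks_uri` before any of these claim checks mean anything.

```python
"""Pre-flight checks for an AWS Cognito -> external OIDC IdP federation.

Added example, not code from the forum thread or from Gafaelfawr/Cognito.
  1. check_discovery: does the external IdP's discovery document advertise
     what an OIDC relying party (Cognito's federation feature) needs?
  2. validate_id_token_claims: do the claims of a Cognito-issued ID token
     look right (issuer, audience, token_use, expiry, federated origin)?
Signature verification is out of scope here; do it against jwks_uri first.
"""
import json
import time

# Constructed sample: a discovery document as served by the external IdP
# at a placeholder URL (real Gafaelfawr endpoints may differ).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.org",
  "authorization_endpoint": "https://idp.example.org/auth/openid/login",
  "token_endpoint": "https://idp.example.org/auth/openid/token",
  "userinfo_endpoint": "https://idp.example.org/auth/openid/userinfo",
  "jwks_uri": "https://idp.example.org/.well-known/jwks.json",
  "response_types_supported": ["code"],
  "scopes_supported": ["openid", "profile", "email"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")


def check_discovery(doc, expected_issuer):
    """Return a list of problems; an empty list means the document looks
    usable by an OIDC relying party such as Cognito."""
    problems = []
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif not url.startswith("https://"):
            problems.append(f"{key} is not https: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 id_token signing not advertised")
    # scopes_supported is optional in discovery; only complain if present
    # and missing "openid".
    if "openid" not in doc.get("scopes_supported", ["openid"]):
        problems.append("openid scope not advertised")
    return problems


# Constructed sample: the payload of an ID token Cognito issues after a
# federated login. Claim names follow Cognito's documented ID token claims;
# every value below is a placeholder.
SAMPLE_ID_TOKEN_PAYLOAD = {
    "iss": "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_EXAMPLE",
    "aud": "example-app-client-id",
    "token_use": "id",
    "sub": "11111111-2222-3333-4444-555555555555",
    "iat": 1_700_000_000,
    "exp": 1_700_000_000 + 3600,
    "identities": [{"providerName": "RubinGafaelfawr",
                    "providerType": "OIDC",
                    "userId": "someuser"}],
}


def validate_id_token_claims(payload, issuer, client_id, expected_provider,
                             now=None):
    """Claim checks to run AFTER the RS256 signature has been verified
    against Cognito's jwks_uri. Returns a list of problems."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != issuer:
        problems.append("unexpected issuer")
    # For Cognito ID tokens "aud" is the app client id (access tokens use
    # "client_id" instead, which is why token_use is checked as well).
    if payload.get("aud") != client_id:
        problems.append("audience is not our app client")
    if payload.get("token_use") != "id":
        problems.append("token is not an ID token")
    if payload.get("exp", 0) <= now:
        problems.append("token expired")
    providers = {i.get("providerName") for i in payload.get("identities", [])}
    if expected_provider not in providers:
        problems.append("user did not arrive via the expected federated IdP")
    return problems


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY, "https://idp.example.org"))
    print(validate_id_token_claims(SAMPLE_ID_TOKEN_PAYLOAD,
                                   SAMPLE_ID_TOKEN_PAYLOAD["iss"],
                                   "example-app-client-id",
                                   "RubinGafaelfawr"))
```

In practice `SAMPLE_DISCOVERY` would be fetched from `<issuer>/.well-known/openid-configuration` of the real IdP, and the payload would come from a library that has already verified the signature; returning a list of problems rather than a boolean makes the pre-flight report readable when several things are wrong at once.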

Thanks @pcowan. @rra, can you confirm that this workflow will work from the Rubin side?

So I am afraid we don’t have any experience with AWS Cognito or how you are using it, so I can’t give you a definitive answer. On the face of it, it seems to support OIDC, and Gafaelfawr is an OIDC provider (see DMTN-253), so it seems a plausible plan, but you would have to try it to be sure.

Thank you, @rra and @knutago. We’ll proceed with this setup and hope for the best.