Skip to main content
Version: 8.1

Single Sign-On via Cognito AWS

Creatio can be integrated with any identity provider that supports the Open ID protocol. You can use Cognito AWS portal as a single sign-on point for all your services, including Creatio. To do this, perform he setup both in Cognito AWS and Creatio.

The following steps are the general procedure required to set up Single Sign-On in Creatio:

  1. Sign up for Cognito AWS.
  2. Perform the setup in Cognito AWS. Read more >>>
  3. Perform the setup in Creatio. Read more >>>

Perform the setup in Cognito AWS

  1. Sign in to Aws.Amazon as root user.

  2. Click App client listCreate app client.

  3. Enter "Creatio" in the App client list field.

  4. Click Client secretGenerate a client secret.

  5. Enter [CreatioURL]/ServiceModel/AuthService.svc/OpenIdCallback in Allowed callback URLs where [CreatioURL] is the URL of your Creatio instance.

  6. Enter [CreatioURL]/ServiceModel/AuthService.svc/OpenIdLogoutCallback in Allowed sign-out URLs where [CreatioURL] is the URL of your Creatio instance.

  7. Select Email, OpenId, Phone, Profile in the OpenID Connect scopes block.

    Fig. 1 OpenID Connect scopes block
    Fig. 1 OpenID Connect scopes block
  8. Click Create app client.

  9. Save the following data from Cognito AWS console to your machine:

Parameter

Parameter Value

Client ID

The ID of the client. Consists of 26 letters and digits. To find this value, open the App integration section → App client list.

Client Secret

The secret of the client. Consists of 52 letters and digits. To find this value, open the App integration section → App clients and analytics block → click the name of your application.

User pool ID

The pool ID of the User. View the value in the settings of a specific user pool.

Region

The region of the user. Matches the "Region" parameter in the "User pool ID" value. For example, User pool ID = cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789, where us-east-1 is the required region. Learn more in Cognito documentation.

Perform the setup in Creatio

note

If you use Creatio in the cloud, the Open ID authorization is enabled out of the box.

To evaluate Open ID authorization in Creatio on-site, enable the "EnableOpenIDAuth" additional feature. Instructions: Change the status of an additional feature for all users (developer documentation).

Follow these steps to configure single sign-on in Creatio:

  1. Click the button to open the System Designer.
  2. Click Single Sign On configuration.
  3. Click . This opens a drop-down menu.
  4. Select "Cognito AWS." This opens the setup page.
  5. Fill out the following parameters:

Parameter

Parameter Value

Client ID

The ID of the client. Consists of 26 letters and digits. To find this value, retrieve it from Cognito AWS in the Client ID parameter.

Client Secret

The secret of the client. Consists of 52 letters and digits. To find this value, retrieve it from CognitoAWS in the Client secret parameter.

URL

The URL of your provider’s website. The URL template is as follows https://[userPoolId].auth.[Region].amazoncognito.com. [Region] and [UserPoolId] are "Region" and "User pool ID" values retrieved from Cognito AWS console, respectively.

Discovery URL

The URL of the identity provider’s single sign-on. The URL template looks like https://cognito-idp.[region].amazonaws.com/[userPoolId]/.well-known/openid-configuration. [Region] and [UserPoolId] are "Region" and "User pool ID" values retrieved from Cognito AWS console, respectively.

End session endpoint

The URL of the identity provider’s single sign-off. The URL template is as follows https://[userPoolId].auth.[region].amazoncognito.com/logout?client_id={client_id}&logout_uri={redirect_uri}&state={state}. [Region] and [UserPoolId] are "Region" and "User pool ID" values retrieved from Cognito AWS console, respectively.

  1. Fill out the provider name to display on the Creatio login page in the Display name field.

  2. Save the changes.

  3. Turn on Just-In-Time Provisioning (optional). This mechanism automatically creates the corresponding Creatio user account with data from the identity provider, such as user group, employee name, contact information, etc. For company employees, select the Create and update company employees data when log in (Just-In-Time Provisioning) checkbox and map the fields. For external users, select the Create and update external users data when log in (Just-In-Time Provisioning) checkbox and map the fields (Fig. 2).

    Fig. 2 Set up Just-In-Time Provisioning
    Fig. 2 Set up Just-In-Time Provisioning

Set up SSO authentication for Mobile Creatio

Mobile Creatio lets you log in using the Single Sign-On technology. To set up SSO authentication for Mobile Creatio, turn on the "Use SSO in the mobile app" ("MobileUseSSO" code) system setting.

If the SSO authentication for Mobile Creatio is turned on, the app displays an identity provider page that includes the login and password fields.


See also

Single Sign-On via ADFS

Just-In-Time User Provisioning