1.1 What Is Single Sign-On (SSO)?
Single Sign-On (SSO) allows users to log in once using a single set of credentials and access multiple systems without needing to re-enter their login information. In Axis, SSO simplifies user access while maintaining high security standards.
- Authentication: Confirms the identity of a user ("who you are"). This process is now handled exclusively by AWS Cognito.
- Authorization: Determines what the authenticated user can access ("what you can do"). Authorization remains managed by Axis based on user roles and permissions.
SSO in Axis integrates both AWS Cognito login and external Identity Providers (IdPs), giving users the flexibility to choose their preferred login method.
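The split described above (Cognito answers "who you are", Axis answers "what you can do") can be shown as a request check. The following is an added example and not Axis's own code: it validates the claims of a Cognito ID token (issuer, audience, `token_use`, expiry, email) and then consults an Axis-side role table. The region, user pool ID, app client ID, role mapping and the `demo_signature_check` function are constructed placeholders; in a real deployment the signature must be verified against the user pool's JWKS (RS256) with a JWT library, and that verifier is passed in as `verify_signature`.

```python
"""Added example: Cognito ID-token claim validation (authentication) followed by
Axis-managed role checks (authorization). Not Axis's own code."""
import base64
import json
import time

# Constructed placeholder identifiers; substitute the real pool and app client values.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"
# Cognito issues ID tokens with exactly this issuer URL for a given pool.
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

# Authorization stays inside Axis: a hypothetical email -> roles -> permissions mapping.
AXIS_ROLES = {"alice@example.com": {"admin", "viewer"}, "bob@example.com": {"viewer"}}
ROLE_PERMISSIONS = {"admin": {"users:write", "users:read"}, "viewer": {"users:read"}}


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticate(token: str, verify_signature, now=None) -> dict:
    """Authentication ("who you are"): return verified claims or raise ValueError.

    verify_signature(header, signing_input, signature_bytes) -> bool must check the
    RS256 signature against the key from the pool's JWKS whose kid matches header["kid"].
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    # Signature first: claims from an unverified token are attacker-controlled input.
    if not verify_signature(header, parts[0] + "." + parts[1], _b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("token was not issued by the expected user pool")
    if claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("token was issued for a different app client")
    if claims.get("token_use") != "id":
        raise ValueError("expected an ID token, not an access or refresh token")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not claims.get("email"):
        raise ValueError("email claim missing; email is the only identifier Axis accepts")
    return claims


def authorize(claims: dict, permission: str) -> bool:
    """Authorization ("what you can do"): decided by Axis roles, independent of how the user logged in."""
    roles = AXIS_ROLES.get(claims["email"], set())
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def check_request(token: str, permission: str, verify_signature, now=None) -> str:
    """Combine both steps into the decision an Axis endpoint would make."""
    try:
        claims = authenticate(token, verify_signature, now)
    except ValueError:
        return "unauthenticated"
    return "allow" if authorize(claims, permission) else "deny"


def make_demo_token(claims: dict) -> str:
    """Build a constructed token for the demo; the signature segment is a fixed dummy value."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo-kid"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + "." + _b64url_encode(b"demo-signature")


def demo_signature_check(header: dict, signing_input: str, signature: bytes) -> bool:
    """Constructed stand-in for real JWKS verification; accepts only the demo token's dummy signature."""
    return header.get("kid") == "demo-kid" and signature == b"demo-signature"


if __name__ == "__main__":
    now = time.time()
    token = make_demo_token({"iss": EXPECTED_ISSUER, "aud": APP_CLIENT_ID, "token_use": "id",
                             "exp": now + 600, "email": "bob@example.com"})
    print(check_request(token, "users:read", demo_signature_check, now))   # allow
    print(check_request(token, "users:write", demo_signature_check, now))  # deny
```

The order matters: the signature is checked before any claim is read, and the role lookup never runs on an unauthenticated request. Because roles are keyed on the verified `email` claim, a user who logs in through Google or Okta and a user who logs in with a Cognito password get identical authorization treatment, which is the behaviour section 1.5 describes.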
1.2 What Is AWS Cognito?
AWS Cognito is a managed authentication service provided by Amazon Web Services (AWS). It securely handles user login, manages user accounts, and simplifies access control. Cognito supports traditional username/password logins, Single Sign-On (SSO) via external providers (Google, Okta, Microsoft Entra ID), and Multi-Factor Authentication (MFA).
Key Terms:
- User Pool: A secure user directory where Cognito stores user accounts.
- Identity Providers (IdPs): External authentication providers like Google, Okta, Microsoft Entra ID.
- Tokens: Secure digital identifiers verifying user sessions.
- MFA (Multi-Factor Authentication): Additional security step, such as an SMS code or authenticator app verification.
1.3 Purpose of Implementing Cognito for Axis
AWS Cognito has been implemented in Axis to achieve:
- Enhanced Security:
  - Stronger password requirements enforced.
  - Email address becomes the primary and sole user identifier, replacing usernames.
  - All authentication and security-related communications (for example "reset your password" and "your password has been updated") are sent securely via email.
- Simplified Login (SSO):
  - Single Sign-On integration allows users to log in once and access Axis seamlessly.
  - Familiar login methods provided via external providers (Google, Okta, Microsoft Entra ID).
- Improved User Management:
  - Passwords are no longer stored or managed by Axis.
  - User creation processes simplified, eliminating manual password management by admins.
1.4 What Has Changed in Axis?
The introduction of AWS Cognito significantly changes how user management and authentication function within Axis:
- The Axis login page has been redesigned to use a custom login flow that integrates directly with AWS Cognito while retaining all authentication and security benefits.
- Users no longer manually set or manage passwords within Axis; passwords are auto-generated and reset through the Axis “Forgot Password” functionality.
- Email is now the only valid and unique login identifier, replacing Username.
- User accounts created in Axis synchronize directly with AWS Cognito.
- Authentication (login verification) and logout are handled by Axis through the AWS Cognito APIs.
1.5 Login Methods in Axis
Axis supports two login methods post-integration:
Axis email/password (powered by AWS Cognito)
- Users log in directly via credentials managed by Cognito.
- Passwords are auto-generated upon user creation and can be reset through the Axis “Forgot Password” functionality (powered by AWS Cognito).
- Axis does not directly manage passwords; Cognito handles all authentication securely.
External identity providers (IdPs: Google, Okta, Microsoft Entra ID)
- Users authenticate through external providers, eliminating the need for a separate Axis-specific password.
- User email addresses linked with IdPs serve as primary identifiers.
- Cognito verifies authentication from IdPs and links it seamlessly with Axis.
Important notes:
- Users logging in exclusively via external providers will not have or require Cognito-managed passwords.
- Admins cannot set or reset passwords for users authenticating through external IdPs.
- User roles and permissions within Axis are managed independently of the chosen authentication method.
1.6 Axis Session Duration and Logout
- Axis sessions remain valid for 60 minutes of inactivity.
- After session expiry or logout, users are redirected to the Axis login page.
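The session rule above is a sliding inactivity window, not a fixed lifetime: every request resets the clock, and a session ends either when 60 minutes pass with no request or when the user logs out. The following is an added example (not Axis's own code) of a server-side session store implementing that behaviour. The session IDs, emails and access tokens are constructed values; `revoke_cognito_tokens` stands for whatever Axis calls on logout to invalidate the Cognito session (Cognito's `GlobalSignOut` API takes the user's access token, which is why the store keeps it), and the exact-boundary choice (still valid at exactly 60 minutes idle) is an assumption, since the text does not state it.

```python
"""Added example: sliding 60-minute inactivity timeout with explicit logout.
Not Axis's own code; the Cognito revocation call is injected as a callback."""
import secrets
import time

IDLE_TIMEOUT_SECONDS = 60 * 60  # "valid for 60 minutes of inactivity"
LOGIN_PAGE = "/login"           # where expired or logged-out users are redirected


class SessionStore:
    """In-memory store; a real deployment would back this with a shared cache."""

    def __init__(self, clock=time.monotonic):
        # monotonic clock so wall-clock adjustments cannot extend or shorten sessions
        self._clock = clock
        self._sessions = {}  # session_id -> {"email", "access_token", "last_seen"}

    @staticmethod
    def new_session_id() -> str:
        # CSPRNG-backed identifier; never derive session IDs from user data or counters.
        return secrets.token_urlsafe(32)

    def create(self, session_id: str, email: str, access_token: str) -> None:
        self._sessions[session_id] = {
            "email": email,
            "access_token": access_token,
            "last_seen": self._clock(),
        }

    def touch(self, session_id: str):
        """Call on every request. Returns (email, None) when the session is live,
        or (None, LOGIN_PAGE) when the caller must redirect to the login page."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None, LOGIN_PAGE
        now = self._clock()
        idle = now - entry["last_seen"]
        # Assumption: a session idle for exactly 60 minutes is still valid; beyond that it is gone.
        if idle > IDLE_TIMEOUT_SECONDS:
            del self._sessions[session_id]  # forget it server-side, do not just hide it
            return None, LOGIN_PAGE
        entry["last_seen"] = now  # sliding window: activity extends the session
        return entry["email"], None

    def logout(self, session_id: str, revoke_cognito_tokens) -> str:
        """Explicit logout: drop the local session and revoke the Cognito tokens.
        revoke_cognito_tokens(access_token) is a hypothetical wrapper around Cognito's GlobalSignOut."""
        entry = self._sessions.pop(session_id, None)
        if entry is not None:
            revoke_cognito_tokens(entry["access_token"])
        return LOGIN_PAGE  # the user lands on the Axis login page either way


if __name__ == "__main__":
    store = SessionStore()
    sid = SessionStore.new_session_id()
    store.create(sid, "alice@example.com", "constructed-access-token")
    print(store.touch(sid))                       # ('alice@example.com', None)
    print(store.logout(sid, lambda tok: None))    # /login
    print(store.touch(sid))                       # (None, '/login')
```

Deleting the entry on expiry rather than flagging it keeps the store from accumulating dead sessions, and revoking at Cognito on logout means a captured access token cannot be reused after the user has signed out of Axis.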
1.7 Camio - Axis Integration
The existing Camio - Axis integration workflow has not been affected by the implementation of SSO via Cognito.
Access to Axis from within Camio continues to work exactly as before, with no change to the user experience. The integration relies on a separate, secure internal login mechanism that does not involve Cognito.