Uplifting Security in Legacy Applications: Enhancing Identity and Authentication


Legacy applications often present unique security challenges. They are built on older architectures, technologies and library versions that may not support modern security practices, leaving them exposed to threats. Our team has been undertaking the modernisation of a legacy client application – a multi-tenant SaaS platform that had not undergone significant architectural updates in over a decade.

Through Well-Architected Reviews (WARs) and penetration testing we were able to feed a prioritised backlog into the product roadmap and identify areas that not only improve the security of the solution but also support the feature roadmap and improve the user experience. This blog outlines the process undertaken to uplift Identity and Authentication management, highlighting the challenges faced, the solutions implemented and the outcomes achieved.

The Challenge:

With a solution that is 15 years old, there will often be internal application architecture that lags behind where it needs to be.

At the time of initial development, an authentication library/framework called Jasig CAS (Central Authentication Service) was commonly used to manage user sign-on. It was an open source product that was easily integrated into Java web applications. CAS allows for many pluggable backends to manage authentication; LDAP was chosen for this application.

In essence, CAS + LDAP was used for Authentication, and LDAP was used directly by the application for Authorisation.

The following points all contributed to the requirement to change this approach:

  • CAS was several major versions behind the provider's current release, and upgrading wouldn't be straightforward.
  • LDAP ran directly on a single EC2 instance and was not highly available.
  • The use of LDAP as an authorisation database limited our options for more advanced authorisation features (switching seamlessly between tenants, advanced role/permission customisations).
  • The CAS version did not support OAuth2, which was deemed a requirement for providing a modern data/integration platform (APIs authenticated via an access_token).
  • The CAS version did not offer self-service forgot-password recovery, which led to numerous support tickets and issues, and it did not support MFA.

The Solution: Migrating to AWS Cognito

Given these constraints, we evaluated two options: upgrading to the latest version of CAS or adopting an external Identity Provider (IDP). We considered both Auth0 and AWS Cognito as external IDPs. Whilst we use Auth0 for other applications, the multi-tenant nature of this application would have pushed it into the Enterprise licensing category and was deemed overkill for the application.

After careful consideration, AWS Cognito was chosen for its robust features and seamless integration capabilities. AWS Cognito offered:

  • A hosted login page customizable with branded themes
  • Self-service password recovery, reducing support overhead
  • MFA support via SMS or Authenticator app
  • Federation with other identity providers, enabling SSO for corporate logins
  • OAuth2/OIDC compliance for secure API authentication
  • Scalability and reliability, backed by AWS’s SLA of 99.9% uptime
  • Cost efficiency, especially for standard users

Implementation Process:

The transition involved several key steps to enhance both security and user experience. We began with a Proof of Concept (POC) to validate the integration between AWS Cognito, Spring Security, and Microsoft Entra ID. The successful POC confirmed our approach for authentication.

Recognising the benefits of housing authorisation directly in the client database, we designed a system to associate users with multiple Tenants, Tenant Groups, and Portfolios. This was a significant improvement over the previous LDAP implementation which only supported single tenant associations. The steps to build the authorisation database included:

  • Listing all current use cases supported by CAS and LDAP.
  • Identifying new requirements, such as accessing multiple tenants with a single login and SSO via federated identities.
  • Designing a database schema to support these use cases.
  • Developing Java classes and services for the new authorisation schema, to be used by the two applications replacing CAS.

Integrating the new authentication scheme faced initial challenges, particularly OAuth2 compatibility with the older version of Spring Security. We upgraded the application libraries to the latest version of Spring Security, which simplified the OAuth2 implementation. However, two of the core applications that formed the SaaS offering had different persistence layers, which prevented the use of a shared library to handle authorisation.

To resolve this, we hosted the authorization functionality as a standalone microservice/API on AWS ECS Fargate, leveraging the latest frameworks for improved productivity and security. The applications communicated with the API via AWS Service Discovery and authenticated API requests with a shared private key. We also upgraded processes to utilise server-to-server authentication with access tokens.
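One way to move the authorisation API from a shared private key to Cognito-issued access tokens, as described above. This is an added example written against Spring Security 6, not the project's own code; the issuer URL, app client id and custom scope name are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class AuthzApiSecurityConfig {
    // Assumed values: the user pool's issuer URL and the app client allowed to call this API
    private static final String ISSUER =
            "https://cognito-idp.ap-southeast-2.amazonaws.com/<USER_POOL_ID>";
    private static final String ALLOWED_CLIENT_ID = "<APP_CLIENT_ID>";

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http.sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable()) // bearer-token API, no browser session to protect
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll()
                // entries of the Cognito "scope" claim become SCOPE_<name> authorities
                .requestMatchers("/authz/**").hasAuthority("SCOPE_authz-api/read")
                .anyRequest().denyAll())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(cognitoDecoder())));
        return http.build();
    }

    @Bean
    JwtDecoder cognitoDecoder() {
        // Loads the pool's JWKS via OIDC discovery; validates signature, expiry and issuer
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);
        // Cognito access tokens carry client_id rather than aud, so audience is checked here
        OAuth2TokenValidator<Jwt> clientIdCheck = token ->
                ALLOWED_CLIENT_ID.equals(token.getClaimAsString("client_id"))
                        ? OAuth2TokenValidatorResult.success()
                        : OAuth2TokenValidatorResult.failure(
                                new OAuth2Error("invalid_token", "unexpected client_id", null));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER), clientIdCheck));
        return decoder;
    }
}
```

The calling application obtains its token from the pool's token endpoint with the client_credentials grant, so each request is tied to a specific, revocable app client rather than a long-lived shared key.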

For deploying Cognito:

  • We deployed Cognito User Pools using AWS CDK (download the sample CDK code below).
  • Configured password policies to meet modern standards.
  • Utilised AWS Lambda to handle email with our branded templates and mail server.
  • Configured AWS SNS with a dedicated/branded SenderID for future MFA/SMS use.
  • Customised the login page with CSS to match our branding.
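A user pool with the settings listed above, written with AWS CDK v2 for Java. This is an added example and not the sample code the post links to; construct ids, the domain prefix, the callback URL and the Lambda asset path are assumptions.

```java
import java.util.List;
import software.amazon.awscdk.Duration;
import software.amazon.awscdk.RemovalPolicy;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.cognito.*;
import software.amazon.awscdk.services.lambda.Code;
import software.amazon.awscdk.services.lambda.Function;
import software.amazon.awscdk.services.lambda.Runtime;
import software.constructs.Construct;

public class IdentityStack extends Stack {
    public IdentityStack(Construct scope, String id, StackProps props) {
        super(scope, id, props);

        // CustomMessage trigger that renders the branded email templates (assumed asset path)
        Function customMessage = Function.Builder.create(this, "CustomMessage")
                .runtime(Runtime.NODEJS_20_X).handler("index.handler")
                .code(Code.fromAsset("lambda/custom-message")).build();

        UserPool pool = UserPool.Builder.create(this, "TenantUserPool")
                .selfSignUpEnabled(false)                    // users are provisioned, not self-registered
                .signInAliases(SignInAliases.builder().email(true).build())
                .passwordPolicy(PasswordPolicy.builder()
                        .minLength(12).requireLowercase(true).requireUppercase(true)
                        .requireDigits(true).requireSymbols(true)
                        .tempPasswordValidity(Duration.days(3)).build())
                .accountRecovery(AccountRecovery.EMAIL_ONLY) // self-service forgot-password by email
                .mfa(Mfa.OPTIONAL)                           // switch to Mfa.REQUIRED when rolled out
                .mfaSecondFactor(MfaSecondFactor.builder().sms(true).otp(true).build())
                .lambdaTriggers(UserPoolTriggers.builder().customMessage(customMessage).build())
                .removalPolicy(RemovalPolicy.RETAIN)         // a stack teardown must not delete users
                .build();

        // Hosted login page; the branding CSS is applied with the UI customisation API, not here
        pool.addDomain("HostedUi", UserPoolDomainOptions.builder()
                .cognitoDomain(CognitoDomainOptions.builder().domainPrefix("example-login").build())
                .build());

        // Confidential app client for the Spring application: authorization code grant only
        pool.addClient("SpringApp", UserPoolClientOptions.builder()
                .generateSecret(true)
                .preventUserExistenceErrors(true)            // login errors do not reveal valid users
                .oAuth(OAuthSettings.builder()
                        .flows(OAuthFlows.builder().authorizationCodeGrant(true).build())
                        .scopes(List.of(OAuthScope.OPENID, OAuthScope.EMAIL, OAuthScope.PROFILE))
                        .callbackUrls(List.of("https://app.example.com/login/oauth2/code/cognito"))
                        .build())
                .build());
    }
}
```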

By centralising authorisation and streamlining user login experiences, these enhancements significantly uplifted the security and user experience of the platform.

Key Outcomes:

The migration to AWS Cognito and the new authentication microservice yielded several positive outcomes:

  • Enhanced Security: With MFA and OAuth2, the platform is now significantly more secure. We also implemented role-based security and enforced proper password complexity controls.
  • Improved User Experience: Users benefit from a single login across multiple tenants and self-service password recovery.
  • Operational Efficiency: The platform’s reliability has improved, and support ticket volumes have decreased.
  • Cost Neutrality: While the running costs remain similar, the new setup eliminates the need for dedicated CAS and LDAP instances.

Additionally, the integration of AWS Cognito has streamlined user management. Users can now reset their passwords themselves, reducing the administrative burden. We customised Cognito to send branded emails, ensuring a seamless user experience. Future phases will include developing a user administration console and introducing MFA as an optional or required feature.

As in all applications, the work continues, but this improvement has significantly changed the foundations upon which both security and user experience can be enhanced.

Download a free copy of our CDK Sample Code to support the above scenarios.

Author Details

Jeremy Ford
Jeremy has over 16 years’ experience in software engineering. He specialises in Java and Web technologies and has extensive experience across all phases of the SDLC. Jeremy has led the successful delivery of multiple solutions for our clients utilising agile principles and processes. Jeremy is known for his exceptional technical knowledge, as well as his outstanding ability to apply this to achieve optimal solutions for clients; he is a certified AWS solutions architect and is highly experienced utilising the diverse AWS ecosystem. Jeremy is also a member of Intelligent Pathways’ internal consulting group, which identifies and recommends suitable technologies, coding practices and standards across the company.
