# gooddata-cloud
Michael Gray:
Hey team, we have silent login occurring within our app using JWKs, and we're trying to spin up another app environment which has a separate Cognito user pool. Is there any way of making this silent login work with just one GoodData environment/URL? Apologies for being a bit light on the technical details; any insight on this topic would be appreciated, thanks!
Joseph Heun:
Hi Michael, what exactly do you mean by a specific URL? Where exactly do you want the user to be upon login?
Michael Gray:
Hey, so I'm talking about one GoodData Cloud environment being connected to multiple Cognito User Pools. My gut feeling is that's not possible, and so for each separate Cognito User Pool we need a separate GoodData environment. Is that correct? Are we able to pay for additional GoodData environments (orgs)? Right now we have our main environment, with a whitelabeled URL. We were also provisioned a dev environment, with a URL like orgname-dev.cloud.gooddata.com. Is there a limit to how many environments we can have? Or is there actually a way to connect multiple Cognito user pools to a single GoodData environment? Let me know if I'm still not making sense and I can try to explain further.
I read this GoodData doc about federated identity management which is what I think we ideally need. But our use case is embedded visualizations and we also have silent login to GoodData through our app. So a standard email address username isn’t used, which seems to be required for multiple OIDC support in GoodData. That aside, it also says embedded visualizations are not yet compatible with federated identity management. So that sounds like another reason that approach won’t work. Which I think leaves us with the multiple environment/org approach mentioned in my previous message. Would that be viable if we ended up needing 20-30 environments/orgs over the next 2-3 years?
Joseph Heun:
Hello Michael, thank you very much for the detailed use case. It certainly gives us a lot to think about for your implementation. However, rather than jumping into 20-30 new environments, we might want to take a different approach. I've consulted this a little bit internally, and a colleague and I thought that maybe you could try USER GROUPS within GoodData. Are you separating all of your users into different pools so they aren't exposed to any data they should not be? If this is the case, then maybe this can all be avoided. This way you could allow access to only certain workspaces for certain user groups, and if any other security measures are needed you could implement UDFs or WDFs.
Michael Gray:
@Joseph Heun I’ve sent a DM with additional details
Branislav Slávik:
Hello @Michael Gray, thank you for reaching out to us with your implementation question(s). As far as I can understand, the 20-30 new environments/orgs is most probably some kind of expectation for the 2 to 3 upcoming years, so currently there is no need to provision all of them. I suppose that this is the first "extra" org needed now. How urgent is the need for this extra environment/org now? The reason I am asking is that you are correct: the embedded visualisations are currently not supported/compatible with Federated Identity Management. However, it seems that it is currently being worked on by our developers. With that in mind, I would like to ask how you are embedding the visualisations in your app. Are you using the iframe or our UI SDK? Once we know this, I would reach out to them about the current state, options and ETA. Hopefully, we would be able to figure out some temporary solution and/or workaround until the support for embedded visualisations is released.
Michael Gray:
Hey @Branislav Slávik! Thanks for this additional information; cool to hear that you are currently working on federated identity management for embedded visualizations! You are correct that we would be gradually adding new environments/orgs. We have a dev org already provisioned for us that we will use for a demo that we need to give soon. And we may need to purchase an additional org very soon; I will be in touch with Thiago when we need it. We are OK in the immediate term with the extra dev org that we have. We are embedding the visualizations in our app with the React SDK. We use JWT authentication, and for our silent login solution we provision GoodData users whose ID matches the sub-id of their corresponding Cognito user.
Let me know if you have any further questions, and yes a temporary solution or workaround would be amazing!! And an ETA would be very much appreciated. In the meantime, we have successfully solved the problem with the multiple org approach. Thanks very much for your help! 🙌
Branislav Slávik:
Hi @Michael Gray, thank you for sharing additional details. I reached out to our developers; you can find a summary below.

1.) Your setup
Our understanding is as follows: there is a single GD organization used by you, and it works in a 3-layered structure. Your direct customer is something you call an "Enterprise". Each "Enterprise" can aggregate multiple "Brands", and each "Brand" might contain multiple "Gyms". So, as a rough example, the setup would be something like:
Enterprise 1 (aka sport centers in some city or cities)
Brands: Climbing walls, Swimming pools & Fitness centers
Gyms: for Climbing walls, Location 1, Location 2, etc.; for Fitness centers, Location 3, Location 4, etc., or something like that.

2.) Solution(s)
In any case, it still seems like something that can be solved by using workspace hierarchies and proper user groups. From the authorisation perspective, we do not care how the user authenticates; for us it is sufficient that the user has proper access rights. So, if you are able to provide each of your end users with a proper JWT (regardless of whether on our end all the JWTs would go against a single JWK or you would have different JWKs for individual Enterprises/Brands or Gyms), our backend is able to authenticate them. From that point onward it is only about assigning the users to proper user groups/workspaces. The task would be just to set up the workspace/user group hierarchy accordingly. For example:
Some "Enterprise 1" user groups: users from these groups are able to access workspaces related to "Enterprise 1".
Under that, user groups per "Brand": each user from the "Brand A" group can see only workspaces related to this "Brand".
And further down, user groups per "Gym": the users with the least privileges will have access only to the workspace related to their particular "Gym".

3.) FIM vs current JWT+JWK setup
As far as I understand, in both cases you would need to implement some kind of logic in your app that would "map" the users to the appropriate user pool. And this would be needed regardless of whether in the end it would be the FIM IdP (user pool name or id) or a particular JWT+JWK.

4.) (Near) Future
In terms of FIM supporting embedded visualisations, there is no particular deadline/ETA set yet, but it should hopefully be safe to consider something like "the upcoming month or two" as a maximum. With that in mind, this should provide you enough time to do your demo from the dev org and move the necessary changes to the prod one. After that, you would be able to work on the new setup in the dev org and, once ready, propagate it to prod again.

Since you have already implemented the JWT+JWK solution, it might be worth considering keeping this approach and extending it by using an additional user pool. I hope that the above helps and explains a bit more about your current setup and possibilities. If you have any questions, please feel free to ask.
Michael Gray:
Awesome, thanks for the very helpful and thorough response. It sounds like I can possibly just post the JWKs for both user pools to the same GoodData org, and then JWT authentication would work from both of our app environments/user pools. We will test this soon-ish. In the meantime we have the separate org set up fine for our demo. I'll be in touch if I have further questions, but I'm good for now! Really appreciate your help! You guys are great 👍
Branislav Slávik:
Thank you for letting us know. I am glad that you found the response helpful. Good luck with the test and yes, feel free to reach out if there is any issue or you need further help. We are very happy that our support met your needs! Your feedback is valuable to us. Could you please share your thoughts and experience here?