We know a Policy Server consists of 2 very important components - Authentication and Authorization.
The following diagram is a typical deployment diagram of a traditional SSO architecture: a Web Policy Agent deployed on a web server, which communicates with a Policy Server on the backend.
How do we achieve the same in AWS world?
1. Authentication will be performed at the Login Page which integrates tightly with Amazon Cognito. (By the way, the pricing for Cognito is quite attractive!)
2. Authorization will be performed at the "Policy Server", which I discussed in my previous post.
In fact, we can do better than that for the Authorization.
In the modern world, APIs are everywhere. We can have an API Gateway that exposes an isAuthorized API. The "Policy Agent" will "ask" the API Gateway whether a user is authorized or not.
In addition, we can implement fine-grained authorization by building entitlement microservices.
As long as we introduce a clean interface for the entitlement microservice, customers can own this piece of work: they implement their own business logic and plug it into the authorization framework at any time.
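The following is an added example, not code from the original post, showing one way the pieces described above fit together: an isAuthorized handler in the shape of an AWS Lambda function behind API Gateway, a pluggable EntitlementProvider interface that customers implement with their own business logic, and a decision point that combines providers deny-by-default (an explicit deny always wins over an allow). The event layout, the class names, the handling of the `cognito:groups` claim and the sample rules are all assumptions made for illustration.

```python
"""Added example (not from the original post): a deny-by-default isAuthorized
handler in the shape of an AWS Lambda function behind API Gateway, with a
pluggable entitlement interface. Event layout, class names and the sample
rules are assumptions for illustration."""
import json
from abc import ABC, abstractmethod
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AccessRequest:
    user_id: str          # subject from the Cognito-issued token
    groups: frozenset     # groups claim from the token
    resource: str         # e.g. "/reports/q1"
    action: str           # e.g. "read"


class EntitlementProvider(ABC):
    """The clean interface: customers implement decide() with their own logic.
    Return True to allow, False to deny explicitly, None for no opinion."""

    @abstractmethod
    def decide(self, req: AccessRequest) -> Optional[bool]:
        raise NotImplementedError


class GroupRuleProvider(EntitlementProvider):
    """Coarse-grained rules: (group, resource_prefix, action or "*", effect)."""

    def __init__(self, rules: Iterable[tuple]):
        self._rules = list(rules)

    def decide(self, req: AccessRequest) -> Optional[bool]:
        for group, prefix, action, effect in self._rules:
            if (group in req.groups and req.resource.startswith(prefix)
                    and action in (req.action, "*")):
                return effect
        return None


class OwnerProvider(EntitlementProvider):
    """Fine-grained rule: a user may act on resources under /users/<own id>/."""

    def decide(self, req: AccessRequest) -> Optional[bool]:
        return True if req.resource.startswith(f"/users/{req.user_id}/") else None


class PolicyDecisionPoint:
    """Combines providers: any explicit deny wins, then any allow; else deny."""

    def __init__(self, providers: Iterable[EntitlementProvider]):
        self._providers = list(providers)

    def is_authorized(self, req: AccessRequest) -> bool:
        decisions = [p.decide(req) for p in self._providers]
        if False in decisions:
            return False
        return True in decisions


def parse_groups(raw) -> frozenset:
    """Normalise the groups claim. Assumption: it may arrive as a list, a
    comma-separated string or a bracketed space-separated string."""
    if isinstance(raw, list):
        return frozenset(raw)
    text = str(raw or "").strip("[]")
    return frozenset(g for g in text.replace(",", " ").split() if g)


def handler(event: dict, pdp: PolicyDecisionPoint) -> dict:
    """API Gateway proxy-style entry point for POST /isAuthorized."""
    try:
        claims = event["requestContext"]["authorizer"]["claims"]
        body = json.loads(event.get("body") or "{}")
        req = AccessRequest(user_id=claims["sub"],
                            groups=parse_groups(claims.get("cognito:groups")),
                            resource=body["resource"], action=body["action"])
    except (KeyError, TypeError, ValueError):
        # Never fail open on a malformed request: report it and deny.
        return {"statusCode": 400,
                "body": json.dumps({"authorized": False, "error": "malformed request"})}
    return {"statusCode": 200, "body": json.dumps({"authorized": pdp.is_authorized(req)})}


def build_sample_pdp() -> PolicyDecisionPoint:
    """Constructed sample policy: staff may read reports; contractors are
    explicitly denied everything under /users/, even their own profile."""
    rules = [("staff", "/reports/", "read", True),
             ("contractors", "/users/", "*", False)]
    return PolicyDecisionPoint([GroupRuleProvider(rules), OwnerProvider()])


def sample_event(sub: str, groups: str, resource: str, action: str) -> dict:
    """Constructed API Gateway event carrying a Cognito authorizer context."""
    return {"requestContext": {"authorizer": {"claims": {"sub": sub, "cognito:groups": groups}}},
            "body": json.dumps({"resource": resource, "action": action})}


def authorized(sub: str, groups: str, resource: str, action: str) -> bool:
    """What the Policy Agent would learn from calling the isAuthorized API."""
    resp = handler(sample_event(sub, groups, resource, action), build_sample_pdp())
    return json.loads(resp["body"])["authorized"]


if __name__ == "__main__":
    print(authorized("u1", "staff", "/reports/q1", "read"))          # True
    print(authorized("u1", "staff", "/reports/q1", "write"))         # False: no matching allow
    print(authorized("u1", "staff", "/users/u1/profile", "write"))   # True: owner rule
    print(authorized("u2", "contractors", "/users/u2/profile", "read"))  # False: explicit deny wins
```

The design choice worth noting is the three-valued provider result: a provider that has no opinion returns None rather than False, so adding a new entitlement microservice can only ever narrow access (by returning an explicit deny) or grant it where nothing else did, and a request nobody vouches for is denied by default.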