CloudFront Authentication

Version 1

So you badly want to leverage CloudFront for your CDN. But you need to protect the content behind auth. You do a search, and most of the solutions involve Lambda@Edge.

Lambda@Edge is cool and all, but it directly adds to your request latency, and you incur the compute costs of that Lambda for each request.

So I developed a solution called CloudFront Auth, which is an extensible AWS API Gateway, using a Golang Lambda that proxies auth requests from CloudFront to authentication handlers.

The primary authentication handler I wrote to use behind CFA was a CFA-SAML solution to integrate with the corporate-wide SAML login solution.

Works like a champ! SAML auth compute latency and charges only happen when the user’s access cookies have timed out or are invalid. In that case they click the login button you give them, and a few seconds later they have authenticated themselves for access to CloudFront.

Version 2

The API Gateway, Route 53, and more that were used in Version 1…they worked. They reduced latency. They did everything we designed them to do. But it was costly and overkill.

By that I mean it cost as much per month as it does to host this new Version 2 for an entire year.

A Lambda@Edge Python function carrying a SAML-capable processing script was the fastest, most cost-effective way to add SAML redirect login processing to a CloudFront distribution. It turns out the latency of the additional processing was negligible.

Continuous improvement!