SAML session initiation in Amazon Cognito user pools - Amazon Cognito
Using IdP-initiated SAML SSO

SAML session initiation in Amazon Cognito user pools

Amazon Cognito supports service provider-initiated (SP-initiated) single sign-on (SSO) and IdP-initiated SSO. As a best security practice, implement SP-initiated SSO in your user pool. Section 5.1.2 of the SAML V2.0 Technical Overview describes SP-initiated SSO. Amazon Cognito is the identity provider (IdP) to your app. The app is the service provider (SP) that retrieves tokens for authenticated users. However, when you use a third-party IdP to authenticate users, Amazon Cognito is the SP. When your SAML 2.0 users authenticate with an SP-initiated flow, they must always first make a request to Amazon Cognito and redirect to the IdP for authentication.

For some enterprise use cases, access to internal applications starts at a bookmark on a dashboard hosted by the enterprise IdP. When a user selects a bookmark, the IdP generates a SAML response and sends it to the SP to authenticate the user with the application.

You can configure a SAML IdP in your user pool to support IdP-initiated SSO. When you support IdP-initiated authentication, Amazon Cognito can't verify that it has solicited the SAML response that it receives because Amazon Cognito doesn't initiate authentication with a SAML request. In SP-initiated SSO, Amazon Cognito sets state parameters that validate a SAML response against the original request. With SP-initiated sign-in you can also guard against cross-site request forgery (CSRF).

For an example of how to build SP-initiated SAML in an environment where you don't want your users to interact with the user pool hosted UI, see Example scenario: bookmark Amazon Cognito apps in an enterprise dashboard.

Using IdP-initiated SAML SSO

When you configure your identity provider for IdP-initiated SAML 2.0 sign-in, you can present SAML assertions to the saml2/idpresponse endpoint in your user pool domain without the need to initiate the session at the Authorize endpoint. A user pool with this configuration accepts IdP-initiated SAML assertions from a user pool external identity provider that the requested app client supports. The following steps describe the overall process to configure and sign in with an IdP-initiated SAML 2.0 provider.

  1. Create or designate a user pool and app client.

  2. Create a SAML 2.0 IdP in your user pool.

  3. Configure your IdP to support IdP initiation. IdP-initiated SAML introduces security considerations that other SSO providers aren’t subject to. Because of this, you can’t add non-SAML IdPs, including the user pool itself, to any app client that uses a SAML provider with IdP-initiated sign-in.

  4. Associate your IdP-initiated SAML provider with an app client in your user pool.

  5. Direct your user to the sign-in page for your SAML IdP and retrieve a SAML assertion.

  6. Direct your user to your user pool saml2/idpresponse endpoint with their SAML assertion.

  7. Receive JSON web tokens (JWTs).

To accept unsolicited SAML assertions in your user pool, you must consider its effect on your app security. Request spoofing and CSRF attempts are likely when you accept IdP-initiated requests. Although your user pool can't verify an IdP-initiated sign-in session, Amazon Cognito validates your request parameters and SAML assertions.

Additionally, your SAML assertion must not contain an InResponseTo claim and must have been issued within the previous 6 minutes.

You must submit requests with IdP-initiated SAML to your /saml2/idpresponse. For SP-initiated and hosted UI authorization requests, you must provide parameters that identify your requested app client, scopes, redirect URI, and other details as query string parameters in HTTP GET requests. For IdP-initiated SAML assertions, however, the details of your request must be formatted as a RelayState parameter in the body of an HTTP POST request. The request body must also contain your SAML assertion as a SAMLResponse parameter.

The following is an example request for an IdP-initiated SAML provider.

POST /saml2/idpresponse HTTP/1.1
User-Agent: USER_AGENT
Accept: */*
Host: example.auth.us-east-1.amazoncognito.com
Content-Type: application/x-www-form-urlencoded

SAMLResponse=[Base64-encoded SAML assertion]&RelayState=identity_provider%3DMySAMLIdP%26client_id%3D1example23456789%26redirect_uri%3Dhttps%3A%2F%2Fwww.example.com%26response_type%3Dcode%26scope%3Demail%2Bopenid%2Bphone

HTTP/1.1 302 Found
Date: Wed, 06 Dec 2023 00:15:29 GMT
Content-Length: 0
x-amz-cognito-request-id: 8aba6eb5-fb54-4bc6-9368-c3878434f0fb
Location: https://www.example.com?code=[Authorization code]
AWS Management Console
To configure an IdP for IdP-initiated SAML

  1. Create a user pool, app client, and SAML identity provider.

  2. Disassociate all social and OIDC identity providers from your app client, if any are associated.

  3. Navigate to the Sign-in experience tab of your user pool.

  4. Under Federated identity provider sign-in, edit or add a SAML provider.

  5. Under IdP-initiated SAML sign-in, choose Accept SP-initiated and and IdP-initiated SAML assertions.

  6. Choose Save changes.

API/CLI

To configure an IdP for IdP-initiated SAML

Configure IdP-initiated SAML with the IDPInit parameter in a CreateIdentityProvider or UpdateIdentityProvider API request. The following is an example ProviderDetails of an IdP that supports IdP-initiated SAML.

"ProviderDetails": { 
      "MetadataURL" : "https://myidp.example.com/saml/metadata",
      "IDPSignout" : "true",
      "RequestSigningAlgorithm" : "rsa-sha256",
      "EncryptedResponses" : "true",
      "IDPInit" : "true"
}