SAML session initiation in Amazon Cognito user pools
Amazon Cognito supports service provider-initiated (SP-initiated) single sign-on (SSO) and IdP-initiated SSO. As a best security practice, implement SP-initiated SSO in your user pool. Section 5.1.2 of the SAML V2.0 Technical Overview
For some enterprise use cases, access to internal applications starts at a bookmark on a dashboard hosted by the enterprise IdP. When a user selects a bookmark, the IdP generates a SAML response and sends it to the SP to authenticate the user with the application.
You can configure a SAML IdP in your user pool to support IdP-initiated SSO. When you support IdP-initiated authentication, Amazon Cognito can't verify that it has solicited the SAML response that it receives because Amazon Cognito doesn't initiate authentication with a SAML request. In SP-initiated SSO, Amazon Cognito sets state parameters that validate a SAML response against the original request. With SP-initiated sign-in you can also guard against cross-site request forgery (CSRF).
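The check that SP-initiated sign-in makes possible, as an added illustration that is not Amazon Cognito's own code: the SP records the random ID of each AuthnRequest it issues and only accepts a SAML Response whose `InResponseTo` matches a pending, unexpired, not-yet-consumed ID, so an unsolicited (IdP-initiated) or replayed response is rejected. The `SpRequestTracker` class and its in-memory store are hypothetical; XML signature verification, which a real SP performs before trusting anything in the response, is out of scope here.

```python
"""Tie a SAML Response to the SP's own AuthnRequest (constructed example)."""
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"


class SpRequestTracker:
    """Hypothetical store of AuthnRequest IDs this SP has issued."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self.pending = {}  # request ID -> (issued_at, relay_state)

    def new_authn_request(self, relay_state: str) -> str:
        # Random, unguessable ID: the state the SP later validates against.
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = (time.time(), relay_state)
        return request_id

    def validate_response(self, response_xml: str, relay_state: str) -> str:
        """Return the matched request ID, or raise ValueError.

        Assumes the caller has already verified the XML signature."""
        root = ET.fromstring(response_xml)
        if root.tag != SAMLP + "Response":
            raise ValueError("not a samlp:Response")
        in_response_to = root.get("InResponseTo")
        if not in_response_to:
            # No InResponseTo means nobody here asked for it: IdP-initiated.
            raise ValueError("unsolicited response rejected")
        entry = self.pending.pop(in_response_to, None)  # single use: no replay
        if entry is None:
            raise ValueError("unknown or already-consumed request ID")
        issued_at, expected_relay = entry
        if time.time() - issued_at > self.ttl:
            raise ValueError("request expired")
        if relay_state != expected_relay:
            # RelayState bound to the request is the CSRF guard.
            raise ValueError("RelayState mismatch")
        return in_response_to
```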
For an example of how to build SP-initiated SAML in an environment where you don't want your users to interact with the user pool hosted UI, see Example scenario: bookmark Amazon Cognito apps in an enterprise dashboard.