Amazon Cognito
Developer Guide

Step 4. Add Sign-in with a SAML Identity Provider to a User Pool (Optional)

You can enable your app users to sign in through a SAML identity provider (IdP). Whether your users sign in directly or through a third party, all users have a profile in the user pool. Skip this step if you don't want to add sign-in through a SAML identity provider.

You need to update your SAML identity provider and configure your user pool. See the documentation for your SAML identity provider for information about how to add your user pool as a relying party or application for your SAML 2.0 identity provider.

You need to provide an assertion consumer endpoint to your SAML identity provider. Configure this endpoint for SAML 2.0 POST binding in your SAML identity provider:

https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse

You can find your domain prefix and the region value for your user pool on the Domain name tab of the Amazon Cognito console.

For some SAML identity providers, you also need to provide the SP urn / Audience URI / SP Entity ID, in the form:

urn:amazon:cognito:sp:<yourUserPoolID>

You can find your user pool ID on the App client settings tab in the Amazon Cognito console.

You should also configure your SAML identity provider to provide attribute values for any attributes that are required in your user pool. Typically, email is a required attribute for user pools. In that case, the SAML identity provider should provide an email value (claim) in the SAML assertion.

Amazon Cognito user pools support SAML 2.0 federation with post-binding endpoints. This eliminates the need for your app to retrieve or parse SAML assertion responses, because the user pool directly receives the SAML response from your identity provider via a user agent.

To configure a SAML 2.0 identity provider in your user pool

  1. Go to the Amazon Cognito console. You might be prompted for your AWS credentials.

  2. Choose Manage your User Pools.

  3. Choose an existing user pool from the list, or create a new user pool.

  4. On the Identity providers tab, create a new provider by uploading or typing a URL for the metadata document from your SAML identity provider. For more information about the metadata document, see Adding SAML Identity Providers for Your User Pool.

  5. On the Attribute mapping tab, add mappings for at least the required attributes, typically email, as follows:

    1. Type the SAML attribute name as it appears in the SAML assertion from your identity provider. If your identity provider offers sample SAML assertions, that might help you to find the name. Some identity providers use simple names, such as email, while others use names similar to this:

      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    2. Choose the destination user pool attribute from the drop-down list.

  6. Choose Save changes.

  7. Choose Go to summary.

For more information, see Adding SAML Identity Providers for Your User Pool.
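The following Python is an added example, not code from the Amazon Cognito documentation or the AWS SDKs. It ties together the three things this step asks you to get right: the assertion consumer endpoint, the SP entity ID (Audience URI), and the attribute mapping for required attributes such as email. It derives the two identifiers from a domain prefix, region and user pool ID in the formats given above, then checks a constructed (hypothetical) SAML assertion for the mismatches that typically cause a federated sign-in to fail: an `Audience` that is not the pool's `urn:amazon:cognito:sp:` value, a `Recipient` that is not the `/saml2/idpresponse` URL, or a required SAML attribute that is missing so the mapped user pool attribute would be empty. The domain prefix, region, pool ID and assertion contents are all made up for the example; the check deliberately does not validate the XML signature, which Cognito itself does using the IdP's metadata.

```python
"""Added example (not from the Amazon Cognito Developer Guide): derive the ACS
URL and SP entity ID a SAML IdP needs for a Cognito user pool, then check a
constructed SAML assertion against them and against the required attribute
mapping. All identifiers and the assertion below are constructed/hypothetical."""
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace, used for every lookup below
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim-style attribute name some IdPs use instead of a simple name like "email"
EMAIL_CLAIM_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def cognito_sp_identifiers(domain_prefix, region, user_pool_id):
    """Return (ACS URL, SP entity ID) in the formats the guide specifies."""
    acs_url = f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse"
    entity_id = f"urn:amazon:cognito:sp:{user_pool_id}"
    return acs_url, entity_id


def extract_attributes(assertion_xml):
    """Map each SAML Attribute Name to the list of its AttributeValue texts.
    The Name strings are exactly what you type into the Attribute mapping tab."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_assertion(assertion_xml, acs_url, entity_id, attribute_mapping):
    """Return a list of problems (empty means the assertion is addressed to this
    user pool and carries every mapped attribute). attribute_mapping maps the
    SAML attribute name as it appears in the assertion to the user pool attribute.
    Signature validation is intentionally out of scope here."""
    root = ET.fromstring(assertion_xml)
    problems = []

    # Audience must equal the SP entity ID configured at the IdP
    audience = root.findtext(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:
        problems.append(f"Audience {audience!r} != SP entity ID {entity_id!r}")

    # Recipient must be the pool's assertion consumer (POST binding) endpoint
    scd = root.find(".//saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} != ACS URL {acs_url!r}")

    # Every mapped (required) attribute must be present with a value
    attrs = extract_attributes(assertion_xml)
    for saml_name, pool_attr in attribute_mapping.items():
        if not attrs.get(saml_name):
            problems.append(
                f"user pool attribute {pool_attr!r} would be empty: "
                f"SAML attribute {saml_name!r} missing from assertion")
    return problems


# Constructed sample assertion (hypothetical IdP, prefix, region and pool ID)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jane</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://example-prefix.auth.us-east-1.amazoncognito.com/saml2/idpresponse"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>urn:amazon:cognito:sp:us-east-1_EXAMPLE</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def demo():
    """Check the sample assertion against the identifiers for the sample pool
    with the claim URI mapped to the user pool's email attribute."""
    acs_url, entity_id = cognito_sp_identifiers(
        "example-prefix", "us-east-1", "us-east-1_EXAMPLE")
    return check_assertion(SAMPLE_ASSERTION, acs_url, entity_id,
                           {EMAIL_CLAIM_URI: "email"})


if __name__ == "__main__":
    print(demo() or "assertion matches the user pool configuration")
```

Mapping the simple name `email` instead of the claim URI is the most common mistake with IdPs that emit claim-style names; `check_assertion` with `{"email": "email"}` reports the missing attribute rather than silently leaving the required user pool attribute empty.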

Next Step

Step 5. Install an Amazon Cognito User Pools SDK
