Configuring your third-party SAML identity provider - Amazon Cognito

Configuring your third-party SAML identity provider

To configure third-party SAML 2.0 identity provider (IdP) solutions to work with federation for Amazon Cognito user pools, you must configure your SAML IdP to redirect to the following Assertion Consumer Service (ACS) URL: https://mydomain.us-east-1.amazoncognito.com/saml2/idpresponse. If your user pool has an Amazon Cognito domain, you can find your user pool domain path in the App integration tab of your user pool in the Amazon Cognito console.

Some SAML IdPs require that you provide the urn, also called the audience URI or SP entity ID, in the form urn:amazon:cognito:sp:us-east-1_EXAMPLE. You can find your user pool ID under User pool overview in the Amazon Cognito console.

You must also configure your SAML IdP to provide values for any attributes that you designated as required attributes in your user pool. Typically, email is a required attribute for user pools, in which case the SAML IdP must provide some form of an email claim in their SAML assertion, and you must map the claim to the attribute for that provider.

The following configuration information for third-party SAML 2.0 IdP solutions is a good place to start setting up federation with Amazon Cognito user pools. For the most current information, consult your provider's documentation directly.

To sign SAML requests, you must configure your IdP to trust requests signed by your user pool signing certificate. To accept encrypted SAML responses, you must configure your IdP to encrypt all SAML responses to your user pool. Your provider will have documentation about configuring these features. For an example from Microsoft, see Configure Microsoft Entra SAML token encryption.

Note

Amazon Cognito only requires your identity provider metadata document. Your provider might offer configuration information for AWS account federation with SAML 2.0; this information isn't relevant to Amazon Cognito integration.