
Configuring your third-party SAML identity provider


When you want to add a SAML identity provider (IdP) to your user pool, you must make some configuration updates in the management interface of your IdP. This section describes how to format the values that you must provide to your IdP. It also describes how to retrieve the IdP metadata document, either as a static file or as a URL that your user pool fetches, that identifies the IdP and its SAML claims to your user pool.

To configure third-party SAML 2.0 identity provider (IdP) solutions to work with federation for Amazon Cognito user pools, you must configure your SAML IdP to redirect to the following Assertion Consumer Service (ACS) URL: https://mydomain.us-east-1.amazoncognito.com/saml2/idpresponse. In this example, mydomain is your user pool domain prefix and us-east-1 is the Region of your user pool; if your user pool uses a custom domain, the ACS URL is https://<your custom domain>/saml2/idpresponse. If your user pool has an Amazon Cognito domain, you can find your user pool domain path in the Domain menu of your user pool in the Amazon Cognito console.

Some SAML IdPs require that you provide the SP entity ID, also called the audience URI or URN, in the form urn:amazon:cognito:sp:us-east-1_EXAMPLE, where us-east-1_EXAMPLE is your user pool ID. The IdP places this value in the Audience of the assertions that it issues to your user pool. You can find your user pool ID under User pool overview in the Amazon Cognito console.

You must also configure your SAML IdP to provide values for any attributes that you designated as required attributes in your user pool. Typically, email is a required attribute, in which case the SAML IdP must include some form of email claim in its SAML assertion, and you must map that claim to the email attribute in the attribute mapping for that provider.
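The three values above (ACS URL, SP entity ID, and the required email claim) are also the fields that a SAML response must carry before your user pool will accept it. The following Python script is an added example, not code from Amazon Cognito or this page: it derives the ACS URL and SP entity ID from a user pool ID and domain, and then checks a decoded SAML response for a matching Destination, Recipient, Audience and email attribute. The pool ID us-east-1_EXAMPLE, the domain prefix mydomain, the custom domain auth.example.com, and the sample SAML response are constructed placeholders, and the script deliberately does not verify signatures or decrypt assertions.

```python
"""Derive the SP-side values a SAML IdP needs for a Cognito user pool, then
check a SAML response against them. Added example, not Cognito's own code:
the pool ID, domain and SAML response are constructed placeholders."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names commonly used for e-mail; which one your IdP emits is what you
# map to the Cognito "email" attribute in the provider's attribute mapping.
EMAIL_CLAIMS = {"email",
                "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}
POOL_ID_RE = re.compile(r"^([a-z]{2}(?:-[a-z]+)+-\d)_[A-Za-z0-9]+$")


def sp_values(user_pool_id: str, domain_prefix: Optional[str] = None,
              custom_domain: Optional[str] = None) -> dict:
    """ACS URL and SP entity ID (audience URI) for a user pool.

    The region comes from the pool ID prefix (us-east-1_EXAMPLE -> us-east-1).
    Pass either the Cognito domain prefix or a custom domain.
    """
    m = POOL_ID_RE.match(user_pool_id)
    if not m:
        raise ValueError(f"not a user pool ID: {user_pool_id!r}")
    if custom_domain:
        host = custom_domain
    elif domain_prefix:
        host = f"{domain_prefix}.{m.group(1)}.amazoncognito.com"
    else:
        raise ValueError("need a Cognito domain prefix or a custom domain")
    return {"acs_url": f"https://{host}/saml2/idpresponse",
            "entity_id": f"urn:amazon:cognito:sp:{user_pool_id}"}


def check_saml_response(xml_text: str, expected: dict) -> list:
    """Problems found in a decoded, plaintext SAML Response (empty = OK).

    Checks the fields the user pool matches against its own configuration:
    Destination and SubjectConfirmationData/@Recipient must be the ACS URL,
    Audience must be the SP entity ID, and an e-mail claim must be present.
    Signature and encryption are deliberately not validated here.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected["acs_url"]:
        problems.append(f"Destination is {root.get('Destination')!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion (missing or encrypted)"]
    aud = assertion.find(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != expected["entity_id"]:
        problems.append("Audience is not the SP entity ID")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        problems.append("Recipient is not the ACS URL")
    names = {a.get("Name") for a in
             assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    if not names & EMAIL_CLAIMS:
        problems.append(f"no e-mail claim among {sorted(names)}")
    return problems


# Constructed sample: what a healthy IdP response for the pool above looks like.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2025-01-01T00:00:00Z"
  Destination="https://mydomain.us-east-1.amazoncognito.com/saml2/idpresponse">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
          Recipient="https://mydomain.us-east-1.amazoncognito.com/saml2/idpresponse"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:amazon:cognito:sp:us-east-1_EXAMPLE</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute
        Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    pool = sp_values("us-east-1_EXAMPLE", domain_prefix="mydomain")
    print(pool, check_saml_response(SAMPLE_RESPONSE, pool))
```

To debug a rejected sign-in, paste the base64-decoded SAMLResponse from the browser's POST to /saml2/idpresponse into check_saml_response with the values from sp_values. Switching the pool to a custom domain changes the ACS URL but not the SP entity ID, so an IdP still configured for the old amazoncognito.com domain produces Destination and Recipient mismatches while the Audience still passes.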

The following configuration information for third-party SAML 2.0 IdP solutions is a good place to start setting up federation with Amazon Cognito user pools. For the most current information, consult your provider's documentation directly.

To sign SAML requests, you must configure your IdP to trust requests signed by your user pool signing certificate. To accept encrypted SAML responses, you must configure your IdP to encrypt all SAML responses to your user pool with the certificate that your user pool provides for that purpose. Your provider will have documentation about configuring these features. For an example from Microsoft, see Configure Microsoft Entra SAML token encryption.

Note

Amazon Cognito requires only your identity provider metadata document. Your provider might also offer customized configuration information for SAML 2.0 federation with IAM or AWS IAM Identity Center; those are separate integrations from a user pool. To set up Amazon Cognito integration, look for your provider's general directions for retrieving the metadata document, and manage the rest of the configuration in your user pool.
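Because the metadata document is the one thing your user pool takes from the IdP, it is worth inspecting before you upload it or point the user pool at its URL. The following Python script is an added example, not code from Amazon Cognito or this page: it parses an IdP metadata document and reports the entity ID, the single sign-on endpoints, and the number of signing certificates, and flags a missing signing certificate, an expired validUntil, and the absence of an HTTP-POST SingleSignOnService endpoint. Those checks are a sensible minimum chosen here, not Cognito's published validation rules, and the metadata document and certificate bytes are constructed placeholders.

```python
"""Pre-flight check of a SAML IdP metadata document before it goes into a
Cognito user pool. Added example with a constructed document; the checks
(entity ID, an unexpired validUntil, a signing certificate, an HTTP-POST
SingleSignOnService) are a sensible minimum chosen here, not Cognito's
published validation rules."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_idp_metadata(xml_text: str, now: Optional[datetime] = None) -> dict:
    """Summarize an IdP metadata document and list problems with it."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"root is {root.tag}, not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: is this SP metadata?")
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry < now:
            problems.append(f"metadata expired at {valid_until}")
    certs = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):      # no 'use' means any use
            for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                # Base64 DER; only well-formed base64 is checked, not the cert
                certs.append(base64.b64decode("".join((c.text or "").split()),
                                              validate=True))
    if not certs:
        problems.append("no signing certificate")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.iterfind("md:SingleSignOnService", NS)}
    if HTTP_POST not in sso:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    return {"entity_id": entity_id, "signing_certs": len(certs),
            "sso": sso, "post_sso_url": sso.get(HTTP_POST),
            "problems": problems}


# Constructed sample metadata; the certificate is placeholder bytes, not a
# real X.509 certificate.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://idp.example.com/metadata" validUntil="2030-12-31T23:59:59Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA))
```

The entityID reported here is the IdP's own identifier, distinct from the urn:amazon:cognito:sp:... value you give the IdP. If you hand the user pool a metadata URL rather than a file, rerunning this check periodically against that URL catches an expired validUntil or a rotated signing certificate before users start failing to sign in.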
