Integrating third-party SAML identity providers with Amazon Cognito user pools - Amazon Cognito

To configure a third-party SAML 2.0 identity provider (IdP) for federation with an Amazon Cognito user pool, you must configure the IdP to send its SAML responses (the reply or assertion consumer service URL) to https://<your user pool domain>/saml2/idpresponse. If your user pool has an Amazon Cognito domain, you can find the user pool domain in the App integration tab of your user pool in the Amazon Cognito console.

Some SAML IdPs also require the SP entity ID (also called the audience URI or URN), which has the form urn:amazon:cognito:sp:<yourUserPoolID>. You can find your user pool ID on the General settings tab in the Amazon Cognito console. The IdP places this value in the Audience element of the assertion, and a mismatch causes the sign-in to fail.

You must also configure your SAML IdP to provide attribute values for every attribute that is required in your user pool. Typically, email is a required attribute, in which case the SAML IdP must include an email value (claim) in the SAML assertion.

Note

Amazon Cognito doesn't accept 4-byte UTF-8 characters (such as 😐 or 𠮷, that is, code points above U+FFFF) that your IdP passes as an attribute value. You can encode such a value to Base64, pass it as text, and then decode it in your app. Apply this only to attributes that your app decodes itself, not to attributes such as email that the user pool interprets.

In the following example, the attribute claim will not be accepted:

<saml2:Attribute Name="Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">😐</saml2:AttributeValue>
</saml2:Attribute>

In contrast to the preceding example, the following attribute claim will be accepted:

<saml2:Attribute Name="Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">8J+YkA==</saml2:AttributeValue>
</saml2:Attribute>
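The following Python script is an added example and is not code from the Amazon Cognito documentation. It derives the two SP-side values an IdP must be given (the /saml2/idpresponse reply URL and the urn:amazon:cognito:sp:<pool ID> audience), and pre-flights an assertion your IdP produces: it checks that the Audience matches the pool, that required attributes such as email are present, and that no attribute value contains a 4-byte UTF-8 character, suggesting the Base64 form where one does. The user pool ID, the domain host, and the sample assertion are constructed for the example; the checker reads attributes only and does not verify the assertion signature.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace, used for namespaced lookups below.
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}


def cognito_sp_settings(user_pool_id: str, user_pool_domain: str) -> dict:
    """Values to enter in the IdP: the reply (ACS) URL and the SP entity ID/audience.

    user_pool_domain is the host of the user pool domain (hypothetical
    example: "example.auth.us-east-1.amazoncognito.com").
    """
    return {
        "acs_url": f"https://{user_pool_domain}/saml2/idpresponse",
        "audience": f"urn:amazon:cognito:sp:{user_pool_id}",
    }


def has_4byte_utf8(value: str) -> bool:
    """True if any character needs 4 bytes in UTF-8 (code point above U+FFFF)."""
    return any(ord(ch) > 0xFFFF for ch in value)


def encode_attribute(value: str) -> str:
    """Base64 of the UTF-8 bytes; what the IdP should send instead of the raw text."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode_attribute(value: str) -> str:
    """Reverse of encode_attribute; run this in the application, not in Cognito."""
    return base64.b64decode(value).decode("utf-8")


def check_assertion(xml_text: str, user_pool_id: str, required=("email",)) -> list:
    """Return a list of problems with an IdP assertion (empty list = looks fine)."""
    problems = []
    root = ET.fromstring(xml_text)

    # The audience restriction must name this user pool.
    expected_aud = f"urn:amazon:cognito:sp:{user_pool_id}"
    audiences = [a.text for a in root.iter(f"{{{SAML2}}}Audience")]
    if expected_aud not in audiences:
        problems.append(f"Audience {audiences} does not include {expected_aud}")

    # Collect attribute values and flag any Cognito will reject.
    attrs = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[name] = values
        for v in values:
            if has_4byte_utf8(v):
                problems.append(
                    f"attribute {name!r} contains a 4-byte UTF-8 character; "
                    f"send {encode_attribute(v)!r} and decode it in the app"
                )

    # Required user pool attributes must be present and non-empty.
    for req in required:
        if not any(attrs.get(req, [])):
            problems.append(f"required attribute {req!r} missing or empty")
    return problems


# Constructed sample assertion (not captured from a real IdP): correct audience,
# an email attribute, and a Name attribute carrying an emoji.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>urn:amazon:cognito:sp:us-east-1_EXAMPLE</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>\U0001F610</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


if __name__ == "__main__":
    print(cognito_sp_settings("us-east-1_EXAMPLE", "example.auth.us-east-1.amazoncognito.com"))
    for p in check_assertion(SAMPLE_ASSERTION, "us-east-1_EXAMPLE"):
        print("problem:", p)
```

Run against the sample, the checker reports one problem, the emoji in the Name attribute, and shows the Base64 form (8J+YkA==) the page's second attribute claim uses. Running it with a different pool ID adds an audience mismatch, which is the most common cause of a failed federated sign-in after the IdP metadata has been imported.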

The following links help you configure third-party SAML 2.0 IdP solutions to work with federation for Amazon Cognito user pools.

Note

Amazon Cognito supports these IdPs directly, so you only need to go to the provider sites to get the SAML metadata document (a metadata URL or an XML file). You might see further instructions on the provider website about integrating with AWS, but you won't need those.

Microsoft Active Directory Federation Services (AD FS)

You can download the SAML metadata document from your AD FS federation server. The following is an example metadata URL.

https://<yourservername>/FederationMetadata/2007-06/FederationMetadata.xml

Okta

After you configure your Amazon Cognito user pool as an application in Okta, you can find the metadata document in the Applications section of the Okta dashboard. Choose your application, select the Sign On tab, and locate Metadata details. The following is an example metadata URL.

https://<prefix>.okta.com/app/<App ID>/sso/saml/metadata

Auth0

You can get the metadata document from the Auth0 dashboard. Choose Clients, then Settings. Choose Show Advanced Settings and locate SAML Metadata URL. The following is an example metadata URL.

https://<your-domain-prefix>.auth0.com/samlp/metadata/<your-Auth0-client-ID>

Ping Identity

Instructions to download the PingFederate metadata XML file are at Exporting SAML metadata from PingFederate in the Ping Identity knowledge base.