Amazon Cognito
Developer Guide

Creating and Managing a SAML Identity Provider for a User Pool (AWS CLI and AWS API)

Use the following commands to create and manage a SAML provider.

To create an identity provider and upload a metadata document

  • AWS CLI: aws cognito-idp create-identity-provider

    Example with metadata file: aws cognito-idp create-identity-provider --user-pool-id <user_pool_id> --provider-name=SAML_provider_1 --provider-type SAML --provider-details file:///details.json --attribute-mapping email=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    Where details.json contains:

    { "MetadataFile": "<SAML metadata XML>" }

    Note

    If the <SAML metadata XML> contains any quotations ("), they must be escaped (\").

    Example with metadata URL: aws cognito-idp create-identity-provider --user-pool-id <user_pool_id> --provider-name=SAML_provider_1 --provider-type SAML --provider-details MetadataURL=<metadata_url> --attribute-mapping email=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  • AWS API: CreateIdentityProvider

To upload a new metadata document for an identity provider

  • AWS CLI: aws cognito-idp update-identity-provider

    Example with metadata file: aws cognito-idp update-identity-provider --user-pool-id <user_pool_id> --provider-name=SAML_provider_1 --provider-details file:///details.json --attribute-mapping email=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    Where details.json contains:

    { "MetadataFile": "<SAML metadata XML>" }

    Note

    If the <SAML metadata XML> contains any quotations ("), they must be escaped (\").

    Example with metadata URL: aws cognito-idp update-identity-provider --user-pool-id <user_pool_id> --provider-name=SAML_provider_1 --provider-details MetadataURL=<metadata_url> --attribute-mapping email=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  • AWS API: UpdateIdentityProvider

To get information about a specific identity provider

  • AWS CLI: aws cognito-idp describe-identity-provider

    aws cognito-idp describe-identity-provider --user-pool-id <user_pool_id> --provider-name=SAML_provider_1

  • AWS API: DescribeIdentityProvider

To list information about all identity providers

  • AWS CLI: aws cognito-idp list-identity-providers

    Example: aws cognito-idp list-identity-providers --user-pool-id <user_pool_id> --max-results 3

  • AWS API: ListIdentityProviders

To delete an IdP

  • AWS CLI: aws cognito-idp delete-identity-provider

    aws cognito-idp delete-identity-provider --user-pool-id <user_pool_id> --provider-name=SAML_provider_1

  • AWS API: DeleteIdentityProvider