Creating and managing a SAML identity provider for a user pool (AWS Management Console) - Amazon Cognito

Creating and managing a SAML identity provider for a user pool (AWS Management Console)

You can use the AWS Management Console to create and delete SAML identity providers.

Before you create a SAML identity provider, you will need the SAML metadata document that you get from the third-party identity provider (IdP). For instructions on how to get or generate the required SAML metadata document, see Integrating third-party SAML identity providers with Amazon Cognito user pools.

Original console

To configure a SAML 2.0 identity provider in your user pool

  1. Go to the Amazon Cognito console. If prompted, enter your AWS credentials.

  2. Choose Manage User Pools.

  3. Choose an existing user pool from the list, or create a user pool.

  4. On the left navigation bar, choose Identity providers.

  5. Choose SAML to open the SAML dialog.

  6. Under Metadata document, upload a metadata document from your SAML IdP. You can also enter a URL that points to the metadata document. For more information, see Integrating third-party SAML identity providers with Amazon Cognito user pools.

    Note

    We recommend that you provide the endpoint URL if it is a public endpoint, rather than uploading a file, because this allows Amazon Cognito to refresh the metadata automatically. Typically, metadata refresh happens every 6 hours or before the metadata expires, whichever is earlier.

  7. Enter your SAML Provider name. For more information on SAML naming see Choosing SAML identity provider names.

  8. Enter any optional SAML Identifiers you want to use.

  9. Select Enable IdP sign out flow if you want your user to be logged out from both Amazon Cognito and the SAML IdP when they log out from your user pool..

    Enabling this flow sends a signed log out request to the SAML IdP when the Logout-endpoint is called.

    Configure this endpoint for consuming log out responses from your IdP. This endpoint uses post binding. 

    https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/logout
    Note

    If this option is selected and your SAML identity provider expects a signed logout request, you will also need to configure the signing certificate provided by Amazon Cognito with your SAML IdP.

    The SAML IdP will process the signed log out request and log your user out from the Amazon Cognito session.

  10. Choose Create provider.

  11. On the Attribute mapping tab, add mappings for at least the required attributes, typically email, as follows:

    1. Enter the SAML attribute name as it appears in the SAML assertion from your identity provider. Your identity provider might offer sample SAML assertions for reference. Some identity providers use simple names, such as email, while others use URL-formatted attribute names similar to: 

      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    2. Choose the destination user pool attribute from the drop-down list.

  12. Choose Save changes.

  13. Choose Go to summary.

New console

To configure a SAML 2.0 identity provider in your user pool

  1. Go to the Amazon Cognito console. If prompted, enter your AWS credentials.

  2. Choose User Pools.

  3. Choose an existing user pool from the list, or create a user pool.

  4. Choose the Sign-in experience tab. Locate Federated sign-in and choose Add an identity provider.

  5. Choose a SAML identity provider.

  6. Enter Identifiers separated by commas. An identifier tells Amazon Cognito it should check the email address a user enters when they sign in, and then direct them to the provider that corresponds to their domain.

  7. Choose Add sign-out flow if you want Amazon Cognito to send signed sign-out requests to your provider when a user logs out. You must configure your SAML 2.0 identity provider to send sign-out responses to the https://<your Amazon Cognito domain>/saml2/logout endpoint that is created when you configure the hosted UI. The saml2/logout endpoint uses POST binding.

    Note

    If this option is selected and your SAML identity provider expects a signed logout request, you will also need to configure the signing certificate provided by Amazon Cognito with your SAML IdP.

    The SAML IdP will process the signed logout request and sign out your user from the Amazon Cognito session.

  8. Choose a Metadata document source. If your identity provider offers SAML metadata at a public URL, you can choose Metadata document URLand enter that public URL. Otherwise, choose Upload metadata document and select a metadata file you downloaded from your provider earlier.

    Note

    We recommend that you enter a metadata document URL if your provider has a public endpoint, rather than uploading a file; this allows Amazon Cognito to refresh the metadata automatically. Typically, metadata refresh happens every 6 hours or before the metadata expires, whichever is earlier.

  9. Map attributes between your SAML provider and your app to map SAML provider attributes to the user profile in your user pool. Include your user pool required attributes in your attribute map.

    For example, when you choose User pool attribute email, enter the SAML attribute name as it appears in the SAML assertion from your identity provider. If your identity provider offers sample SAML assertions, you can use these sample assertions to help you to find the name. Some identity providers use simple names, such as email, while others use names similar to this: 

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  10. Choose Create.

Note

If you see InvalidParameterException while creating a SAML identity provider with an HTTPS metadata endpoint URL, for example, "Error retrieving metadata from <metadata endpoint>," make sure that the metadata endpoint has SSL correctly set up and that there is a valid SSL certificate associated with it.

To set up the SAML IdP to add a user pool as a relying party

  • The user pools service provider URN is: urn:amazon:cognito:sp:<user_pool_id>. Amazon Cognito issues the AuthnRequest to SAML IdP to issue a SAML assertion with audience restriction to this URN. Your IdP uses the following POST binding endpoint for the IdP-to-SP response message: https://<domain_prefix>.auth.<region>.amazoncognito.com/saml2/idpresponse.

  • Make sure your SAML IdP populates NameID and any required attributes for your user pool in the SAML assertion. NameID is used for uniquely identifying your SAML federated user in the user pool. Use persistent SAML Name ID format.

To set up the SAML IdP to add a signing certificate

  • To get the certificate containing the public key which will be used by the identity provider to verify the signed logout request, choose Show signing certificate under Active SAML Providers on the SAML dialog under Identity providers on the Federation console page.

You can delete any SAML provider you have set up in your user pool with the Amazon Cognito console.

Original console

To delete a SAML provider

  1. Sign in to the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the navigation pane, choose Manage your User Pools, and choose the user pool you want to edit.

  3. Choose Identity providers from the Federation console page.

  4. Choose SAML to display the SAML identity providers.

  5. Select the check box next to the provider to be deleted.

  6. Choose Delete provider.

New console

To delete a SAML provider

  1. Sign in to the Amazon Cognito console.

  2. In the navigation pane, choose User Pools, and choose the user pool you want to edit.

  3. Choose the Sign-in experience tab and locate Federated sign-in.

  4. Select the radio button next to the SAML identity providers you wish to delete.

  5. When you are prompted to Delete identity provider, enter the name of the SAML provider to confirm deletion, and then choose Delete.