Adding SAML identity providers to a user pool

You can enable your web and mobile app users to sign in through a SAML identity provider (IdP) such as Microsoft Active Directory Federation Services (ADFS), or Shibboleth. You must choose a SAML IdP which supports the SAML 2.0 standard.

With the built-in hosted web UI, Amazon Cognito provides token handling and management for all authenticated users This way, your backend systems can standardize on one set of user pool tokens. You can create and manage a SAML IdP in the AWS Management Console through the AWS CLI or with Amazon Cognito API calls. To get started with the console see Adding sign-in through SAML-based identity providers to a user pool with the AWS Management Console.

Note

Sign-in through a third party (federation) is available in Amazon Cognito user pools. This feature is independent of federation through Amazon Cognito identity pools (federated identities).

You need to update your SAML IdP and configure your user pool to support the provider. See the documentation for your SAML IdP for information about how to add your user pool as a relying party or application for your SAML 2.0 IdP.

Note

Amazon Cognito supports relayState values greater than 80 bytes. While SAML specifications state that the relayState value "Must not exceed 80 bytes in length”, current industry practice often deviates from this behavior. As a consequence, rejecting relayState values greater than 80 bytes will break many standard SAML provider integrations.

You also need to provide an assertion consumer endpoint to your SAML IdP. Configure this endpoint for SAML 2.0 POST binding in your SAML IdP:

https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse

You can find your domain prefix and the region value for your user pool on the Domain name tab of the Amazon Cognito console.

For some SAML IdPs, you also need to provide the SP urn / Audience URI / SP Entity ID, in the form:

urn:amazon:cognito:sp:<yourUserPoolID>

You can find your user pool ID on the General settings tab in the Amazon Cognito console.

You should also configure your SAML IdP to provide attribute values for any attributes that are required in your user pool. For example, email is a typical required attribute for user pools. Thus, the SAML IdP should provide an email value (claim) in the SAML assertion.

Amazon Cognito user pools support SAML 2.0 federation with post-binding endpoints. This eliminates the need for your app to retrieve or parse SAML assertion responses, because the user pool directly receives the SAML response from your IdP through a user agent. Your user pool acts as a service provider (SP) on behalf of your application. Amazon Cognito supports SP-initiated single sign-on (SSO) as described in section 5.1.2 of the SAML V2.0 Technical Overview.

Topics

• SAML user pool IdP authentication flow
• Choosing SAML identity provider names
• Creating and managing a SAML identity provider for a user pool (AWS Management Console)
• Creating and managing a SAML identity provider for a user pool (AWS CLI and AWS API)
• Integrating third-party SAML identity providers with Amazon Cognito user pools
• SAML session initiation in Amazon Cognito user pools