Adding SAML identity providers to a user pool
You can enable your web and mobile app users to sign in through a SAML identity provider (IdP) such as Microsoft Active Directory Federation Services (ADFS). With the built-in hosted web UI, Amazon Cognito provides token handling and management for all authenticated users. This way, your backend systems can standardize on one set of user pool tokens. You can create and manage a SAML IdP in the AWS Management Console, through the AWS CLI, or with Amazon Cognito API calls. To get started with the console, see Adding sign-in through SAML-based identity providers to a user pool with the AWS Management Console.

Sign-in through a third party (federation) is available in Amazon Cognito user pools. This feature is independent of federation through Amazon Cognito identity pools (federated identities).
You need to update your SAML IdP and configure your user pool to support the provider. See the documentation for your SAML IdP for information about how to add your user pool as a relying party or application for your SAML 2.0 IdP.
Amazon Cognito supports RelayState values greater than 80 bytes. While the SAML specification states that the RelayState value "must not exceed 80 bytes in length", current industry practice often deviates from this requirement. As a consequence, rejecting RelayState values greater than 80 bytes would break many standard SAML provider integrations.
You also need to provide an assertion consumer service (ACS) endpoint to your SAML IdP. Configure this endpoint for SAML 2.0 POST binding in your SAML IdP:
https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse
You can find your domain prefix and the region value for your user pool on the Domain name tab of the Amazon Cognito console.
For some SAML IdPs, you also need to provide the SP URN / Audience URI / SP Entity ID (the value the IdP places in the Audience element of the assertion), in the form:
urn:amazon:cognito:sp:<yourUserPoolID>
You can find your user pool ID on the General settings tab in the Amazon Cognito console.
You should also configure your SAML IdP to provide attribute values for any attributes that are required in your user pool. For example, email is a typical required attribute for user pools. Thus, the SAML IdP should provide an email value (claim) in the SAML assertion.
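The three values above (the ACS URL, the SP entity ID, and the required attribute claims) are what a misconfigured IdP most often gets wrong, and the resulting failure surfaces only as a generic error after the redirect back to the user pool. The following Python script is an added example, not part of this documentation or of Amazon Cognito: it derives the ACS URL and SP entity ID from a user pool ID and domain prefix, then pre-checks a captured SAMLResponse (the base64 form field the IdP posts to the ACS endpoint) for the Destination, Recipient, Audience, and attribute claims the user pool will expect. The user pool ID, domain prefix, IdP issuer, and the SAML response itself are constructed for the demo; the response is unsigned, and signature verification is deliberately left out because the user pool performs it. The assumption that a user pool ID has the form <region>_<suffix> is used to recover the region.

```python
# Added example (not AWS documentation or Amazon Cognito code).
import base64
import re
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def sp_values(user_pool_id, domain_prefix):
    """Return the SP entity ID and ACS URL to configure in the IdP.
    Assumes the user pool ID has the form <region>_<suffix>."""
    m = re.fullmatch(r"([a-z]{2}(?:-[a-z]+)+-\d)_[A-Za-z0-9]+", user_pool_id)
    if not m:
        raise ValueError("unexpected user pool ID format: %r" % user_pool_id)
    region = m.group(1)
    return {
        "entity_id": "urn:amazon:cognito:sp:" + user_pool_id,
        "acs_url": "https://%s.auth.%s.amazoncognito.com/saml2/idpresponse"
        % (domain_prefix, region),
    }


def check_saml_response(response_b64, expected, required_attrs=("email",)):
    """Pre-flight a base64 SAMLResponse (HTTP-POST binding) against the SP values.
    Returns a list of problems; empty means the response targets this user pool
    and carries the required claims. The XML signature is NOT verified here."""
    problems = []
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response: %s" % root.tag]

    # Destination is optional in SAML, but when present it must be the ACS URL.
    dest = root.get("Destination")
    if dest is not None and dest != expected["acs_url"]:
        problems.append("Destination %r != ACS URL %r" % (dest, expected["acs_url"]))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext saml:Assertion (decrypt encrypted assertions first)")
        return problems

    # Audience must name the user pool's SP entity ID.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["entity_id"] not in audiences:
        problems.append("Audience %r does not contain SP entity ID %r"
                        % (audiences, expected["entity_id"]))

    # Bearer confirmation in the Web SSO profile carries Recipient = ACS URL.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["acs_url"]:
        problems.append("SubjectConfirmationData Recipient %r != ACS URL %r"
                        % (recipient, expected["acs_url"]))

    # Required user pool attributes must arrive as claims (matched on Name or
    # FriendlyName; the exact claim name is what you map in attribute mapping).
    names = set()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        names.update(v for v in (attr.get("Name"), attr.get("FriendlyName")) if v)
    for required in required_attrs:
        if required not in names:
            problems.append("required attribute %r missing; assertion carries %s"
                            % (required, sorted(names)))
    return problems


# Constructed demo inputs: not a real user pool, domain, or IdP.
POOL_ID = "us-east-1_ExAmPlE12"
DOMAIN_PREFIX = "myapp-dev"
EXPECTED = sp_values(POOL_ID, DOMAIN_PREFIX)
ISSUER = "http://adfs.example.com/adfs/services/trust"


def sample_response(audience, email_attr="email"):
    """Build a constructed, unsigned SAMLResponse as an IdP would POST it."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{EXPECTED['acs_url']}">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED['acs_url']}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{email_attr}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(EXPECTED)
    print(check_saml_response(sample_response(EXPECTED["entity_id"]), EXPECTED))
    print(check_saml_response(sample_response("urn:amazon:cognito:sp:us-east-1_Other"), EXPECTED))
```

To use it against a real integration, capture the SAMLResponse form field from the browser's network log on the POST to /saml2/idpresponse and pass it to check_saml_response with the values from sp_values. An IdP that sends the email claim under a schema URI rather than the literal name email (ADFS does this by default) will show up as a missing attribute here; that URI is then the source side of the user pool's attribute mapping.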
Amazon Cognito user pools support SAML 2.0 federation with post-binding endpoints. This
eliminates the need for your app to retrieve or parse SAML assertion responses, because
the user pool directly receives the SAML response from your IdP through a user agent.
Your user pool acts as a service provider (SP) on behalf of your application. Amazon Cognito
supports SP-initiated single sign-on (SSO) as described in section 5.1.2 of the SAML V2.0 Technical Overview.
Topics
- SAML user pool IdP authentication flow
- Choosing SAML identity provider names
- Creating and managing a SAML identity provider for a user pool (AWS Management Console)
- Creating and managing a SAML identity provider for a user pool (AWS CLI and AWS API)
- Integrating third-party SAML identity providers with Amazon Cognito user pools
- SAML session initiation in Amazon Cognito user pools