Configuring your third-party SAML identity provider

When you want to add a SAML identity provider (IdP) to your user pool, you must make some configuration updates in the management interface of your IdP. This section describes how to format the values that you must provide to your IdP. You can also learn about how to retrieve the static or active-URL metadata document that identifies the IdP and its SAML claims to your user pool.

To configure third-party SAML 2.0 identity provider (IdP) solutions to work with federation for Amazon Cognito user pools, you must configure your SAML IdP to redirect to the following Assertion Consumer Service (ACS) URL: https://mydomain.us-east-1.amazoncognito.com/saml2/idpresponse. If your user pool has an Amazon Cognito domain, you can find your user pool domain path in the App integration tab of your user pool in the Amazon Cognito console.

Some SAML IdPs require that you provide the urn, also called the audience URI or SP entity ID, in the form urn:amazon:cognito:sp:us-east-1_EXAMPLE. You can find your user pool ID under User pool overview in the Amazon Cognito console.

You must also configure your SAML IdP to provide values for any attributes that you designated as required attributes in your user pool. Typically, email is a required attribute for user pools, in which case the SAML IdP must provide some form of an email claim in its SAML assertion, and you must map that claim to the email attribute for that provider.
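The three values above (ACS URL, SP entity ID, and the mapped required claims) all have to line up in what the IdP sends. The following script is an added example, not part of the AWS documentation or the Cognito service: it derives the two SP values from a user pool domain and ID, then checks a constructed, unsigned sample SAML response for the Destination and Recipient (must equal the ACS URL), the Audience (must equal the SP entity ID), and the presence of each claim name in the attribute mapping. The domain `mydomain.us-east-1.amazoncognito.com`, the pool ID `us-east-1_EXAMPLE`, the IdP issuer and the Microsoft-style `emailaddress` claim name are placeholders chosen for the sample. It checks configuration consistency only; it does not validate the XML signature, which the real flow relies on.

```python
"""Check that a SAML response from a third-party IdP carries the values an
Amazon Cognito user pool expects (added example; not AWS code)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def cognito_sp_settings(user_pool_domain: str, user_pool_id: str) -> dict:
    """Derive the two values you must enter in the IdP's management interface."""
    return {
        "acs_url": f"https://{user_pool_domain}/saml2/idpresponse",
        "entity_id": f"urn:amazon:cognito:sp:{user_pool_id}",
    }

def check_response(response_xml: str, settings: dict, attribute_mapping: dict) -> list:
    """Return a list of configuration problems; an empty list means the response fits.

    attribute_mapping maps user pool attribute -> IdP claim name, the same mapping
    you configure on the provider in Cognito. Signature validation is deliberately
    out of scope here; a production relying party must verify it."""
    problems = []
    root = ET.fromstring(response_xml)
    dest = root.get("Destination")
    if dest != settings["acs_url"]:
        problems.append(f"Destination {dest!r} is not the ACS URL {settings['acs_url']!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element in response"]
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != settings["acs_url"]:
        problems.append("SubjectConfirmationData/@Recipient does not match the ACS URL")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if settings["entity_id"] not in audiences:
        problems.append(f"Audience {audiences} lacks SP entity ID {settings['entity_id']!r}")
    present = {a.get("Name") for a in assertion.findall(
        "saml:AttributeStatement/saml:Attribute", NS)}
    for pool_attr, claim_name in attribute_mapping.items():
        if claim_name not in present:
            problems.append(f"claim {claim_name!r} mapped to {pool_attr!r} is missing")
    return problems

# Constructed sample: placeholder domain, pool ID, issuer and claim name.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://mydomain.us-east-1.amazoncognito.com/saml2/idpresponse">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://mydomain.us-east-1.amazoncognito.com/saml2/idpresponse"
            NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>urn:amazon:cognito:sp:us-east-1_EXAMPLE</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Placeholder mapping: user pool "email" attribute <- IdP email claim.
MAPPING = {"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}

if __name__ == "__main__":
    sp = cognito_sp_settings("mydomain.us-east-1.amazoncognito.com", "us-east-1_EXAMPLE")
    print(sp)
    print(check_response(SAMPLE_RESPONSE, sp, MAPPING) or "response matches user pool settings")
```

Run it against a response captured from your own IdP's test login (base64-decoded from the `SAMLResponse` form field) to confirm the IdP was configured with the exact ACS URL and entity ID before wiring the provider into the user pool; an Audience mismatch is the most common cause of Cognito rejecting an otherwise valid assertion.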

The following configuration information for third-party SAML 2.0 IdP solutions is a good place to start setting up federation with Amazon Cognito user pools. For the most current information, consult your provider's documentation directly.

To sign SAML requests, you must configure your IdP to trust requests signed by your user pool signing certificate. To accept encrypted SAML responses, you must configure your IdP to encrypt all SAML responses to your user pool. Your provider will have documentation about configuring these features. For an example from Microsoft, see Configure Microsoft Entra SAML token encryption.

Note

Amazon Cognito only requires your identity provider metadata document. Your provider might offer configuration information for AWS account federation with SAML 2.0; this information isn't relevant to Amazon Cognito integration.