How to add Azure AD as AWS Cognito Federated Identity Provider

Yi Ai
The Cloud Builders Guild
4 min read · Oct 3, 2018

You are probably reading this post because you are building apps that use SSO. It will save you a lot of time if you want to integrate Azure AD login into your Cognito User Pool.

1. Go to Azure Active Directory -> Enterprise Applications.

2. Add a New application.

3. Select Non-gallery application and Create.

4. After the application is created, add Users and groups to it.

5. Go to Single sign-on and download the Federation Metadata XML in the SAML Signing Certificate section.

6. Go to AWS Console -> Cognito User Pool settings page -> Identity Providers and select SAML.

7. Upload the XML metadata downloaded from Azure at step 5, then type in a provider name and click Create Provider.

Select Enable IdP sign out flow if you want your user to be logged out from the SAML IdP when logging out from Amazon Cognito.

Enabling this flow sends a signed logout request to the SAML IdP when the LOGOUT Endpoint is called.

Configure the endpoint below in your IdP for consuming logout responses. This endpoint uses POST binding.

https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/logout

LOGOUT Endpoint

The /logout endpoint only supports HTTPS GET. The user pool client typically makes this request through the system browser.

The logout URL should look like

https://<YOUR_DOMAIN>.auth.<YOUR_REGION>.amazoncognito.com/logout?client_id=<YOUR_CLIENT_ID>&logout_uri=<URL_SCHEME>

e.g.

https://runningman.auth.ap-southeast-2.amazoncognito.com/logout?client_id=xxxx&logout_uri=runningman://?logout

8. Go to Attribute Mapping and set the SAML attributes. Email is a mandatory attribute in my pool, so I have to map at least the Email attribute to Cognito. The Email SAML attribute can be found in Azure AD -> Single sign-on -> User Attributes section -> editing page.

(Screenshots: AWS Cognito attribute mapping; Azure AD user attributes)

Depending on your AD settings (in my case, the Email attribute maps to user.userprincipalname), the SAML attribute for Email should be https://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

9. Go to AWS Cognito User Pool -> App Client Settings, add a new client, tick your Identity Providers, set the callback URLs and tick the OAuth 2.0 settings as in the screenshot below.

10. Go to AWS Cognito User Pool -> Domain Name and set a domain prefix; you will need the resulting URL to set AD's Reply URL.

11. Go to AWS Cognito User Pool -> General Settings page and get the Pool Id; you will need this ID to set AD's Identifier.

12. Go to Azure AD -> Your application -> Single sign-on -> Basic SAML Configuration section -> Edit.

Set Identifier (Entity ID); the format is urn:amazon:cognito:sp:{Your Cognito User Pool Id} (step 9), e.g.

urn:amazon:cognito:sp:ap-southeast-2_xxxxxxxx

Paste the Cognito Domain name (step 10) into the Reply URL field, e.g.

https://xxxxx.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse

All set up now!
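As an added example (not code from the original post), the Python below sanity-checks the Federation Metadata XML from step 5 before it is uploaded in step 7, and derives the Entity ID and Reply URL that steps 10 to 12 have you type into Azure AD. The tenant id, certificate, pool id and domain prefix are constructed placeholders.

```python
"""Inspect Azure AD federation metadata and derive the Cognito SP values."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the downloaded Federation Metadata XML (placeholder tenant/cert).
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def inspect_idp_metadata(xml_text, expected_tenant_id):
    """Refuse metadata from the wrong tenant or without a signing certificate."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    # Azure AD issues assertions as https://sts.windows.net/<tenant-id>/
    if entity_id != f"https://sts.windows.net/{expected_tenant_id}/":
        raise ValueError(f"unexpected issuer {entity_id!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    slo = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)}
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        raise ValueError("no signing certificate: Cognito could not verify assertions")
    return {"entity_id": entity_id, "sso_post": sso.get(HTTP_POST),
            "slo_redirect": slo.get(HTTP_REDIRECT), "signing_certs": len(certs)}


def cognito_sp_values(user_pool_id, domain_prefix):
    """Entity ID and Reply URL for Azure AD; the region is the pool id's prefix before '_'."""
    region, sep, _ = user_pool_id.partition("_")
    if not sep:
        raise ValueError("user pool id should look like <region>_<id>")
    base = f"https://{domain_prefix}.auth.{region}.amazoncognito.com"
    return {"entity_id": f"urn:amazon:cognito:sp:{user_pool_id}",
            "reply_url": f"{base}/saml2/idpresponse", "slo_url": f"{base}/saml2/logout"}
```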

Test your Integrations

You can get started by using the UI hosted by Amazon Cognito. Open the following URL in your web browser:

https://<domain_prefix>.auth.<region>.amazoncognito.com/login?response_type=token&client_id=<app client id>&redirect_uri=<your redirect URI>

e.g.

https://xxx.auth.ap-southeast-2.amazoncognito.com/login?response_type=token&client_id=1o19iqoh64oqxxxxxxx&redirect_uri=http://localhost:3000

response_type can be token or code. I recommend setting it to code (code grant): with the code grant you can get refresh tokens, but further steps are required; check out the sample code here.

Log in with your Azure AD credentials. You should be redirected to your callback URL with the access token stored in the id_token parameter, e.g.

http://localhost:3000/#access_token=xxxx&token_type=Bearer&expires_in=3600


Frontend implementation

You can use the AWS Amplify library. Amplify components fully work with Cognito Hosted UI/OAuth for React and React Native.

To use Cognito Hosted UI/OAuth in React Native, you will need to enable deep links for your app and set response_type=code.

How to use Cognito Hosted UI with AD in React Native
