Entra ID SSO Integration

Create the Cognito Domain

1. Capture the Congito User Pool ID

In the AWS Console, navigate to the User Pool created by your application. It'll generally look like "CloudStorageSecUserPool-{appid}".

Copy the User Pool ID.

1. Create a Cognito Domain

In the User Pool, navigate to Domain and select 'Create Cognito Domain'.

Create the domain of your choice.

Azure: Create SSO App

1. Create a New Application

Navigate to Microsoft Entra ID in your Azure console and select 'Enterprise Applications'. Select 'New Application'.

Select 'Create your own application' and enter in a name of your choice.

1. Set up SSO for your application

After this application is created, select 'Set up single sign on'.

Select SAML and select 'edit' on the Basic SAML Configuration, entering in the following:

• Identifier (Entity ID) as 'urn:amazon:cognito:sp:' plus your Cognito user pool ID that you copied earlier

• Reply URL (Assertion Consumer Service URL) as your Cognito domain name that you created earlier (it should end in ...auth.{region}.amazoncognito.com)

Save this configuration.

In the 'SAML Certificates' box, copy the 'App Federation Metadata URL'.

AWS: Add Identity Provider

In the AWS Console:

Navigate back to your Cognito User Pool and select 'Social and external providers'.

Select 'Add Identity Provider'

Select 'SAML' and enter in a provider name. Do not add spaces.

Select 'Enter metadata document endpoint URL' and paste in the App Federation Metadata URL that you copied from Azure.

Add the identity provider.

In Cognito, navigate to App Clients -> {your user pool} and select 'Login pages'.

Select the 'Edit' button and enter in the following:

• Allowed callback URLs: CSS Console URL

• Allowed sign-out URLs: CSS Console URL

• Identity Providers: Identity Provider you just created

• Oauth 2.0 grant types: 'Authorization code grant', 'implicit grant'

• OpenID Connect scopes: 'OpenID, 'Email'

Select 'Save changes'.

Azure: Add user to Entra ID

In the Azure console:

Navigate back to your Enterprise Application and select 'Users and groups'.

Select 'Add user/group'.

Select 'None Selected' and choose your Azure user.

After selecting the user, click 'Assign'.

CSS Console: Verify Changes

In the CSS Console:

View the sign-in page and note that your Azure-created application now appears.

CSS Console: Set Up User

1. Click on the 'Sign In With {sso}' button. This will create a user in Cognito but permissions need to be initiated first.

2. Log in as a user that has Admin permissions.

3. Go to Access Management -> Manage Users. There will be a new user created with the the format {provider_name}_{entra_user_email} in the Manage Users page.

4. Click the 3 buttons next the Status and choose Groups. Select Primary and assign the user to the group.

1. Enable the user by clicking the button with 3 dots on the rightmost column and selecting 'Enable User'.

2. (Optional) Click the 3 buttons next to the Status and choose 'Change Role'. The user defaults at 'User' permissions and can be adjusted to another role if needed.

Your user is now set up! Log out and click the SSO button. You are now logged in as the SSO user!