Cloud Storage Security Help Docs

Okta SSO Integration

This page teaches you how to integrate Okta into your Amazon Cognito User Pool.


Last updated 1 month ago

The below video covers setting up Okta SSO with your Cognito User Pool:

You can also follow the information and steps below:

This article has been adapted from https://repost.aws/knowledge-center/cognito-okta-saml-identity-provider, which contains some legacy or non-applicable information.

Set up Cognito

  1. Capture the Cognito User Pool ID.

In the AWS Console, navigate to the User Pool created by your application. Its name generally has the form "CloudStorageSecUserPool-{appid}".

Copy the User Pool ID.

  2. In the User Pool, navigate to Domain and select 'Create Cognito Domain'.

Create the domain of your choice.

Create a SAML app in Okta

  1. In your Okta dashboard, select Applications > Applications.

  2. Select 'Create App Integration', and in the menu select 'SAML 2.0'.

  3. Enter an app name of your choice. Upload an app logo if you would like. Select 'Next'.

  4. Configure SAML:

The table below lists the values that must be entered. After entering these three values, select 'Next'.

| Key | Value | Example |
| --- | --- | --- |
| Single sign-on URL | Enter 'https://{cognito_domain_prefix}.auth.{your_region}.amazoncognito.com/saml2/idpresponse'. Use the domain created in the 'Create Cognito Domain' step. | https://css_demo.auth.us-west-2.amazoncognito.com/saml2/idpresponse |
| Audience URI | Enter 'urn:amazon:cognito:sp:{userpoolid}' | urn:amazon:cognito:sp:us-west-2_abcd123 |
| Attribute statements (optional) | For name enter 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' and for value enter 'user.email' | Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, Value: user.email |

  5. Provide feedback to Okta if you wish, or just select 'Finish'.

Assign a user in Okta

  1. In the 'Assignments' page, select 'Assign' and 'Assign to People'.

  2. Select the user you would like to access this application.

  3. Select 'Done'.

Capture Okta IdP metadata

  1. Click the 'Sign On' tab and copy the 'Metadata URL' value.
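The two values entered in the Okta SAML form above are fully determined by the Cognito domain prefix, the region and the User Pool ID, and the metadata document behind the Metadata URL copied in this step can be checked before it is pasted into Cognito. The Python helper below is an added example written for this article; it is not part of the Cloud Storage Security product, Okta or AWS tooling. It uses the page's example values ('css_demo', 'us-west-2', 'us-west-2_abcd123'); the embedded metadata document, its entityID and its okta.com locations are constructed placeholders.

```python
"""Added example: derive the Cognito SP values an Okta SAML app needs and
sanity-check an Okta IdP metadata document. Not product code."""
import xml.etree.ElementTree as ET

# Claim name Okta sends in its attribute statement; Cognito maps it to 'email'.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def cognito_sp_values(domain_prefix: str, region: str, user_pool_id: str) -> dict:
    """Build the values pasted into the Okta 'Configure SAML' form.

    A user pool ID has the form '<region>_<id>', so a pool that lives in a
    different region than the Cognito domain is rejected up front: Okta
    would otherwise post assertions to a domain that cannot see the pool.
    """
    if not user_pool_id.startswith(region + "_"):
        raise ValueError(f"user pool {user_pool_id!r} is not in region {region!r}")
    if not domain_prefix or "." in domain_prefix or "/" in domain_prefix:
        raise ValueError("domain_prefix must be the bare Cognito domain prefix")
    return {
        "single_sign_on_url": (
            f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse"
        ),
        "audience_uri": f"urn:amazon:cognito:sp:{user_pool_id}",
        "attribute_statements": {EMAIL_CLAIM: "user.email"},
    }


def check_idp_metadata(metadata_xml: str) -> dict:
    """Parse IdP metadata and report the entityID, the HTTP-POST SSO location
    and a list of problems (empty when the document looks usable by Cognito)."""
    root = ET.fromstring(metadata_xml)
    problems = []
    entity_id = root.get("entityID")
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not entity_id:
        problems.append("root is not an md:EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    sso_url = None
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
    else:
        for svc in idp.findall("md:SingleSignOnService", NS):
            if svc.get("Binding") == HTTP_POST:
                sso_url = svc.get("Location")
        if not sso_url:
            problems.append("no SingleSignOnService with HTTP-POST binding")
        elif not sso_url.startswith("https://"):
            problems.append("SSO location is not https")
        # A KeyDescriptor without 'use' is valid for signing and encryption.
        certs = [
            c
            for kd in idp.findall("md:KeyDescriptor", NS)
            if kd.get("use", "signing") == "signing"
            for c in kd.iter(f"{{{NS['ds']}}}X509Certificate")
        ]
        if not any((c.text or "").strip() for c in certs):
            problems.append("no signing certificate: Cognito cannot verify assertions")
    return {"entity_id": entity_id, "sso_url": sso_url, "problems": problems}


# Constructed sample shaped like an Okta IdP metadata document (placeholder values).
SAMPLE_OKTA_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>EXAMPLE-BASE64-CERTIFICATE</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exkEXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(cognito_sp_values("css_demo", "us-west-2", "us-west-2_abcd123"))
    print(check_idp_metadata(SAMPLE_OKTA_METADATA))
```

To use it against a real tenant, fetch the body served at the Metadata URL and pass it to check_idp_metadata; an empty problems list means the document carries a signing certificate and an HTTPS HTTP-POST endpoint, which is what Cognito needs to validate the assertions Okta will send.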

Set up Okta in Cognito

In Cognito:

  1. Select your user pool.

  2. Select 'Social and external providers' and select 'Add identity provider'. Select 'SAML'.

  3. Enter 'Okta' as the provider name, and select 'Enter metadata document endpoint URL'. Paste the Metadata URL copied in the previous step.

  4. Add the identity provider.

  5. Add an attribute by clicking 'Edit' on the Attribute Mapping box.

  6. Select 'Add another attribute' and enter the following as the SAML attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. Select 'Email' as the User pool attribute. Your form should look like below. Save changes.

Configure Cognito App Client

In Cognito > App Clients:

  1. Select the 'Login pages' tab and click 'Edit'.

  2. In the 'Managed login pages' section, ensure the Allowed callback URLs and Allowed sign-out URLs are both the Console URL.

  3. Under 'Identity providers', select 'Okta' and 'Cognito user pool'.

  4. Under 'OAuth 2.0 grant types' ensure 'Implicit grant' is selected.

  5. Under 'OpenID Connect scopes' ensure 'Email' and 'OpenID' are selected.

  6. Save changes.
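The app client settings in the steps above can be verified outside the console. The following Python check is an added example written for this article, not part of the Cloud Storage Security product; it compares a client description with the required settings. The dict shape follows the 'UserPoolClient' object returned by the boto3 cognito-idp call describe_user_pool_client, but the sample clients and the console URL below are constructed placeholders so it runs offline.

```python
"""Added example: check a Cognito app client against the login-page settings
this article requires. Sample data is constructed; no AWS call is made."""


def check_app_client(client: dict, console_url: str, provider_name: str = "Okta") -> list:
    """Return the deviations from the required settings (empty when compliant)."""
    problems = []
    callbacks = client.get("CallbackURLs", [])
    logouts = client.get("LogoutURLs", [])
    if console_url not in callbacks:
        problems.append("console URL missing from Allowed callback URLs")
    if console_url not in logouts:
        problems.append("console URL missing from Allowed sign-out URLs")
    # Any URL beyond the console widens where Cognito may redirect tokens to.
    for extra in sorted(set(callbacks + logouts) - {console_url}):
        problems.append(f"unexpected redirect URL configured: {extra}")
    idps = set(client.get("SupportedIdentityProviders", []))
    for required in (provider_name, "COGNITO"):
        if required not in idps:
            problems.append(f"identity provider {required!r} not enabled on the app client")
    # Hosted/managed login only performs OAuth flows when this flag is on.
    if not client.get("AllowedOAuthFlowsUserPoolClient"):
        problems.append("OAuth flows are disabled for this app client")
    if "implicit" not in client.get("AllowedOAuthFlows", []):
        problems.append("'Implicit grant' not selected")
    for scope in ("email", "openid"):
        if scope not in client.get("AllowedOAuthScopes", []):
            problems.append(f"OpenID Connect scope {scope!r} not selected")
    return problems


CONSOLE_URL = "https://console.example.invalid"  # constructed stand-in for the CSS Console URL

# Constructed sample: an app client configured as the steps above describe.
GOOD_CLIENT = {
    "ClientId": "EXAMPLECLIENTID",
    "CallbackURLs": [CONSOLE_URL],
    "LogoutURLs": [CONSOLE_URL],
    "SupportedIdentityProviders": ["COGNITO", "Okta"],
    "AllowedOAuthFlowsUserPoolClient": True,
    "AllowedOAuthFlows": ["implicit"],
    "AllowedOAuthScopes": ["email", "openid"],
}

# Constructed sample of a half-finished client: Okta not selected, a stray
# callback URL and the Email scope missing.
INCOMPLETE_CLIENT = {
    **GOOD_CLIENT,
    "CallbackURLs": [CONSOLE_URL, "https://localhost:3000/callback"],
    "SupportedIdentityProviders": ["COGNITO"],
    "AllowedOAuthScopes": ["openid"],
}

if __name__ == "__main__":
    for name, client in (("good", GOOD_CLIENT), ("incomplete", INCOMPLETE_CLIENT)):
        print(name, check_app_client(client, CONSOLE_URL) or ["ok"])
```

With real data, pass the 'UserPoolClient' dict from describe_user_pool_client and the actual console URL; every string in the returned list names one step above that still needs attention.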

CSS Console: Set Up User

  1. Click the 'Sign In With Okta' button. This creates a user in Cognito, but that user still needs permissions assigned before it can be used.

  2. Log in as a user that has Admin permissions.

  3. Go to Access Management -> Manage Users. A new user with the name format Okta_{email} appears in the Manage Users page.

  4. Click the three-dot button next to the Status and choose 'Change Groups'. Select Primary and assign the user to the group.

  5. Enable the user by clicking the three-dot button in the rightmost column and selecting 'Enable User'.

  6. (Optional) Click the three-dot button next to the Status and choose 'Change Role'. The user defaults to 'User' permissions and can be changed to another role if needed.

Your user is now set up! Log out and click the SSO button. You are now logged in as the SSO user!
