Okta SSO Integration
This page teaches you how to integrate Okta into Cognito.
This article has been adapted from https://repost.aws/knowledge-center/cognito-okta-saml-identity-provider, which contains some legacy or non-applicable information.
Capture the Cognito User Pool ID
In the AWS Console, navigate to the User Pool created by your application. It'll generally look like "CloudStorageSecUserPool-{appid}".
Copy the User Pool ID.
In the User Pool, navigate to Domain and select 'Create Cognito Domain'.
Create the domain of your choice.
In your Okta dashboard, select Applications > Applications.
Select 'Create App Integration', and in the menu select 'SAML 2.0'.
Create an app name of your choice. Upload an app logo if you would like. Select 'next'.
Configuring SAML:
Here's a chart of the items that must be entered. After these three values, select 'Next'.
Single sign-on URL: enter 'https://{cognito_domain_prefix}.auth.{your_region}.amazoncognito.com/saml2/idpresponse'. Refer back to the domain created in the 'Create Cognito Domain' step.
Example: https://css_demo.auth.us-west-2.amazoncognito.com/saml2/idpresponse
Audience URI: enter 'urn:amazon:cognito:sp:{userpoolid}'.
Example: urn:amazon:cognito:sp:us-west-2_abcd123
Attribute statements (optional): for name enter 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' and for value enter 'user.email'.
Example: name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, value user.email
Provide feedback to Okta if you wish, or just select 'Finish'.
In the 'Assignments' page, select 'Assign' and 'Assign to People'.
Select the user you would like to access this application.
Select 'Done'.
Click the 'Sign On' tab and copy the 'Metadata URL' value.
In Cognito:
Select your user pool
Select 'Social and external providers' and select 'Add identity provider'. Select 'SAML'.
Fill out 'Okta' as the provider name, and select 'Enter metadata document endpoint URL'. Paste the Metadata URL we copied from the last step.
Add the identity provider.
Add an Attribute by clicking 'Edit' on the Attribute Mapping box:
Select 'Add another attribute', enter the following as the SAML attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, and select 'Email' as the User pool attribute. Your form should look like the one below. Save changes.
In Cognito > App Clients:
Select the 'Login pages' tab and click 'Edit'.
In the 'Managed login pages' section, ensure the Allowed callback URLs and Allowed sign-out URLs are both the Console URL.
Under 'Identity providers', select 'Okta' and 'Cognito user pool'.
Under 'OAuth 2.0 grant types' ensure 'Implicit grant' is selected.
Under 'OpenID Connect scopes' ensure 'Email' and 'OpenID' are selected.
Save changes.
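An added example (not from the original article or the product's own code) that derives the two Okta-side values from the user pool ID and domain prefix used above, builds the email attribute mapping configured in Cognito, and checks that an IdP metadata document of the kind the Okta 'Metadata URL' serves contains what Cognito needs (an IDPSSODescriptor, an HTTP-POST sign-on endpoint and a signing certificate). The sample metadata is constructed for the example and is not a real tenant or certificate.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

def cognito_sp_values(domain_prefix: str, user_pool_id: str) -> dict:
    """Single sign-on URL and Audience URI for the Okta app, derived from the pool ID.
    The region comes from the pool ID prefix ('us-west-2_abcd123' -> 'us-west-2'),
    which is also the region the Cognito domain is created in."""
    m = re.fullmatch(r"([a-z]{2}(?:-[a-z]+)+-\d)_[A-Za-z0-9]+", user_pool_id)
    if not m:
        raise ValueError(f"not a Cognito user pool ID: {user_pool_id!r}")
    region = m.group(1)
    return {
        "sso_url": f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse",
        "audience_uri": f"urn:amazon:cognito:sp:{user_pool_id}",
        "attribute_mapping": {"email": EMAIL_CLAIM},  # Cognito attribute -> SAML attribute name
    }

def check_idp_metadata(xml_text: str) -> dict:
    """Verify an IdP metadata document has the parts Cognito uses: an IDPSSODescriptor,
    a SingleSignOnService with the HTTP-POST binding, and a signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (is this SP metadata?)")
    post = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == HTTP_POST]
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not post or not certs:
        raise ValueError("metadata lacks an HTTP-POST SSO endpoint or a signing certificate")
    return {"entity_id": root.get("entityID"), "sso_post_url": post[0], "signing_certs": len(certs)}

# Constructed sample in the shape Okta publishes; the entity ID, URL and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example.okta.com/app/example/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(cognito_sp_values("css_demo", "us-west-2_abcd123"))
    print(check_idp_metadata(SAMPLE_METADATA))
```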
Click on the 'Sign In With Okta' button. This will create a user in Cognito but permissions need to be initiated first.
Log in as a user that has Admin permissions.
Go to Access Management -> Manage Users. There will be a new user created with the format Okta_{email} in the Manage Users page.
Click the 3 buttons next to the Status and choose Change Groups. Select Primary and assign the user to the group.
(Optional) Click the 3 buttons next to the Status and choose 'Change Role'. The user defaults at 'User' permissions and can be adjusted to another role if needed.
Your user is now set up! Log out and click the SSO button. You are now logged in as the SSO user!