# Okta SSO Integration

The video below covers setting up Okta SSO with your Cognito User Pool:

{% embed url="<https://www.youtube.com/watch?v=iSFwRqzpXuc>" %}

You can also follow the written steps below.

This article has been adapted from <https://repost.aws/knowledge-center/cognito-okta-saml-identity-provider>, which contains some legacy information that does not apply here.

### Set up Cognito

1. Capture the Cognito User Pool ID

In the AWS Console, navigate to the User Pool created by your application. It'll generally look like "CloudStorageSecUserPool-{appid}".

Copy the User Pool ID.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FrVVnrlZTKmOF92n1gLmp%2Fimage.png?alt=media&#x26;token=012466e9-9cf9-4e58-9040-d89c59c2e87e" alt=""><figcaption><p>Cognito User Pool Overview</p></figcaption></figure>

2. In the User Pool, navigate to Domain and select 'Create Cognito Domain'.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FmzKbS2TH4hIl30keJ2fi%2Fimage.png?alt=media&#x26;token=1865b655-651c-48f4-9242-dbad6024788c" alt=""><figcaption></figcaption></figure>

Create the domain of your choice.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FlbZhq4jgmQmpXQKIUzYO%2Fimage.png?alt=media&#x26;token=a4a2e53a-c69d-4127-923a-9cd3aeb45458" alt=""><figcaption></figcaption></figure>

### Create a SAML app in Okta

1. In your Okta dashboard, select Applications > Applications

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FFs6WNZnJYxNXMr3zAFrT%2Fimage.png?alt=media&#x26;token=24fc8f9a-b2b7-4014-9605-cd626a4753ef" alt=""><figcaption></figcaption></figure>

2. Select 'Create App Integration', and in the menu select 'SAML 2.0'.
3. Create an app name of your choice. Upload an app logo if you would like. Select 'Next'.
4. Configure SAML:

The table below lists the values to enter. After entering these three values, select 'Next'.

| Key | Value | Example |
| --- | --- | --- |
| Single sign-on URL | Enter `https://{cognito_domain_prefix}.auth.{your_region}.amazoncognito.com/saml2/idpresponse`. Refer back to the domain created in the 'Create Cognito Domain' step. | `https://css_demo.auth.us-west-2.amazoncognito.com/saml2/idpresponse` |
| Audience URI | Enter `urn:amazon:cognito:sp:{userpoolid}` | `urn:amazon:cognito:sp:us-west-2_abcd123` |
| Attribute statements (optional) | For Name enter `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` and for Value enter `user.email` | Name: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`; Value: `user.email` |

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FQ44Zq15g7nWbDuH68pbZ%2Fimage.png?alt=media&#x26;token=4ef0db29-0f96-42c1-ae5c-354b331fe00b" alt=""><figcaption></figcaption></figure>

5. Provide feedback to Okta if you wish, or just select 'Finish'.

### Assign a user in Okta

1. In the 'Assignments' page, select 'Assign' and 'Assign to People'.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2Fp0DDUPKY2FBsUNoKz62d%2Fimage.png?alt=media&#x26;token=92c5fb3f-83bc-4d06-8251-3b45ed6c2f9e" alt=""><figcaption></figcaption></figure>

2. Select the user you would like to access this application.
3. Select 'Done'.

### Capture Okta IdP metadata

1. Click the 'Sign On' tab and copy the 'Metadata URL' value.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FvdWVGtSZpk8vLbG3CSxZ%2Fimage.png?alt=media&#x26;token=b7f5412f-8b89-434e-b4c3-798023423d55" alt=""><figcaption></figcaption></figure>

### Set up Okta in Cognito

In Cognito:

1. Select your user pool
2. Select 'Social and external providers' and select 'Add identity provider'. Select 'SAML'.
3. Fill out 'Okta' as the provider name, and select 'Enter metadata document endpoint URL'. Paste the Metadata URL copied in the previous step.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FwMtRu5WaAbrkrHZsGUxl%2Fimage.png?alt=media&#x26;token=48420efc-7faa-4e39-982d-19b79044c5b0" alt=""><figcaption></figcaption></figure>

4. Add the identity provider.
5. Add an Attribute by clicking 'Edit' on the Attribute Mapping box:

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FIXeZxe7BVMpFm5kQh35b%2Fimage.png?alt=media&#x26;token=3a338703-5c4a-4f81-bd7c-3d85d6800134" alt=""><figcaption></figcaption></figure>

6. Select 'Add another attribute' and enter the following into the SAML attribute: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`. Select 'Email' as the User pool attribute.

   Your form should look like below. Save changes.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FS54MCZeoNWGh9ZVGzhwg%2Fimage.png?alt=media&#x26;token=8512a271-7478-4d15-9b42-15ec8ede0938" alt=""><figcaption></figcaption></figure>

### Configure Cognito App Client

In Cognito > App Clients:

1. Select the 'Login pages' tab and click 'Edit'.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FIJP6c8Hk8EPY8xuXhf8U%2Fimage.png?alt=media&#x26;token=cc21e36a-337c-4fd9-8bf5-d945671f6fba" alt=""><figcaption></figcaption></figure>

2. In the 'Managed login pages' section, ensure the Allowed callback URLs and Allowed sign-out URLs are both the Console URL.
3. Under 'Identity providers', select 'Okta' and 'Cognito user pool'.
4. Under 'OAuth 2.0 grant types' ensure 'Implicit grant' is selected.
5. Under 'OpenID Connect scopes' ensure 'Email' and 'OpenID' are selected.
6. Save changes.
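Steps 2 to 5 above are settings on the app client that can drift after the console work is done. The following is an added example, not code from the original page or from the product it documents: it audits a description of the app client against those steps and returns a corrected copy. The input uses the field names of the `UserPoolClient` object returned by `aws cognito-idp describe-user-pool-client` (`CallbackURLs`, `LogoutURLs`, `SupportedIdentityProviders`, `AllowedOAuthFlows`, `AllowedOAuthScopes`, `AllowedOAuthFlowsUserPoolClient`); the sample client and the Console URL are constructed placeholders.

```python
"""Added example, not from the original page: audit a Cognito app client's
settings against the 'Configure Cognito App Client' steps. The input has the
shape of the UserPoolClient object returned by
`aws cognito-idp describe-user-pool-client`; the sample below is constructed
and the Console URL is a placeholder."""

CONSOLE_URL = "https://console.example.com/"  # placeholder for your Console URL

# Constructed sample that deviates from the steps in two places:
# the sign-out URL is stale and the implicit grant is not enabled.
SAMPLE_APP_CLIENT = {
    "ClientName": "example-app-client",
    "AllowedOAuthFlowsUserPoolClient": True,
    "CallbackURLs": [CONSOLE_URL],
    "LogoutURLs": ["https://old-console.example.com/"],
    "SupportedIdentityProviders": ["COGNITO", "Okta"],
    "AllowedOAuthFlows": ["code"],
    "AllowedOAuthScopes": ["openid", "email"],
}


def audit_app_client(client: dict, console_url: str, idp_name: str = "Okta") -> list:
    """Return a list of findings; an empty list means the client matches steps 2-5."""
    findings = []

    if not client.get("AllowedOAuthFlowsUserPoolClient"):
        findings.append("OAuth 2.0 flows are disabled on this client; the managed login page will not work")

    # Step 2: callback and sign-out URLs must both be the Console URL. Any extra
    # URL is an additional place the login flow may redirect to, so it is reported.
    for key, label in (("CallbackURLs", "callback"), ("LogoutURLs", "sign-out")):
        urls = client.get(key, [])
        if console_url not in urls:
            findings.append(f"{label} URLs do not include the Console URL {console_url}")
        extra = sorted(set(urls) - {console_url})
        if extra:
            findings.append(f"unexpected {label} URLs: {', '.join(extra)}")

    # Step 3: the Okta SAML provider and the native user pool directory.
    providers = set(client.get("SupportedIdentityProviders", []))
    for required in (idp_name, "COGNITO"):
        if required not in providers:
            findings.append(f"identity provider '{required}' is not enabled on the client")

    # Step 4: the page requires the implicit grant.
    if "implicit" not in client.get("AllowedOAuthFlows", []):
        findings.append("'Implicit grant' is not selected under OAuth 2.0 grant types")

    # Step 5: scopes the Console needs in the issued tokens.
    scopes = set(client.get("AllowedOAuthScopes", []))
    for required in ("openid", "email"):
        if required not in scopes:
            findings.append(f"OpenID Connect scope '{required}' is not selected")

    return findings


def corrected(client: dict, console_url: str, idp_name: str = "Okta") -> dict:
    """Return a copy of the client with steps 2-5 applied (existing values kept)."""
    fixed = dict(client)
    fixed["AllowedOAuthFlowsUserPoolClient"] = True
    fixed["CallbackURLs"] = [console_url]
    fixed["LogoutURLs"] = [console_url]
    fixed["SupportedIdentityProviders"] = sorted(
        set(client.get("SupportedIdentityProviders", [])) | {"COGNITO", idp_name}
    )
    fixed["AllowedOAuthFlows"] = sorted(set(client.get("AllowedOAuthFlows", [])) | {"implicit"})
    fixed["AllowedOAuthScopes"] = sorted(set(client.get("AllowedOAuthScopes", [])) | {"openid", "email"})
    return fixed


if __name__ == "__main__":
    for finding in audit_app_client(SAMPLE_APP_CLIENT, CONSOLE_URL):
        print("FINDING:", finding)
    print("after fix:", audit_app_client(corrected(SAMPLE_APP_CLIENT, CONSOLE_URL), CONSOLE_URL))
```

Run against a real client by loading the JSON from `aws cognito-idp describe-user-pool-client --user-pool-id <pool> --client-id <client>` and passing its `UserPoolClient` member; the findings list is what you would re-check in the 'Login pages' tab.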

### CSS Console: Set Up User

1. Click on the 'Sign In With Okta' button. This creates the user in Cognito, but the user has no permissions until an Admin assigns them in the following steps.
2. Log in as a user that has Admin permissions.
3. Go to Access Management -> Manage Users. A new user with the format Okta\_{email} will appear in the Manage Users page.
4. Click the three-dot button next to the Status column and choose 'Change Groups'. Select 'Primary' and assign the user to the group.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2F8bvfpjRemRLKPdoBcomk%2Fimage.png?alt=media&#x26;token=c0d8f5dc-7861-4d40-89c1-4801b6b2d3f4" alt=""><figcaption></figcaption></figure>

5. Enable the user by clicking the three-dot button in the rightmost column and selecting 'Enable User'.
6. (Optional) Click the three-dot button next to the Status column and choose 'Change Role'. The user defaults to the 'User' role and can be changed to another role if needed.

Your user is now set up. Log out and click the SSO button to sign in as the SSO user.
