Earlier I wrote about how you can integrate AWS Cognito into your React App. In this post, I am going to write down the steps that are needed to use Azure Active Directory (AD) with AWS Cognito as a Federated Identity Provider.
I am assuming you already have setup AWS Cognito User Pool (if not then read this first) and your Azure Acccount.
1. Create An Enterprise Application
Log in to the Azure Portal and select "Azure Active Directory" from the homepage
From the left side, select "Enterprise applications"
Select "Amazon Web Services (AWS)"
Select "Amazon Web Services (AWS)" again, give any name you would like, click "Create"
Once your application has been created, select "Users and groups"
Select user/group you want to give access to and click "Select"
After selecting users/groups, click "Assign"
ℹ️ Notes: You can’t add users/groups in your active directory from here, rather this step is to give access to your existing active directory users to the application
2. Setup Single Sign On (SSO)
From the application overview page select "2. Set up single sign on"
Select "Yes" from the popup (or "No", it really doesn't matter - we will be changing the values eventually)
Before proceeding further, we need to set up "Amazon Cognito domain". To do that, go to your AWS Cognito User Pool and from the left sidebar select "Domain name"
Enter any name you would like to use and click "Save changes" (you may want to check its availability first)
Once the domain name has been set-up. It's time to update SAML configuration from the Azure Active Directory. To do that, click "Edit" from the "Basic SAML Configuration" section
Add "Identifier (Entity ID)" and "Reply URL (Assertion Consumer Service URL)", make them default, delete the old values and click "Save"
Where:
Identifier (Entity ID): urn:amazon:cognito:sp:<user_pool_id>
Reply URL (Assertion Consumer Service URL): <domain_name_with_full_url_from_the_previous_name>
You can get the user pool id from the "General settings" tab in the AWS Cognito User Pool
Once done, download the "Federation Metadata XML" from the "SAML Signing Certificate" section
3. Add Azure Active Directory as a Federated Identity Provider
While being at the AWS Cognito User pool:
- Go to "Identity providers"
- Select "SAML"
- Upload the XML from the previous step
- Give it any name (without spaces)
- Give some description as "Identifiers" (optional)
- Click "Create provider"
After adding Azure Active Directory as Federated Identity Provider (using SAML), you now need to integrate that provider with your app client:
- Go to "App client settings"
- Check the box against your provider name (in my case AzureAD)
- Enter Callback URL(s) - a comma-separated list of URLs to redirect to after login attempt (should be https except for the localhost)
- Enter Sign out URL(s) - this is optional
- Select "Authorization code grant" as the flow type
- Select "phone, email, openid" as "Allowed OAuth Scopes"
Read more about the Authorization Flows and Scopes
4. Attribute mapping and claims
This is the most confusing but important part of the whole setup. Essentially, you need to map all the attributes that are required in your user pool with your Active Directory.
In my case the only required attribute is "email", to map it:
- Select "Attribute Mapping" from the bottom left
- Click "Add SAML attribute"
- Enter
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
as "SAML attribute", selectEmail
as "User pool attribute" and make sure the capture box is checked - Click "Save changes"
ℹ️ Notes: Technically you are just mapping the fields from Azure Active Directory with AWS Cognito User Pool's attributes. You can add as many claims as you want and use any name (and namespace) you want. To explain it better I am going to map a claim:
From the Active Directory, select "Edit" under "User Attributes & Claims" section
Give any name, enter anything you like in the namespace, select attribute (or select transformation if you want to transform some field - for example, you want to concatenate first and last name of the Azure Active Directory user) and click "Save"
Now map this newly created claim in User Pool to any attribute you want
5. Take a test drive
If you don't have any app to handle the callback, you can clone this simple express server to check the auth response (fail/success)
AWS Cognito provides you a hosted UI using which your users can log in to your app using their Azure Active Directory user account
It will take you to Sign in page
If successful then it will return you the authorization code, which you need to send to TOKEN endpoint and get the access token
It will also create an entry inside the "Users and group" in the Cognito User Pool
Further Reading:
Top comments (7)
Hello
the link for github.com/mubbashir10/dev-express... is broken, could you provide a new one please?
Hello, the link has been updated. github.com/mubbashir10/express_server (It's pretty simple server to see what we get as a response)
Hello, is there a property or claim in schemas to get the profile picture mapped?
Hello, the link for github.com/mubbashir10/dev-express... is broken can you please provide any other link?
Hello, the link has been updated. github.com/mubbashir10/express_server (It's pretty simple server to see what we get as a response)
Some comments may only be visible to logged-in visitors. Sign in to view all comments.