Mubbashir Mustafa

Integrate Azure Active Directory (AD) with AWS Cognito User Pool

Earlier I wrote about how you can integrate AWS Cognito into your React App. In this post, I am going to write down the steps that are needed to use Azure Active Directory (AD) with AWS Cognito as a Federated Identity Provider.

I am assuming you have already set up an AWS Cognito User Pool (if not, read this first) and your Azure account.

1. Create An Enterprise Application

Log in to the Azure Portal and select "Azure Active Directory" from the homepage

From the left side, select "Enterprise applications"

Click "+ New application"

Select "Amazon Web Services (AWS)"

Select "Amazon Web Services (AWS)" again, give any name you would like, click "Create"

Once your application has been created, select "Users and groups"

Click "+ Add user"

Select user/group you want to give access to and click "Select"

After selecting users/groups, click "Assign"

ℹ️ Notes: You can't add users/groups to your Active Directory from here; this step only grants your existing Active Directory users access to the application.

2. Set up Single Sign-On (SSO)

From the application overview page select "2. Set up single sign on"

Select "SAML"

Select "Yes" in the popup (or "No"; it doesn't matter, since we will change the values later)

Before proceeding further, we need to set up an "Amazon Cognito domain". To do that, go to your AWS Cognito User Pool and select "Domain name" from the left sidebar

Enter any name you would like to use and click "Save changes" (you may want to check its availability first)

Once the domain name has been set up, it's time to update the SAML configuration in Azure Active Directory. To do that, click "Edit" in the "Basic SAML Configuration" section

Add "Identifier (Entity ID)" and "Reply URL (Assertion Consumer Service URL)", make them the default, delete the old values, and click "Save"

Where:

Identifier (Entity ID): urn:amazon:cognito:sp:<user_pool_id>

Reply URL (Assertion Consumer Service URL): <domain_name_with_full_url_from_the_previous_step>

You can get the user pool id from the "General settings" tab in the AWS Cognito User Pool

Once done, download the "Federation Metadata XML" from the "SAML Signing Certificate" section

3. Add Azure Active Directory as a Federated Identity Provider

While still in the AWS Cognito User Pool:

  • Go to "Identity providers"
  • Select "SAML"
  • Upload the XML from the previous step
  • Give it any name (without spaces)
  • Give a description under "Identifiers" (optional)
  • Click "Create provider"

After adding Azure Active Directory as a Federated Identity Provider (using SAML), you need to enable that provider for your app client:

  • Go to "App client settings"
  • Check the box against your provider name (in my case AzureAD)
  • Enter Callback URL(s): a comma-separated list of URLs to redirect to after a login attempt (must be https, except for localhost)
  • Enter Sign out URL(s) - this is optional
  • Select "Authorization code grant" as the flow type
  • Select "phone, email, openid" as "Allowed OAuth Scopes"

Read more about the Authorization Flows and Scopes

4. Attribute mapping and claims

This is the most confusing but most important part of the whole setup. Essentially, you need to map every attribute that is required in your user pool to an attribute from your Active Directory.
In my case the only required attribute is "email"; to map it:

  • Select "Attribute Mapping" from the bottom left
  • Click "Add SAML attribute"
  • Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email as "SAML attribute", select Email as "User pool attribute" and make sure the capture box is checked
  • Click "Save changes"

ℹ️ Notes: Technically you are just mapping fields from Azure Active Directory to the AWS Cognito User Pool's attributes. You can add as many claims as you want and use any name (and namespace) you want. To explain it better, I am going to map a claim:

In Azure Active Directory, select "Edit" under the "User Attributes & Claims" section

Click "+ Add new claim"

Give it any name, enter anything you like as the namespace, select an attribute (or select a transformation if you want to transform a field; for example, to concatenate the first and last name of the Azure Active Directory user) and click "Save"

Now map this newly created claim to any attribute you want in the User Pool
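To make the claim-to-attribute mapping concrete at the assertion level, here is an added example (not code from the post, and not how Cognito is implemented internally). It pulls the AttributeStatement out of a SAML assertion, applies a mapping like the one configured under "Attribute Mapping", and refuses the login when a required user pool attribute has no claim behind it. The assertion is a constructed sample, the tenant id is a dummy, and the second claim name (http://example.com/claims/displayname) is a hypothetical custom claim of the kind the note above describes.

```python
"""Apply a Cognito-style SAML attribute mapping to an assertion (added example)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# "Attribute Mapping" as configured in Cognito: SAML attribute name -> user pool attribute.
# The first entry is the standard email claim from the post; the second is a hypothetical
# custom claim whose name and namespace were chosen by the Azure admin.
ATTRIBUTE_MAPPING = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email": "email",
    "http://example.com/claims/displayname": "name",
}
# Required attributes of the user pool (only "email" in the post).
REQUIRED_ATTRIBUTES = {"email"}

# Constructed sample assertion; a real one is signed and carries Conditions, AuthnStatement, etc.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://example.com/claims/displayname">
      <saml:AttributeValue>Example User</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_to_user_pool(saml_attrs: dict, mapping: dict = ATTRIBUTE_MAPPING,
                     required: set = REQUIRED_ATTRIBUTES) -> dict:
    """Apply the mapping and enforce required attributes.

    Attributes that are not mapped (here: tenantid) are dropped, which is why an
    unmapped claim never shows up on the Cognito user. A required attribute with
    no value behind it fails the login instead of creating an incomplete user.
    """
    user = {}
    for saml_name, pool_attr in mapping.items():
        values = saml_attrs.get(saml_name, [])
        if values and values[0]:
            user[pool_attr] = values[0]
    missing = required - user.keys()
    if missing:
        raise ValueError(f"required user pool attribute(s) not provided by the IdP: {sorted(missing)}")
    return user


if __name__ == "__main__":
    print(map_to_user_pool(extract_saml_attributes(SAMPLE_ASSERTION)))
```

In the real flow Cognito verifies the assertion's signature against the certificate from the federation metadata before any of this mapping happens; this snippet only shows the mapping step, which is the part you configure by hand.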

5. Take a test drive

If you don't have an app to handle the callback, you can clone this simple Express server to check the auth response (fail/success)

AWS Cognito provides a hosted UI through which your users can log in to your app with their Azure Active Directory user account

Click "AzureAD"

It will take you to the sign-in page

If successful, it will return the authorization code, which you need to send to the TOKEN endpoint to get the access token

It will also create an entry under "Users and groups" in the Cognito User Pool

The field/attribute I mapped
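The round trip described in this section, as an added example that is neither code from the post nor the author's Express server: it builds the hosted-UI login URL that sends the user straight to the AzureAD provider, checks the callback that comes back with the authorization code, and prepares the request to the TOKEN endpoint. The Cognito domain, client id and redirect URI are placeholders, the callback URL in the `__main__` block is constructed, and the PKCE and state handling are additions that the post does not mention but the authorization code grant supports.

```python
"""Authorization code grant against the Cognito hosted UI, AzureAD provider (added example)."""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values from your user pool domain and app client settings.
COGNITO_DOMAIN = "https://my-app-login.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "1example23456789"
REDIRECT_URI = "http://localhost:3000/callback"  # http is only allowed for localhost
PROVIDER_NAME = "AzureAD"        # identity provider name chosen in section 3
SCOPES = "phone email openid"    # "Allowed OAuth Scopes" from section 3


def pkce_pair(verifier: Optional[str] = None) -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(state: str, code_challenge: str) -> str:
    """Hosted UI /oauth2/authorize URL.

    identity_provider=AzureAD skips the provider chooser shown in the post and goes
    directly to the Azure sign-in page; state and code_challenge bind the eventual
    callback and token exchange to this particular login attempt.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,
        "identity_provider": PROVIDER_NAME,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect back to REDIRECT_URI, or raise.

    A failed login arrives as error/error_description instead of code; a state that
    does not match the one we generated means the callback was not started by us.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"login failed: {qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code: str, code_verifier: str, client_secret: Optional[str] = None) -> dict:
    """Prepare POST {domain}/oauth2/token that swaps the code for id/access/refresh tokens.

    A confidential app client sends its secret in an HTTP Basic header, never in the
    URL; the code_verifier proves to Cognito that we started the flow.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }
    if client_secret:
        creds = base64.b64encode(f"{CLIENT_ID}:{client_secret}".encode("ascii")).decode("ascii")
        headers["Authorization"] = f"Basic {creds}"
    return {"url": f"{COGNITO_DOMAIN}/oauth2/token", "headers": headers, "body": urlencode(body)}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    print("open in browser:", build_authorize_url(state, challenge))
    # Constructed callback standing in for the redirect the browser receives after sign-in.
    callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    req = build_token_request(parse_callback(callback, state), verifier)
    print("POST", req["url"], req["body"])
```

Send the prepared request with any HTTP client; the JSON response carries the tokens. Before trusting the id or access token, verify its signature against the user pool's JWKS and check the issuer, audience (client id) and expiry, since the token endpoint response alone does not prove who the token is for.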

Further Reading:

Top comments (7)

mik3fly

Hello
the link for github.com/mubbashir10/dev-express... is broken, could you provide a new one please?

Mubbashir Mustafa

Hello, the link has been updated. github.com/mubbashir10/express_server (It's a pretty simple server to see what we get as a response)

EderMontoya

Hello, is there a property or claim in schemas to get the profile picture mapped?

Arjun

Hello, the link for github.com/mubbashir10/dev-express... is broken; can you please provide any other link?

Mubbashir Mustafa

Hello, the link has been updated. github.com/mubbashir10/express_server (It's a pretty simple server to see what we get as a response)
