SAML Group assertions from IDP to AWS Cognito


I want to integrate Okta as the IdP for my AWS Cognito user pool. The integration and login work fine. I expected the groups coming in the SAML response from Okta to be mappable to Cognito groups. For this I was trying to do attribute mapping in the Cognito user pool, to map a SAML attribute to a user pool attribute.

Now the problem is that the user pool attributes do not include "cognito:groups". And the token that Cognito gives back contains "cognito:groups" with <user-pool-region>_<guid>, which is the same for everyone logging in through the identity provider. This in turn does not allow user-group membership to be synced from Okta to AWS Cognito in a just-in-time login flow.

Is there any other way to:

  • Have Okta groups reflected in the AWS Cognito token as "cognito:groups" and not as custom claims.
  • Have the user get the Okta groups as a groups attribute in AWS Cognito, so that when performing operations like ListUsersInGroup, I get the users by a group name present in Okta.
asked 2 years ago · 1294 views
1 answer

AFAIK there is no way to directly map external groups from an IdP to cognito:groups. But you can use a PreTokenGeneration Lambda function to read the custom claim with the groups (typically custom:groups) and convert it into a JWT claim named cognito:groups.

Take a look at this sample, I hope it can help you: https://github.com/aws-samples/amazon-cognito-example-for-external-idp/tree/master/lambda/pretokengeneration

mtind (AWS)
answered 2 years ago
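As an added example of the approach the answer describes (this is not the linked aws-samples code and not from the answerer), here is a Node.js Pre Token Generation handler. It assumes the Okta groups SAML attribute has been mapped to a custom user pool attribute named custom:groups, that a multi-valued SAML attribute arrives as a bracketed string such as "[a, b]", and that only group names carrying an assumed okta- prefix should be trusted; the event is the V1 trigger shape, and every value in the sample event is constructed for the example.

```javascript
"use strict";

// Added example, not the aws-samples code the answer links to: a Cognito
// Pre Token Generation trigger (V1 event shape) that reads IdP groups from a
// mapped custom attribute and turns them into the cognito:groups claim.
// Assumptions: the mapped attribute is named "custom:groups", multi-valued
// SAML attributes arrive as the bracketed string "[a, b]", and only groups
// starting with ALLOWED_GROUP_PREFIX are trusted (all three are choices made
// for this example, not Cognito defaults).

const GROUPS_ATTRIBUTE = "custom:groups"; // assumption: attribute the SAML groups are mapped to
const ALLOWED_GROUP_PREFIX = "okta-";     // assumption: allow-list for IdP-supplied group names

// Turn the raw attribute value into an array of group names.
// Accepts "[okta-admins, okta-devs]", "okta-admins,okta-devs", "okta-admins",
// and missing/empty input (-> []).
function parseGroups(raw) {
  if (typeof raw !== "string") return [];
  let s = raw.trim();
  if (s.startsWith("[") && s.endsWith("]")) s = s.slice(1, -1);
  return s.split(",").map((g) => g.trim()).filter((g) => g.length > 0);
}

// An IdP-controlled string is about to become an authorisation claim, so it
// is allow-listed (prefix + character set + length) and de-duplicated rather
// than copied through verbatim.
function filterGroups(groups) {
  const seen = new Set();
  return groups.filter((g) => {
    if (!g.startsWith(ALLOWED_GROUP_PREFIX)) return false;
    if (!/^[A-Za-z0-9_-]{1,128}$/.test(g)) return false;
    if (seen.has(g)) return false;
    seen.add(g);
    return true;
  });
}

// Core logic, kept synchronous so it is easy to test: merges the groups the
// user really belongs to in the pool with the vetted IdP groups and writes
// them to groupOverrideDetails.groupsToOverride, which is what Cognito puts
// in the cognito:groups claim of the ID and access tokens.
function applyGroupClaims(event) {
  const req = event.request || {};
  const idpGroups = filterGroups(parseGroups((req.userAttributes || {})[GROUPS_ATTRIBUTE]));
  if (idpGroups.length === 0) return event; // nothing to add: leave the token untouched

  const poolGroups = (req.groupConfiguration && req.groupConfiguration.groupsToOverride) || [];
  const merged = Array.from(new Set([...poolGroups, ...idpGroups]));

  event.response = event.response || {};
  event.response.claimsOverrideDetails = {
    groupOverrideDetails: { groupsToOverride: merged },
  };
  return event;
}

// Lambda entry point: Cognito expects the (mutated) event back.
async function handler(event) {
  return applyGroupClaims(event);
}

// Constructed sample event in the V1 Pre Token Generation shape; every value
// is made up for this example (pool id, group names, user).
function makeSampleEvent() {
  return {
    version: "1",
    triggerSource: "TokenGeneration_HostedAuth",
    region: "eu-west-1",
    userPoolId: "eu-west-1_EXAMPLE",
    userName: "okta_jane.doe@example.com",
    request: {
      userAttributes: {
        email: "jane.doe@example.com",
        "custom:groups": "[okta-admins, okta-devs, Everyone, okta-admins]",
      },
      groupConfiguration: {
        groupsToOverride: ["eu-west-1_EXAMPLE_Okta"], // constructed: the auto-created IdP group
        iamRolesToOverride: [],
        preferredRole: null,
      },
    },
    response: { claimsOverrideDetails: null },
  };
}

if (typeof module !== "undefined") {
  module.exports = { handler, applyGroupClaims, parseGroups, filterGroups, makeSampleEvent };
}

if (typeof require !== "undefined" && require.main === module) {
  const out = applyGroupClaims(makeSampleEvent());
  console.log(JSON.stringify(out.response.claimsOverrideDetails, null, 2));
}
```

groupsToOverride replaces the whole groups list Cognito would otherwise put in the token, which is why the example merges the pool's own groups from event.request.groupConfiguration.groupsToOverride back in. The allow-list is the part worth keeping in a real deployment: the groups string is whatever the IdP configuration sends, and everything that survives the filter becomes an authorisation claim your application will trust. Note also that this only changes the claim in the issued tokens; it does not make the user a member of a group in the user pool, so ListUsersInGroup (the second bullet of the question) is unaffected and would need the group membership created separately.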
