Does cognito support IDP initiated SSO flow?

0


It seems AWS was not supporting the IdP-initiated SSO flow last year: https://stackoverflow.com/questions/51185108/aws-cognito-support-of-sso-idp-initiated-workflow Is it supported now?

asked a year ago, 382 views
2 Answers
0

Hello,

Cognito currently only supports the SP (Service Provider) initiated flow [1], meaning the authentication flow starts with the Cognito hosted UI. The sign-in request needs to go to the Cognito login page first, and then Cognito redirects to the IdP's redirect binding URI with a SAML AuthnRequest and RelayState. The AuthnRequest contains the information about the SP requesting the authentication. Once the user is authenticated with the IdP, the authentication response is sent back to the Cognito hosted domain's "/saml2/idpresponse" endpoint. [2]

Unfortunately, Cognito does not support the IdP-initiated login flow as of now. However, we do have an existing feature request with our Cognito team to support the IdP-initiated flow. I have added your post to the feature request to better prioritize the development. Though we do not have an ETA for it, AWS is continuously improving its services and you can keep track of the latest AWS services and products.

Please be assured that your requirement has been adequately brought to the attention of our service team. If the request is approved, the changes will be posted on https://aws.amazon.com/blogs/aws/ and http://aws.amazon.com/new for all new AWS feature updates.



Additionally (this may not be relevant to your use case, as it pertains to being an identity provider), I do want to highlight that you can use a User Pool as an OIDC provider itself via the OAuth feature. It would require configuring the user pool's OAuth feature to enable its OAuth endpoints, after which the following OpenID configuration URL can be discovered. The details of the supported scopes and response_types can be found from the discovery URL below too.

Discovery URL example: https://cognito-idp.<aws_region>.amazonaws.com/<userpool_id>/.well-known/openid-configuration

Please note that some OIDC features are not supported by User Pools yet, e.g. nonce (used in the implicit grant flow) and combined response_type values. You may need to check whether your identity server requires external OIDC providers to support any specific features.



References:

[1] https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html

[2] http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.1.2.SP-Initiated%20SSO:%20%20Redirect/POST%20Bindings|outline

AWS
SUPPORT ENGINEER
Yash_C
answered a year ago
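The SP-initiated entry point and the discovery check described in this answer, as an added Python example that is not part of the original post or of AWS's own code. The hosted domain, client id, redirect URI, identity provider name and the sample discovery document are constructed assumptions; the `state` comparison is the piece that ties a callback to a sign-in the application itself started, which is exactly what an unsolicited IdP-initiated response cannot satisfy.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def discovery_url(region: str, user_pool_id: str) -> str:
    """OIDC discovery document URL for a user pool (pattern quoted in the answer)."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}/.well-known/openid-configuration"


def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 PKCE method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(hosted_domain, client_id, redirect_uri, identity_provider,
                        state, code_challenge, scopes=("openid",)) -> str:
    """SP-initiated start: the app sends the browser to the hosted UI, which then
    redirects to the named SAML IdP with its own AuthnRequest and RelayState."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": " ".join(scopes), "state": state, "identity_provider": identity_provider,
        "code_challenge_method": "S256", "code_challenge": code_challenge,
    }
    return f"https://{hosted_domain}/oauth2/authorize?" + urlencode(params)


def callback_matches(callback_url: str, expected_state: str) -> bool:
    """Accept the redirect back only if its state equals the one this app issued."""
    received = parse_qs(urlparse(callback_url).query).get("state", [""])[0]
    return secrets.compare_digest(received, expected_state)


# Constructed sample with the shape of a user pool discovery document.
SAMPLE_DISCOVERY = {
    "issuer": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE",
    "response_types_supported": ["code", "token"],
    "scopes_supported": ["openid", "email", "phone", "profile"],
}


def check_discovery(doc: dict, wanted_response_type: str, wanted_scopes) -> dict:
    """Report whether the relying party's needs (e.g. a combined response_type) are
    advertised by the pool, before wiring it up as an external OIDC provider."""
    return {
        "response_type_supported": wanted_response_type in doc.get("response_types_supported", []),
        "missing_scopes": [s for s in wanted_scopes if s not in doc.get("scopes_supported", [])],
    }
```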
0

Hello, we are also using Cognito for our application users' authentication and want to enable the IdP-initiated SSO flow, but keep getting a RelayState error message. Could you please advise when you are planning to support IdP-initiated SSO?

answered a year ago
