Hi,
We have **Azure AD as our identity provider **and successfully federated with Cognito user pool. This helps us in authenticating the users registered in Azure AD through Cognito hosted UI.
As I understand, during the federation process, Azure AD sends a SAML token to the https://<domain_prefix>.auth.<region>.amazoncognito.com/saml2/idpresponse endpoint for Cognito to issue the id and access tokens.
Can we intercept this SAML response/payload through any of the Cognito lambda triggers or other method?
The need is to exchange this SAML token from Azure AD for an OAuth2 token issued by Azure AD to access other protected web api's in Azure.
The Cognito issued tokens(id token, access token) are not acceptable by AzureAD protected web api's for the reasons being issued by a different provider.
They work fine for the AWS resources though which is understandable.
Thanks
MJ
Thanks for confirming that the SAML response that Azure AD sends to Cognito idpresponse endpoint cannot be intercepted. Just was looking through the Azure AD SAML attribute mappings but it does not list either the idToken or accessToken that can be mapped as an attribute. We can choose from the attributes like first name, last name and so on individually but cannot have the token itself as an attribute in the SAML mapping. As you mentioned above, in case that was possible, it would be then mapping that as a custom attribute in Cognito