I want to integrate Okta as an IdP for my AWS Cognito user pool. The integration and login work fine. I expected the groups coming in the SAML response from Okta to be mappable to Cognito groups. For this I was trying to do attribute mapping in the Cognito user pool, to map SAML attributes to user pool attributes.
Now the problem is that the user pool attributes do not include "cognito:groups". And the token that Cognito gives back contains "cognito:groups" with <user-pool-region>_<guid>, which is the same for everyone logging in using the identity provider. This in turn does not allow user-group membership to be synced from Okta to AWS Cognito in a just-in-time login flow.
Is there any other way to:
- Have Okta groups reflected in AWS Cognito token as "cognito:groups" and not as custom claims.
- Have the user get the Okta groups as a groups attribute in AWS Cognito so that when performing operations like ListUsersInGroup, I get the users by a group name present in Okta.
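One way to get Okta groups into the "cognito:groups" claim, as an added example that is not part of the question above: a Cognito Pre Token Generation Lambda trigger that reads the groups from a mapped attribute and overrides the claim. It assumes the SAML groups attribute has been mapped to a custom user pool attribute named `custom:okta_groups` (a hypothetical name) and that Cognito stores the multi-valued SAML attribute as a single string such as `"[admins, devs]"` (an assumption about the stored format).

```javascript
"use strict";

// Added example, not code from the question or from AWS.
// Assumed attribute mapping target for the Okta SAML "groups" attribute.
const GROUP_ATTRIBUTE = "custom:okta_groups";
const MAX_GROUP_NAME = 128; // Cognito group name length limit

// Parse the stored attribute string (assumed shape "[a, b]" or "a,b")
// into a trimmed, de-duplicated list of group names.
function parseGroups(raw) {
  if (typeof raw !== "string") return [];
  const inner = raw.trim().replace(/^\[/, "").replace(/\]$/, "");
  const seen = new Set();
  for (const part of inner.split(",")) {
    const name = part.trim();
    // Drop empty or over-long entries rather than emitting a bad claim.
    if (name.length === 0 || name.length > MAX_GROUP_NAME) continue;
    seen.add(name);
  }
  return [...seen];
}

// Core logic: set claimsOverrideDetails.groupOverrideDetails only when the
// user actually carries Okta groups; otherwise leave the response untouched
// so native users keep their pool group membership in the token.
function applyGroupOverride(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  const groups = parseGroups(attrs[GROUP_ATTRIBUTE]);
  if (groups.length > 0) {
    event.response = event.response || {};
    event.response.claimsOverrideDetails = {
      groupOverrideDetails: { groupsToOverride: groups },
    };
  }
  return event;
}

// Lambda entry point for the Pre Token Generation trigger.
async function handler(event) {
  return applyGroupOverride(event);
}

if (typeof module !== "undefined") {
  module.exports = { handler, applyGroupOverride, parseGroups };
}
```

This only rewrites the claim in the issued token; it does not create pool groups or memberships, so ListUsersInGroup still reflects only groups managed inside Cognito.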