I want to use Okta as an OIDC identity provider (IdP) in an Amazon Cognito user pool.
Resolution
Create an Amazon Cognito user pool with an app client and domain name
Complete the following steps:
- Create a user pool.
Note: The standard attribute email is selected by default. For more information, see User pool attributes.
- Create an app client in your user pool.
- Configure a domain for your user pool.
Sign up for an Okta developer account
Note: If you already have an Okta developer account, then sign in.
Complete the following steps:
- On the Okta Developer signup webpage, enter your personal information, and then choose SIGN UP. The Okta Developer Team sends a verification email to the email address that you provided.
- In the verification email, find the sign-in information for your account. Choose ACTIVATE, sign in, and then create your account.
Create an Okta app
Complete the following steps:
- Open the Okta Developer Console. For more information about the console, see Okta's Redesigned Admin Console and Dashboard on the Okta website.
- In the navigation pane, expand Applications, and then choose Applications.
- Choose Create App Integration.
- On the Create a new app integration page, choose OIDC - OpenID Connect.
- Choose Web Application, and then choose Next.
Configure settings for your Okta app
Complete the following steps:
- On the New Web App Integration page, under General Settings, enter a name for your app, for example TestApp.
- Under Grant type, confirm that the Authorization Code check box is selected. Your user pool uses this flow to communicate with Okta OIDC for federated user sign-in.
- For Sign-in redirect URIs, enter https://myUserPoolDomain/oauth2/idpresponse. This is where Okta sends the authentication response and ID token.
Note: Replace myUserPoolDomain with your Amazon Cognito user pool domain. Find the domain in the Amazon Cognito console on the Domain name page for your user pool.
- Under CONFIGURE OPENID CONNECT, for Login redirect URIs, enter https://myUserPoolDomain/oauth2/idpresponse.
Note: Replace myUserPoolDomain with your Amazon Cognito user pool domain.
- For Controlled access, choose your preferred access setting, and then choose Save.
- For Client Credentials, note the Client ID and Client secret to configure Okta in your Amazon Cognito user pool.
- Choose Sign On.
- On the Sign On page, under OpenID Connect ID Token, note the Issuer URL to configure Okta in your user pool.
Add an OIDC IdP in your user pool
Complete the following steps:
- Open the Amazon Cognito console.
- Choose Manage user pools, and then select your user pool.
- In the navigation pane, under Federation, choose Identity providers.
- Choose OpenID Connect. Complete the following fields:
For Provider name, enter a name for the IdP that appears in the Amazon Cognito hosted web UI.
Note: After you create the IdP, you can't change this field.
For Client ID, enter the Client ID.
For Client secret (optional), enter the Client secret.
For Attributes request method, keep the setting as GET.
For Authorize scope, enter the OIDC scope values that you want to authorize, separated by spaces. For more information, see Scope values on the OpenID website.
Important: The openid scope is required for OIDC IdPs. You can add other scopes according to your user pool configuration. For example, if you kept email as a required attribute when you created your user pool, then enter email openid to include both scopes. Then, map the email attribute to your user pool.
For Issuer, enter the Issuer URL.
For Identifiers (optional), enter a custom string to use in the endpoint URL in place of your OIDC IdP's name.
- Choose Run discovery to get the OIDC configuration endpoints for Okta.
- Choose Create provider.
For more information, see Add an OIDC IdP to your user pool.
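Run discovery makes Amazon Cognito fetch the document at Issuer URL/.well-known/openid-configuration and read Okta's authorization, token, userinfo and JWKS endpoints from it. The following Python is an added example, not code from the article or from AWS, that reproduces those checks locally so you can see what a valid discovery response for your Issuer looks like and what would make Cognito (or your own integration) reject it. The Okta domain dev-000000.okta.com, the authorization server path /oauth2/default and the discovery document are constructed sample values; substitute the Issuer URL you noted from the Okta Sign On page.

```python
"""Local reproduction of the OIDC discovery step that "Run discovery" performs.

Added example (not part of the AWS article). Everything below is constructed
sample data: the Okta domain, the authorization server path and the document.
"""
import json
from urllib.parse import urlparse

# Constructed placeholder; use the Issuer URL from your Okta app's Sign On page.
ISSUER = "https://dev-000000.okta.com/oauth2/default"

# Constructed sample of an Okta discovery document, trimmed to the fields Cognito needs.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://dev-000000.okta.com/oauth2/default",
    "authorization_endpoint": "https://dev-000000.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://dev-000000.okta.com/oauth2/default/v1/token",
    "userinfo_endpoint": "https://dev-000000.okta.com/oauth2/default/v1/userinfo",
    "jwks_uri": "https://dev-000000.okta.com/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "email", "profile"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Build the well-known URL the way OIDC Discovery defines it: issuer plus the fixed path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer: str, document: str, required_scopes=("openid", "email")) -> dict:
    """Parse a discovery document and return its endpoints; raise ValueError on anything unsafe."""
    doc = json.loads(document)
    configured = issuer.rstrip("/")
    # The issuer inside the document must equal the configured Issuer exactly. Tokens from
    # this IdP carry that value in their iss claim, so a mismatch would fail validation later.
    if doc.get("issuer") != configured:
        raise ValueError(f"issuer mismatch: configured {configured!r}, document says {doc.get('issuer')!r}")
    issuer_host = urlparse(configured).netloc
    endpoints = {}
    for name in REQUIRED_ENDPOINTS:
        url = doc.get(name)
        if not url:
            raise ValueError(f"discovery document lacks {name}")
        parsed = urlparse(url)
        # Endpoints must be HTTPS. Requiring the issuer's own host is a conservative check that
        # holds for Okta; relax it only for an IdP that legitimately serves endpoints elsewhere.
        if parsed.scheme != "https":
            raise ValueError(f"{name} is not HTTPS: {url}")
        if parsed.netloc != issuer_host:
            raise ValueError(f"{name} host {parsed.netloc!r} differs from issuer host {issuer_host!r}")
        endpoints[name] = url
    # The user pool uses the authorization code grant, so the IdP must advertise "code".
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("IdP does not advertise the authorization code response type")
    # The scopes entered under Authorize scope (for example "email openid") must all be offered.
    missing = sorted(set(required_scopes) - set(doc.get("scopes_supported", [])))
    if missing:
        raise ValueError(f"IdP does not offer required scopes: {missing}")
    return endpoints


def is_valid_discovery(issuer: str, document: str) -> bool:
    """Boolean wrapper around validate_discovery for quick checks."""
    try:
        validate_discovery(issuer, document)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("Discovery URL:", discovery_url(ISSUER))
    for name, url in validate_discovery(ISSUER, SAMPLE_DISCOVERY_DOC).items():
        print(f"{name}: {url}")
```

The issuer comparison is the check that matters most: an Okta org has both an org-level authorization server (https://yourOktaDomain) and custom ones such as /oauth2/default, and each issues tokens with a different iss value, so the Issuer you enter in Cognito has to be the one the app's Sign On page shows.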
Change app client settings for your user pool
Complete the following steps:
- Open the Amazon Cognito console.
- Choose Manage user pools, and then select your user pool.
- In the navigation pane, under App integration, choose App client settings.
- On the App client page, take the following actions:
Under Enabled Identity Providers, select the OIDC provider for your IdP.
(Optional) Select Cognito User Pool.
For Callback URL(s), enter a URL where you want to redirect your users after they log in. To test, enter any valid URL, such as https://example.com/.
For Sign out URL(s), enter a URL where you want to redirect your users after they log out. To test, enter any valid URL, such as https://example.com/.
Under Allowed OAuth Flows, select the flows that correspond to the grant types that you want your application to receive after authentication from Amazon Cognito.
Note: The allowed OAuth flows help you to determine the values (code or token) that you can use for the response_type parameter in your endpoint URL.
Under Allowed OAuth Scopes, select at least email and openid.
- Choose Save changes.
For more information, see App clients terms.
Map the email attribute to a user pool attribute
If you authorized the email OIDC scope value, then map it to a user pool attribute.
Complete the following steps:
- Open the Amazon Cognito console.
- Choose Manage user pools, and then select your user pool.
- In the navigation pane, under Federation, choose Attribute mapping.
- On the Attribute mapping page, choose the OIDC tab.
- If you have more than one OIDC provider in your user pool, then choose your new provider from the dropdown list.
- Confirm that the OIDC attribute sub is mapped to the user pool attribute Username.
- Choose Add OIDC attribute, and then take the following actions:
For OIDC attribute, enter email.
For User pool attribute, choose Email.
For more information, see Specifying identity provider attribute mappings for your user pool.
Log in to test your setup
Use the Amazon Cognito hosted web UI to authenticate with Okta. After you log in, you're redirected to your app client's callback URL. The authorization code or user pool tokens appear in the URL in your web browser's address bar.
For more information, see Setting up and using the Amazon Cognito hosted UI and federation endpoints.
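The hosted UI test above starts at the user pool's /oauth2/authorize endpoint and ends on the app client's callback URL with the code or tokens in the address bar. The following Python is an added example, not code from the article or from AWS, that builds that sign-in URL for the Okta provider and then parses the callback, using the response_type values (code or token) the App client settings section describes. It adds a state value, so the callback can be tied to the request that started it, and a PKCE S256 challenge for the code flow. The domain myuserpooldomain.auth.us-east-1.amazoncognito.com, the client ID and the provider name Okta are constructed placeholders; the callback URL https://example.com/ is the test value the article suggests.

```python
"""Build the Cognito hosted UI sign-in URL for the Okta IdP and parse the callback.

Added example (not from the AWS article). Domain, client ID and provider name
are constructed placeholders; replace them with your user pool's values.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

USER_POOL_DOMAIN = "https://myuserpooldomain.auth.us-east-1.amazoncognito.com"  # placeholder
CLIENT_ID = "1example23456789abcdefghij"  # placeholder app client ID
CALLBACK_URL = "https://example.com/"  # the Callback URL configured on the app client
PROVIDER_NAME = "Okta"  # the Provider name entered when the OIDC IdP was added


def new_verifier() -> str:
    """Random PKCE verifier: 64 bytes -> 86 URL-safe characters, within RFC 7636's 43..128."""
    return secrets.token_urlsafe(64)


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)) with the padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(state: str, verifier: str, response_type: str = "code",
                        scope: str = "openid email") -> str:
    """Hosted UI URL that sends the user straight to the Okta IdP instead of the provider chooser."""
    params = {
        "response_type": response_type,      # "code" or "token", per Allowed OAuth Flows
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,        # must match a configured Callback URL exactly
        "scope": scope,                      # must be a subset of Allowed OAuth Scopes
        "identity_provider": PROVIDER_NAME,  # skips the hosted UI's provider selection page
        "state": state,                      # unguessable per-attempt value, checked on return
    }
    if response_type == "code":
        params["code_challenge"] = pkce_challenge(verifier)
        params["code_challenge_method"] = "S256"
    return f"{USER_POOL_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> dict:
    """Extract the code (query string) or tokens (fragment) from the callback after checking state."""
    parsed = urlparse(callback_url)
    # response_type=code returns ?code=...&state=...; response_type=token returns the
    # tokens in the URL fragment (#id_token=...), which is why both parts are read.
    merged = {**parse_qs(parsed.query), **parse_qs(parsed.fragment)}
    params = {key: values[0] for key, values in merged.items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: this response does not belong to our sign-in attempt")
    if "error" in params:
        raise ValueError(f"sign-in failed: {params['error']} {params.get('error_description', '')}".strip())
    if "code" in params:
        return {"code": params["code"]}
    if "id_token" in params:
        return {k: params[k] for k in ("id_token", "access_token", "expires_in", "token_type") if k in params}
    raise ValueError("callback carries neither an authorization code nor tokens")


def callback_is_valid(callback_url: str, expected_state: str) -> bool:
    """Boolean wrapper around parse_callback for quick checks."""
    try:
        parse_callback(callback_url, expected_state)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    state, verifier = secrets.token_urlsafe(16), new_verifier()
    print("Open this URL in a browser:", build_authorize_url(state, verifier))
    print("Keep state and verifier for the callback and the token request:", state, verifier)
```

Keep the verifier alongside the state for the duration of the attempt: the code flow finishes by posting the returned code together with the verifier to the user pool's /oauth2/token endpoint, and an ID token obtained that way still has to have its signature and iss, aud and exp claims verified against the user pool before the application trusts it.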
Related information
Adding user pool sign-in through a third party
Using OIDC identity providers with a user pool
Using tokens with user pools
OIDC user pool IdP authentication flow
How do I set up Okta as a SAML identity provider in an Amazon Cognito user pool?