Cognito - Azure AD SAML response

Question

Hi, 
We have **Azure AD as our identity provider **and *successfully federated* with Cognito user pool. This helps us in authenticating the users registered in Azure AD through Cognito hosted UI. 
As I understand, during the federation process, Azure AD sends a SAML token to the https://.auth..amazoncognito.com/saml2/idpresponse endpoint for Cognito to issue the id and access tokens.

*Can we intercept this SAML response/payload through any of the Cognito lambda triggers* or other method?

**The need is to exchange this SAML token from Azure AD for an OAuth2 token issued by Azure AD to access other protected web api's in Azure.**
The Cognito issued tokens(id token, access token) are not acceptable by AzureAD protected web api's for the reasons being issued by a different provider.

They work fine for the AWS resources though which is understandable.

Thanks
MJ

Answer

Hi,

It is not possible to intercept or access the original SAML response that Azure AD sends to Cognito idpresponse endpoint. This SAML response is validated by Cognito and attributes in the assertion are mapped to cognito attributes as you configured them. Is it possible to send this oauth2 token as an attribute inside the SAML assertion and map it to a custom attribute in Cognito?

Cognito - Azure AD SAML response

관련 콘텐츠