Cognito: Require Federated AD Group to be returned in Access Token


A customer is integrating Cognito with Ping to allow federation with Active Directory. The access token generated by Cognito is then passed to Istio to provide RBAC based on Istio policies to backend Java apps in AWS. These policies are based on the AD Group. When using Ping without Cognito they can take the AD Group (memberOf) that is returned as 'group' in the Ping response authorize the user in Istio and authorization completes successfully. When using Cognito the AD group is not present and they have not been able to find a method to include or inject it as a custom attribute.

Is there a recommended method to allow for AD groups to be forwarded in the Access Token by Cognito? My initial assumption is that there would need to maybe be a mapping to a Cognito Group or an override in the Pre Token Generation Lambda Trigger?

질문됨 3년 전600회 조회
1개 답변
수락된 답변

As of today you can't add custom attributes to Cognito access token. You probably could achieve mapping AD groups to Cognito groups but I wouldn't recommend that, management would probably be unnecessarily complex and potentially error prone. Another way would be to see if customer could use id_token instead. You can map AD attributes to Cognito ones and those are included in id_token.

답변함 3년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠