SAML Group assertions from IDP to AWS Cognito

1

I want to integrate Okta as the IdP for my AWS Cognito pool. The integration and login work fine. I expected the groups coming in the SAML response from Okta to be mappable to Cognito groups. For this I was trying to do attribute mapping in the Cognito user pool, to map a SAML attribute to a user pool attribute.

Now the problem is that the user pool attributes do not include "cognito:groups". And the token that Cognito gives back contains "cognito:groups" with <user-pool-region>_<guid>, which is the same for everyone logging in through the identity provider. This in turn does not allow user-group membership to be synced from Okta to AWS Cognito in a Just In Time login flow.

Is there any other way to:

  • Have Okta groups reflected in the AWS Cognito token as "cognito:groups" and not as custom claims.
  • Have the user get the Okta groups as a groups attribute in AWS Cognito, so that when performing operations like ListUsersInGroup, I get the users by a group name present in Okta.
Asked 2 years ago, 1294 views
1 answer
1

AFAIK there is no way to map external groups from an IdP directly to cognito:groups. But you can use a PreTokenGeneration Lambda function to read the custom claim with the groups (typically custom:groups) and convert it into a JWT claim named cognito:groups.

Take a look at this sample; I hope it can help you: https://github.com/aws-samples/amazon-cognito-example-for-external-idp/tree/master/lambda/pretokengeneration

AWS
mtind
Answered 2 years ago
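An added example of the approach the answer describes (not code from the question, the answer, or the linked aws-samples project): a Node.js Pre Token Generation trigger that parses the mapped custom:groups attribute and moves the group names into the cognito:groups claim through groupOverrideDetails. It assumes the SAML group attribute was mapped to "custom:groups", that Cognito hands a multi-valued SAML attribute to the trigger as a bracketed, comma-separated string such as "[Admins, Auditors]", and that group names are limited to a conservative allowlist of characters; the sample event and group names are constructed.

```javascript
// Assumption: allowlist of characters accepted in a group name; anything else
// is dropped rather than copied into a token that downstream code trusts.
const ALLOWED_GROUP = /^[A-Za-z0-9_.:-]+$/;

// Trim, filter and de-duplicate group names while preserving their order.
function dedupe(items) {
  const seen = new Set();
  for (const item of items) {
    const name = String(item).trim();
    if (name && ALLOWED_GROUP.test(name)) seen.add(name);
  }
  return [...seen];
}

// Parse the raw attribute value Cognito stored for the SAML group attribute.
// Handles a JSON array string ('["Dev","Ops"]'), the bracketed form assumed
// above ("[Admins, Auditors]"), a plain comma-separated list, and no value.
function parseIdpGroups(raw) {
  if (typeof raw !== "string" || raw.trim() === "") return [];
  let text = raw.trim();
  if (text.startsWith("[") && text.endsWith("]")) {
    try {
      const parsed = JSON.parse(text);
      if (Array.isArray(parsed)) return dedupe(parsed);
    } catch (_) {
      text = text.slice(1, -1); // bracketed but not valid JSON
    }
  }
  return dedupe(text.split(","));
}

// Fill in the trigger response so cognito:groups carries the IdP groups
// instead of the single <pool-id>_<provider> group Cognito assigns by default.
function applyGroupOverride(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  const groups = parseIdpGroups(attrs["custom:groups"]);
  event.response = event.response || {};
  event.response.claimsOverrideDetails = {
    groupOverrideDetails: { groupsToOverride: groups },
  };
  return event;
}

// Lambda entry point for the Pre Token Generation trigger.
const handler = async (event) => applyGroupOverride(event);

if (typeof module !== "undefined") {
  module.exports = { handler, parseIdpGroups, applyGroupOverride };
}
```

The trigger overrides cognito:groups only; creating matching user pool groups (so that ListUsersInGroup works) is a separate step that this snippet does not perform.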
