Cognito - Azure AD SAML response
Hi, we have **Azure AD as our identity provider** and successfully federated it with a Cognito user pool. This lets us authenticate the users registered in Azure AD through the Cognito hosted UI. As I understand it, during the federation process Azure AD sends a SAML token to the https://<domain_prefix>.auth.<region>.amazoncognito.com/saml2/idpresponse endpoint, and Cognito then issues the ID and access tokens.
Can we intercept this SAML response/payload through any of the Cognito lambda triggers or other method?
The need is to exchange this SAML token from Azure AD for an OAuth2 token issued by Azure AD, in order to access other protected web APIs in Azure. The Cognito-issued tokens (ID token, access token) are not accepted by Azure AD-protected web APIs because they are issued by a different provider.
They work fine for the AWS resources though which is understandable.
Thanks MJ
Hi,
It is not possible to intercept or access the original SAML response that Azure AD sends to Cognito's idpresponse endpoint. This SAML response is validated by Cognito, and the attributes in the assertion are mapped to Cognito attributes as you configured them. Is it possible to send this OAuth2 token as an attribute inside the SAML assertion and map it to a custom attribute in Cognito?
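To make the attribute-mapping step concrete, here is an added example (not Cognito's code and not from this thread) that reimplements in miniature what the answer describes: the assertion's AttributeStatement is reduced to the attributes listed in the provider's mapping, including one mapped to a `custom:` attribute, and everything else, the raw assertion included, is gone before any Lambda trigger sees the user. The SAML claim names are Azure AD's standard ones; the mapping, the `custom:tenant_id` name and the sample values are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: just the AttributeStatement of an assertion, in the
# shape Azure AD uses for its default claims (signature/conditions omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping in the style of a Cognito SAML provider's attribute
# mapping: SAML attribute name -> Cognito user attribute. Anything not
# listed here never reaches the user pool.
MAPPING = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "given_name",
    "http://schemas.microsoft.com/identity/claims/tenantid": "custom:tenant_id",
}


def map_saml_attributes(assertion_xml, mapping):
    """Return the Cognito user attributes a mapping would produce from an assertion."""
    root = ET.fromstring(assertion_xml)
    user_attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        target = mapping.get(attr.get("Name"))
        if target is None:
            continue  # unmapped SAML attributes are dropped, not forwarded
        value = attr.find("saml:AttributeValue", SAML_NS)
        if value is not None and value.text:
            user_attrs[target] = value.text.strip()
    return user_attrs


if __name__ == "__main__":
    # This dict is all a Pre Token Generation trigger would see; no raw SAML.
    print(map_saml_attributes(SAMPLE_ASSERTION, MAPPING))
```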
Thanks for confirming that the SAML response that Azure AD sends to Cognito's idpresponse endpoint cannot be intercepted. I was just looking through the Azure AD SAML attribute mappings, but it does not list either the idToken or the accessToken as something that can be mapped as an attribute. We can choose from attributes like first name, last name and so on individually, but cannot have the token itself as an attribute in the SAML mapping. As you mentioned above, if that were possible, it would then be a matter of mapping it as a custom attribute in Cognito.