Cognito - Azure AD SAML response

1

Hi, We have **Azure AD as our identity provider **and successfully federated with Cognito user pool. This helps us in authenticating the users registered in Azure AD through Cognito hosted UI. As I understand, during the federation process, Azure AD sends a SAML token to the https://<domain_prefix>.auth.<region>.amazoncognito.com/saml2/idpresponse endpoint for Cognito to issue the id and access tokens.

Can we intercept this SAML response/payload through any of the Cognito lambda triggers or other method?

The need is to exchange this SAML token from Azure AD for an OAuth2 token issued by Azure AD to access other protected web api's in Azure. The Cognito issued tokens(id token, access token) are not acceptable by AzureAD protected web api's for the reasons being issued by a different provider.

They work fine for the AWS resources though which is understandable.

Thanks MJ

mj
asked 2 years ago1024 views
1 Answer
0

Hi,

It is not possible to intercept or access the original SAML response that Azure AD sends to Cognito idpresponse endpoint. This SAML response is validated by Cognito and attributes in the assertion are mapped to cognito attributes as you configured them. Is it possible to send this oauth2 token as an attribute inside the SAML assertion and map it to a custom attribute in Cognito?

AWS
EXPERT
answered 2 years ago
  • Thanks for confirming that the SAML response that Azure AD sends to Cognito idpresponse endpoint cannot be intercepted. Just was looking through the Azure AD SAML attribute mappings but it does not list either the idToken or accessToken that can be mapped as an attribute. We can choose from the attributes like first name, last name and so on individually but cannot have the token itself as an attribute in the SAML mapping. As you mentioned above, in case that was possible, it would be then mapping that as a custom attribute in Cognito

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions