Cognito - Azure AD SAML response
Hi, We have **Azure AD as our identity provider **and successfully federated with Cognito user pool. This helps us in authenticating the users registered in Azure AD through Cognito hosted UI. As I understand, during the federation process, Azure AD sends a SAML token to the https://<domain_prefix>.auth.<region>.amazoncognito.com/saml2/idpresponse endpoint for Cognito to issue the id and access tokens.
Can we intercept this SAML response/payload through any of the Cognito lambda triggers or other method?
The need is to exchange this SAML token from Azure AD for an OAuth2 token issued by Azure AD to access other protected web api's in Azure. The Cognito issued tokens(id token, access token) are not acceptable by AzureAD protected web api's for the reasons being issued by a different provider.
They work fine for the AWS resources though which is understandable.
It is not possible to intercept or access the original SAML response that Azure AD sends to Cognito idpresponse endpoint. This SAML response is validated by Cognito and attributes in the assertion are mapped to cognito attributes as you configured them. Is it possible to send this oauth2 token as an attribute inside the SAML assertion and map it to a custom attribute in Cognito?
Thanks for confirming that the SAML response that Azure AD sends to Cognito idpresponse endpoint cannot be intercepted. Just was looking through the Azure AD SAML attribute mappings but it does not list either the idToken or accessToken that can be mapped as an attribute. We can choose from the attributes like first name, last name and so on individually but cannot have the token itself as an attribute in the SAML mapping. As you mentioned above, in case that was possible, it would be then mapping that as a custom attribute in Cognito
Cognito - Azure AD SAML responseasked 4 months ago
Cognito UI does not show error when User Pool is not enabled.asked 7 months ago
How can I use Azure AD credentials for SSH into AWS EC2 Instance?Accepted Answerasked 4 months ago
Cognito does not pass 'login_hint' to Federated SAML Identity Providerasked 4 months ago
Access Control in Secrets Manager for Federated Usersasked 5 months ago
Error while implementing Azure AD as OIDC provider in AWS Cognito - (401 error getting token)Accepted Answerasked 7 months ago
Cognito - Azure AD - Amplify - flow of the SSO auth from application perspectiveAccepted Answerasked 2 years ago
Remove external identity from Cognito userasked 7 days ago
AWS AD Connect Replication permissionsasked 3 years ago