Bug Report: Cognito Managed Login UI missing parameters in Sign Up page for OIDC/SAML providers

The Identity Providers of my Cognito user pool are user pool directory, Google and OIDC/SAML connections. I am using Cognito's Managed Login UI for user login. All types of login work as expected, hence the OIDC/SAML connections are properly configured.
However, users attempting to sign up with their corporate email (OIDC/SAML) from the Sign Up page, after clicking Create account on the Sign In page, encounter a "Something went wrong" error. Sign in from the Sign In page functions correctly.
I have compared the <domain>/login/oidc API calls (called after clicking the sign-in button) in both cases and found that the failing call from the Sign Up page is missing essential parameters like client_id and redirect_uri, which are present in the successful call from the Sign In page.

Many thanks,
Danny

1 Answer
This issue appears to be related to how the Cognito Managed Login UI handles sign-up attempts with federated identity providers (IdPs).

The "Something went wrong" error you're encountering when users try to sign up with their corporate email (OIDC/SAML) from the Sign Up page is likely due to the missing parameters in the API call. As you correctly identified, essential parameters like client_id and redirect_uri are missing when the request is initiated from the Sign Up page, while they are present when initiated from the Sign In page.

This behavior is consistent with how Cognito's Managed Login UI is designed to work. The Managed Login UI is primarily set up to handle federated authentication through the Sign In page, not the Sign Up page. When users with corporate emails attempt to sign up, the system should ideally recognize these domains and direct them to sign in with their federated provider instead of creating a new account.

For federated users (OIDC/SAML), the proper flow is to sign in directly through the Sign In page where they can select their identity provider. The Sign Up page is intended for users who will create local accounts within the Cognito user pool directory, not for federated authentication.

To address this issue:

  1. Make sure your app client configuration has the correct identity providers selected in the Managed Login pages configuration.

  2. Consider customizing your application's user experience to guide users with corporate emails directly to the Sign In page rather than the Sign Up page.

  3. If you need more control over error messages or the authentication flow, you might need to implement a custom authentication UI instead of using the Managed Login UI, as the Managed Login UI has limited customization options for error handling.

This appears to be a limitation of the current implementation of Cognito's Managed Login UI rather than a misconfiguration on your part.
Sources
Cognito Managed Login - No button on login page for external IDP | AWS re:Post
Displaying error message in Cognito managed login sign-in page | AWS re:Post
OIDC user pool IdP authentication flow - Amazon Cognito
Decoding the 'Missing required parameter client_id' Error in AWS Cognito | AWS re:Post

answered a year ago
EXPERT
reviewed a year ago
