Cognito Access Tokens and SAML Attributes

We are using OKTA SAML as an iDP along with Cognito as a SP.
We have groups that are assigned to the users, and these attributes are mapped are part of the Okta SAML config.
The issue is the following - on the Cognito side, we get 2 tokens - id_token and access_token.
These groups appear as part of the decoded id_token as "custom:groups": "[Group1, Group2, Everyone, Group3]", - which is what we want.
Is it possible instead of these groups to appear in the id_token, to be on the access_token?
If that is not possible is there a workaround with some other kind of attributes to appear as part of the claims in access_token?
I am asking this because as per best practices - it is not good to have custom logic for Authorization and use the id_token to call API's.
Best Regards

Topics

Security, Identity, & Compliance

Relevant content

SAML Group assertions from IDP to AWS Cognito
rePost-User-4924522
asked 2 years ago
Unable to map AWS SSO Attributes to SAML Assertion values
Accepted Answer
Sandeep
asked 2 years ago
Cognito SAML with multiple external IdPs
Accepted Answer
AWS-User-7347546
asked 5 years ago
Is it possible to map the group as an attribute?
Zeus Arias
asked 2 years ago
How do I set up OneLogin as a SAML identity provider with an Amazon Cognito user pool?
AWS OFFICIALUpdated 8 months ago
How do I set up Okta as a SAML identity provider in an Amazon Cognito user pool?
AWS OFFICIALUpdated 6 months ago
How do I set up Auth0 as a SAML identity provider with an Amazon Cognito user pool?
AWS OFFICIALUpdated 2 years ago
How do I set up AD FS as a SAML identity provider with an Amazon Cognito user pool?
AWS OFFICIALUpdated 3 years ago
AWS Cognito Finally Supports Custom Claims for Access Tokens
EXPERT
Antonio_Lagrotteria
published a month ago
How to Rotate your External IdP Certificates in AWS IAM Identity Center (successor to AWS Single Sign-On) with Zero Downtime
EXPERT
Matt-B
published a year ago