SAML Group assertions from IDP to AWS Cognito


I want to integrate Okta as the IdP for my AWS Cognito user pool. The integration and login work fine. I expected the groups coming in the SAML response from Okta to be mappable to Cognito groups. For this I was trying to do attribute mapping in the Cognito user pool, to map a SAML attribute to a user pool attribute.

Now the problem is that the user pool attributes do not include "cognito:groups". And the token that Cognito gives back contains "cognito:groups" with <user-pool-region>_<guid>, which is the same for everyone logging in through the identity provider. This in turn does not allow user-group membership to be synced from Okta to AWS Cognito in a just-in-time login flow.

Is there any other way to:

  • Have Okta groups reflected in the AWS Cognito token as "cognito:groups" and not as custom claims.
  • Have the user get the Okta groups as a groups attribute in AWS Cognito, so that when performing operations like ListUsersInGroup, I get the users by a group name present in Okta.

asked a year ago, 1257 views
1 Answer

AFAIK there is no way to map external groups from an IdP directly to cognito:groups. But you can use a PreTokenGeneration Lambda function to read the custom claim with the groups (typically custom:groups) and convert it into a JWT claim named cognito:groups.

Take a look at this sample, I hope it can help you: https://github.com/aws-samples/amazon-cognito-example-for-external-idp/tree/master/lambda/pretokengeneration

mtind (AWS)
answered a year ago
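The approach described in the answer, as an added example that is not the linked aws-samples code or anything from the original thread. It assumes the Okta "groups" SAML attribute has been mapped to the user pool attribute custom:groups, and that Cognito stores that attribute as one string (for example "[Admins, Developers]" for a multi-valued attribute or "Admins" for a single value); the sample event at the bottom is constructed.

```javascript
'use strict';

// Turn the stored custom:groups string into a clean, de-duplicated list of names.
// Assumption: Cognito wraps multi-valued SAML attributes in "[a, b]" (constructed format).
function parseGroups(raw) {
  if (typeof raw !== 'string') return [];
  const inner = raw.trim().replace(/^\[/, '').replace(/\]$/, '');
  const names = inner.split(',').map((g) => g.trim()).filter((g) => g.length > 0);
  return [...new Set(names)];
}

// Pure function over the Pre Token Generation event: set claimsOverrideDetails so the
// issued ID and access tokens carry the Okta groups in cognito:groups instead of the
// provider-wide <region>_<guid> group. Returns the event for Cognito to consume.
function applyGroupOverride(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  const groups = parseGroups(attrs['custom:groups']);
  event.response = event.response || {};
  event.response.claimsOverrideDetails = {
    groupOverrideDetails: {
      // Only the group names are overridden; no IAM role mapping is done here.
      groupsToOverride: groups,
    },
  };
  return event;
}

// Lambda entry point for the Node.js runtime.
async function handler(event) {
  return applyGroupOverride(event);
}

// Constructed sample event in the shape Cognito sends to the trigger.
const sampleEvent = {
  triggerSource: 'TokenGeneration_HostedAuth',
  request: {
    userAttributes: { email: 'user@example.test', 'custom:groups': '[Admins, Developers, Admins]' },
    groupConfiguration: { groupsToOverride: ['us-east-1_EXAMPLEGUID_Okta'] },
  },
  response: {},
};

if (typeof module !== 'undefined') {
  module.exports = { parseGroups, applyGroupOverride, handler, sampleEvent };
}
```

Note that groupsToOverride only rewrites the claim in the tokens; it does not add the user to any Cognito group, so ListUsersInGroup still will not return users by Okta group name. The user's actual pool-side membership remains the per-provider <region>_<guid> group.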
