Map Azure SAML missing "Additional claims" in Cognito

0

I have some "Additional claims" in Azure AD that are not being mapped in Cognito, while some others are mapped. All the "Additional claims" are coming as part of the SAML response, so they are present, but for some reason Cognito is not mapping them.

Example: I've created this attribute in Azure SSO: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username with this transformation: ExtractMailPrefix(user.userprincipalname). Then I have a mapping in my SAML config in Cognito that should map that attribute from the Azure SAML response.

AttributeStatement section of the SAML response that the Azure IdP is sending to Cognito:

    <AttributeStatement>
        <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
            <AttributeValue>value</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
            <AttributeValue>value</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
            <AttributeValue>value</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
            <AttributeValue>value</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
            <AttributeValue>value</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
            <AttributeValue>value</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
            <AttributeValue>value</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
            <AttributeValue>value</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
            <AttributeValue>value</AttributeValue>
        </Attribute>
        <Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
            <AttributeValue>value</AttributeValue>
        </Attribute>
        <Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
            <AttributeValue>value</AttributeValue>
        </Attribute>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username">
            <AttributeValue>value</AttributeValue>
        </Attribute>
    </AttributeStatement>

Note: The attributes that Cognito is not mapping are present in the SAML response from Azure, but when the user is created in the pool, those attributes are not there; the attribute is never saved in the Cognito user pool after the user signs up. What am I missing here? Thank you.

Alter
asked 10 months ago, 188 views
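A quick way to narrow down a case like the one above is to compare the attribute names Cognito is configured to map against the names that actually appear in the assertion's AttributeStatement. The script below is an added diagnostic, not code from the question or from AWS; the sample assertion, the mapping dictionary (including its deliberately broken entry) and the function names are constructed for illustration. It assumes Cognito matches the SAML attribute name in the mapping exactly and case-sensitively, so it reports exact hits, exact misses, "near misses" that only differ by whitespace or case (a typical copy-paste error), and attributes the IdP sends that nothing in the mapping references.

```python
"""Diagnostic for Cognito <-> Azure AD SAML attribute mapping.

Added example (not from the question or from AWS). It parses the
<AttributeStatement> of a SAML assertion and compares the attribute
names against a Cognito-style mapping (user-pool attribute -> SAML
attribute name). Everything below is constructed sample data.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion using the same attribute names as in the
# question; the values are placeholders.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML_NS}">
  <AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <AttributeValue>00000000-0000-0000-0000-000000000000</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <AttributeValue>ada@example.com</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <AttributeValue>Ada</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username">
      <AttributeValue>ada</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

# Hypothetical Cognito mapping: user-pool attribute -> SAML attribute name.
# The trailing space in the last entry is a deliberate, constructed mistake
# of the kind this check is meant to surface.
SAMPLE_MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "custom:username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/username ",
}


def parse_attribute_statement(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.

    For untrusted SAML in production, parse with a hardened XML parser
    (e.g. defusedxml); ElementTree is used here only for the offline check.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


def check_mapping(mapping, assertion_attrs):
    """Compare a Cognito-style mapping against the attributes actually sent.

    Returns a dict with:
      ok          - pool attrs whose SAML name appears exactly in the assertion
      missing     - pool attrs whose SAML name has no exact match
      near_misses - pool attr -> assertion name that matches only after
                    trimming whitespace and ignoring case (likely a typo)
      unmapped    - assertion attribute names no mapping entry references
    """
    def norm(name):
        return name.strip().lower()

    normalized = {norm(n): n for n in assertion_attrs}
    ok, missing, near = [], [], {}
    for pool_attr, saml_name in mapping.items():
        if saml_name in assertion_attrs:
            ok.append(pool_attr)
        else:
            missing.append(pool_attr)
            if norm(saml_name) in normalized:
                near[pool_attr] = normalized[norm(saml_name)]
    mapped = set(mapping.values())
    unmapped = sorted(n for n in assertion_attrs if n not in mapped)
    return {"ok": ok, "missing": missing, "near_misses": near, "unmapped": unmapped}


if __name__ == "__main__":
    report = check_mapping(SAMPLE_MAPPING, parse_attribute_statement(SAMPLE_ASSERTION))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed `parse_attribute_statement` the decoded SAMLResponse captured from a test login (for example via the browser's developer tools) and `check_mapping` the mapping exported from the user pool's identity provider configuration. An entry that lands in `near_misses` is the first thing to fix; an attribute that is present and mapped exactly but still never reaches the user profile points at the pool attribute itself (for instance, a custom attribute that has to exist in the pool schema and be writable by the app client before Cognito will store it), which is where a support case becomes the right next step.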
1 Answer
0

Thank you for posting a snippet of the SAML assertion. This is very helpful. Based on what you posted, it sounds like you are doing everything the documentation requires. It sounds like it is time to engage our technical support, which I recognize you might have already done, given the question's age.

AWS EXPERT
answered 9 months ago
