
Issue Configuring Amazon Q Business with IAM Identity Center and Microsoft Entra ID (Migrating to Cognito)


Hi,

We are currently attempting to configure Amazon Q Business with AWS IAM Identity Center using trusted identity propagation, following the steps outlined in the AWS Machine Learning Blog post: "https://aws.amazon.com/blogs/machine-learning/configuring-amazon-q-business-with-aws-iam-identity-center-trusted-identity-propagation/"

Initially, we were using Microsoft Entra ID as our OpenID Connect (OIDC) identity provider. We have encountered difficulties at the token exchange stage and are now migrating our approach to use Amazon Cognito as the OIDC provider instead.

Original Approach (Microsoft Entra ID - Failed):

We followed these steps using Microsoft Entra ID:

  • Pasted the authorization URL into a web browser and signed in to Azure.
  • Obtained the authorization code from the redirect URL.
  • Exchanged the authorization code for an access token using the Entra ID token endpoint.
  • Attempted to use the AWS CLI command aws sso-oidc create-token-with-iam to exchange the Entra ID token for an IAM Identity Center token. The exact command we used was:

    aws sso-oidc create-token-with-iam --region us-east-1 --client-id "arn:aws:iam:::role/service-role/QBusiness-WebExperience" --grant-type authorization_code --code <authorization_code_obtained_from_entra_id> --redirect-uri <redirect_uri_used_in_authorization_request>

--client-id was set to the ARN of the AWS IAM role (the execution role for Q Business). --grant-type was authorization_code. --code was the authorization code obtained from Entra ID. --redirect-uri was the same one configured in the Entra ID app registration.

We received the following error: [error screenshot not reproduced on this page]

We suspect that the issue might be related to the configuration of the trusted token issuer or the audience/client ID mapping between Entra ID and IAM Identity Center. We verified the audience (aud) and issuer (iss) claims in the Entra ID token and confirmed that they matched the configured values in IAM Identity Center.

Current Approach (Migrating to Cognito):

Given the difficulties with Entra ID, we are now shifting our focus to using Amazon Cognito as the OIDC provider. We plan to:

  • Create a Cognito User Pool.
  • Configure an App Client within the Cognito User Pool.
  • Configure IAM Identity Center to trust Cognito as an OIDC provider.
  • Modify our application to authenticate users via Cognito.
  • Repeat the token exchange process using the Cognito-issued token.

Questions / Assistance Needed:

We would appreciate assistance with the following:

Confirmation of Cognito as a Suitable OIDC Provider: Is Amazon Cognito a fully supported and recommended OIDC provider for use with Amazon Q Business and IAM Identity Center trusted identity propagation? Are there any known limitations or considerations we should be aware of?

Cognito Configuration Guidance: Are there specific configuration steps or best practices we should follow when setting up Cognito as the OIDC provider for Q Business? Specifically, we are interested in:

  • Recommended claims to include in the Cognito ID token.
  • Any specific configurations required in the Cognito App Client.

Troubleshooting create-token-with-iam: Can you provide specific guidance on troubleshooting the aws sso-oidc create-token-with-iam command, especially in the context of using Cognito or identifying the root cause of the previous error with Entra ID (for future reference)? What are the common causes of failure for this command? What logging or debugging steps can we take?

IAM Role Requirements: Can you clarify the precise IAM permissions required for the IAM role used in the --client-id parameter of the create-token-with-iam command? What specific actions and resources are required? Is there a sample IAM policy that we can use as a starting point?

Sample Implementation (Cognito): Do you have any sample code or CloudFormation templates that demonstrate the complete integration of Amazon Q Business, IAM Identity Center, and Amazon Cognito using trusted identity propagation?

1 Answer

Amazon Cognito is indeed a suitable and fully supported OIDC provider for use with Amazon Q Business and IAM Identity Center trusted identity propagation. It's a good choice for your migration from Microsoft Entra ID.

To set up Cognito as your OIDC provider for Q Business:

  1. Create a Cognito User Pool and configure an App Client within it.
  2. Set up SAML federation between IAM Identity Center and Cognito. This allows IAM Identity Center to act as the identity source for Cognito.
  3. Configure IAM Identity Center as a trusted token issuer for your Q Business application.

When configuring the Cognito App Client, ensure you enable the OAuth 2.0 grant types required for your application flow, typically including authorization code grant. Set the callback URL to match your application's redirect URI.

For the Cognito ID token, include standard claims like "sub" (subject), "iss" (issuer), and "aud" (audience). You may also want to include custom claims that map to IAM Identity Center attributes.

To troubleshoot the create-token-with-iam command:

  • Verify the correct region is specified.
  • Ensure the IAM role ARN in --client-id has the necessary permissions.
  • Double-check that the authorization code and redirect URI match what was used in the initial authorization request.
  • Examine the full error message for specific details on why the token exchange failed.

The IAM role used in --client-id should have permissions to assume the role and to call the necessary Q Business APIs. At a minimum, it needs the "sts:AssumeRole" permission and any specific actions required by Q Business.

For a complete implementation, you'll need to:

  1. Set up the Cognito User Pool and App Client.
  2. Configure SAML federation between IAM Identity Center and Cognito.
  3. Set up IAM Identity Center as a trusted token issuer.
  4. Implement the authentication flow in your application, including:
    • Redirecting to Cognito for authentication
    • Handling the callback with the authorization code
    • Exchanging the code for Cognito tokens
    • Using the Cognito ID token to get an IAM Identity Center token
    • Using the IAM Identity Center token to assume an IAM role
    • Making authenticated calls to Q Business APIs

While I don't have a specific sample implementation to share, you can find guidance on these steps in AWS documentation and blog posts. Remember to handle token refresh and error scenarios in your implementation.

Sources
How to implement trusted identity propagation for applications protected by Amazon Cognito | AWS Security Blog
Cognito and General Azure/Live ID Signin | AWS re:Post
Configure Amazon Q Business with AWS IAM Identity Center trusted identity propagation | AWS Machine Learning Blog

answered a year ago
EXPERT
reviewed a year ago
