By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Getting OKTA OIDC scope "groups" passed through Cognito

0

We're using OKTA as our OIDC provider for SSO via Cognito Hosted UI login. Everything works as expected. We then tried to get access to our OKTA groups claim, which tells us which group a user belongs to in OKTA, and had an OKTA tech set up the groups claim correctly in OKTA admin. We were told that the groups claim would just appear in our JWT id token. It does not appear. We've tried adding "groups" to OpenID Connect scopes in Cognito, but did not see an option to add this. I saw "Custom Scopes" but this is not a connection scope, but rather a resource server security option.

How do we get to see the JWT data so it includes the OKTA groups information?

asked 10 months ago658 views
2 Answers
0

Hello Marcus,

Greetings from AWS Premium Support !

Thank you for contacting us. I understand that you want to have Okta IdP side groups claims in the ID token issued by Cognito for the Okta federated user. Please feel free to correct me in case I have misunderstood your concern.

You need to create a custom attribute in your User Pool [1] and then under the OIDC configuration in your User Pool you need to configure attribute mapping [2] between the Cognito custom attribute and the Okta groups attribute. Also, please make sure that the read/write settings is enabled for your Cognito custom attribute in the App Client settings [3]. With this settings, if your Okta IdP send the group information then you will have that information in the ID token.

I believe the information is helpful to you. If you have any further queries/concerns, then please feel free to reply back. I will be more than happy to assist you.

Wish you an AWeSome day ahead and stay safe ! 🙂

--References--

[1] Create custom attribute in Cognito User Pool

[2] Configure Attribute mapping under OIDC configuration of User Pool

[3] Step 15: "Configure Attribute read and write permissions for this app client"

AWS
SUPPORT ENGINEER
answered 10 months ago
  • Thank you for the response. You mention: "I understand that you want to have Okta IdP side groups claims in the ID token issued by Cognito for the Okta federated user. " I 'm not fully sure if this is the case. We are not using the SAML Federated Identity provider when we fist built our user pool. We followed a tutorial where we first chose Cognito User Poll over Federated Identity provider, created a public client, then added an OIDC Identity Provider with secret, and finally selected Hosted UI, choosing our identity provider over the cognito user pool. Finally, we're using Authorization code grant. Maybe we're saying the same thing. When we log in via the hosted UI we get directed to OKTA for sign in. Everything works as expected. We're able to get the user information from OKTA, and Cognito creates a local version of that user that includes the OKTA client id: new-xx-xx_00uat837xx

    Cognito also creates a group using a naming convention that includes the aws zone, a random number, and the name of our local identity provider.

    The mapping is set from custom:UserType to groups. I'm assuming the Cognito Custom Attribute doesn't have to match the groups attribute name exactly? Its ok to map custom:UserType -> groups rather than custom:groups -> groups? Read/Write permissions are set up accordingly as well.

    If these are correct, this is how Cognito was set up it before I messaged you. Okta claims their end is set up correctly. Any other advice?

    Thank

  • @Marcus DeManly , thank you for your comment. Yes, custom:UserType -> groups mapping should be fine. The name of custom attribute does not matter here.

    However, in the ID token the cognito:groups attribute will only contain the group names in Cognito side. It will NOT contain Okta side group information. It is not possible to add Okta side groups to cognito:groups attribute. However, the custom:UserType attribute should be present in the token if you have followed all the steps I mentioned above and this claim will contain Okta side group information. Your application code need to rely on the custom:UserType claim in ID token for checking the Okta side group names of the user.

    Currently there is no native feature in Cognito service to sync Identity Provider side groups in Cognito User Pool.

0

@Tarit_G - quick update - in my comment above I said we used a public client when it was actually a confidential client

answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions