Logging into Cognito using Python from outside of AWS using a Federated Login

0

Ultimate aim: To be able to run a Python script on a user's desktop, outside of AWS, without the AWS CLI installed, be authenticated using a Cognito Identity pool against a back-end SAML Idp (specifically this is a federated login). Then using STS retrieve data from Amazon AWS secrets manager.

Short term goal: To be able to run a Python script on a user's desktop, outside of AWS, and complete federated authentication using Cognito.

I am really stuck on this one. I have done a lot of Googling and looked at examples, but many of them are based on running Python inside of AWS (such as in Lambda, or on an EC2 instance), rather than completely outside of Amazon, or they depend on having the AWS CLI installed and already authenticated.

I have configured a Cognito Identity pool, and I think that part is correct.

The closest to working code I have found is:

import boto3

client = boto3.client('cognito-identity', 'ap-southeast-2')

response = client.get_id(
    AccountId='123xxx',                      # optional: the account that owns the identity pool
    IdentityPoolId='ap-southeast-2:123xxx',  # identity pool id
    Logins={
        # key: cognito-idp.<region>.amazonaws.com/<user pool id>; value: the user pool ID token (a JWT)
        'cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2:123xxx': '<JWT ID Token>'
    }
)

But I don't know how to get the "JWT ID Token".

What I am expecting to happen: When trying the authentication a web browser is opened, a redirect happens against the Idp, the user completes the login process, a redirect happens back to Amazon, and then somehow the script gets some kind of authorization which I can then use with the AWS secrets manager.

pdath
asked 2 months ago, 142 views
2 Answers
1

The JWT_ID_Token is typically obtained as part of the authentication response returned by Cognito after a successful federated authentication process. When a user logs in through the SAML Identity Provider (IdP), Cognito handles the authentication flow and issues the JWT_ID_Token, which is included in the response sent back to the application. The token can usually be found within the response body or headers, depending on how the authentication flow is implemented.

EXPERT
answered 2 months ago
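One way to obtain that response from a desktop script with no AWS CLI, as an added example that is not code from the question or either answer: open the Cognito hosted UI authorize endpoint with identity_provider set to the SAML IdP, catch the redirect on a localhost listener, and exchange the returned code at /oauth2/token; the id_token field of that JSON body is the "JWT ID Token" the question is missing. The domain, app client id and provider name are placeholders, and the script assumes a public app client with PKCE enabled and the localhost callback URL registered on it.

```python
import base64, hashlib, json, secrets, webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

DOMAIN = "https://<your-domain>.auth.ap-southeast-2.amazoncognito.com"  # hosted UI domain; placeholders constructed for this example
CLIENT_ID, SAML_PROVIDER = "<public app client id>", "<SAML IdP name in the user pool>"
REDIRECT_URI = "http://localhost:8765/callback"  # must be registered as a callback URL on the app client

def make_pkce():
    # PKCE lets a desktop script be a public client: no client secret sits on the user's machine
    verifier = secrets.token_urlsafe(64)
    return verifier, base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

def authorize_url(challenge, state):
    # identity_provider= sends the browser straight to the SAML IdP instead of the Cognito login form
    q = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
         "scope": "openid", "identity_provider": SAML_PROVIDER, "state": state,
         "code_challenge_method": "S256", "code_challenge": challenge}
    return f"{DOMAIN}/oauth2/authorize?{urlencode(q)}"

def parse_callback(path, expected_state):
    # the IdP -> Cognito -> localhost redirect carries ?code=...&state=...; reject a state we did not issue
    q = parse_qs(urlparse(path).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this login attempt")
    return q["code"][0]

def wait_for_code(state):
    # serve exactly one request on localhost; the browser lands here after the IdP login
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            Handler.code = parse_callback(self.path, state)
            self.send_response(200); self.end_headers(); self.wfile.write(b"Login done, you can close this tab.")
    with HTTPServer(("127.0.0.1", 8765), Handler) as srv:
        srv.handle_request()
    return Handler.code

def exchange_code(code, verifier):
    # /oauth2/token answers with a JSON body holding id_token, access_token and refresh_token
    body = urlencode({"grant_type": "authorization_code", "client_id": CLIENT_ID, "code": code,
                      "redirect_uri": REDIRECT_URI, "code_verifier": verifier}).encode()
    req = Request(f"{DOMAIN}/oauth2/token", body, {"Content-Type": "application/x-www-form-urlencoded"})
    return json.load(urlopen(req))["id_token"]

if __name__ == "__main__":
    verifier, challenge = make_pkce()
    state = secrets.token_urlsafe(16)
    webbrowser.open(authorize_url(challenge, state))
    # this is the "JWT ID Token": the value for the cognito-idp.<region>.amazonaws.com/<user pool id> Logins key
    id_token = exchange_code(wait_for_code(state), verifier)
```

Passing the id_token in the Logins map of get_id() as in the question, then calling get_credentials_for_identity with the same map, yields the temporary AccessKeyId, SecretKey and SessionToken that a secretsmanager client accepts.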
0

I'm used to working with SAML, but not Cognito.

Typically the SP (Cognito) makes a call to the Idp. The Idp authenticates the user and then makes a call back to the SP.

Cognito would be the SP in this case. What do I need to do to get Cognito to initiate the login flow and make the call to the Idp?

pdath
answered 2 months ago
