I want to use Okta as a Security Assertion Markup Language 2.0 (SAML 2.0) identity provider (IdP) in an Amazon Cognito user pool.
Short description
Amazon Cognito user pools allow sign-in through a third party (federation), including through an IdP such as Okta. For more information, see Adding user pool sign-in through a third party and Adding SAML identity providers to a user pool.
A user pool integrated with Okta allows users in your Okta app to get user pool tokens from Amazon Cognito. For more information, see Using tokens with user pools.
Resolution
Create an Amazon Cognito user pool with an app client and domain name
- Create a user pool.
Note: During creation, the standard attribute email is selected by default. For more information, see User pool attributes.
- Create an app client in your user pool. For more information, see Add an app client and set up the hosted UI.
Note: When adding an app client, clear the Generate client secret check box. In certain authorization flows, such as the authorization code grant flow and token refresh flow, authorization servers use an app client secret to authorize a client to make requests on behalf of a user. For the implicit grant flow used in this setup, an app client secret isn't required.
- Add a domain name for your user pool.
Sign up for an Okta developer account
Note: If you already have an Okta developer account, sign in.
- On the Okta Developer signup webpage, enter the required information, and then choose SIGN UP. The Okta Developer Team sends a verification email to the email address that you provided.
- In the verification email, find the sign-in information for your account. Choose ACTIVATE MY ACCOUNT, sign in, and finish creating your account.
Create a SAML app in Okta
- Open the Okta Developer Console. For more information, see Okta's Redesigned Admin Console and Dashboard on the Okta website.
- In the navigation menu, expand Applications, and then choose Applications.
- Choose Create App Integration.
- In the Create a new app integration menu, choose SAML 2.0 as the Sign-in method.
- Choose Next.
For more information, see Prepare a SAML integration in the Build a Single Sign-On (SSO) Integration guide on the Okta Developer website.
Configure SAML integration for your Okta app
- On the Create SAML Integration page, under General Settings, enter a name for your app.
- (Optional) Upload a logo and choose the visibility settings for your app.
- Choose Next.
- Under GENERAL, for Single sign on URL, enter https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse.
Note: Replace yourDomainPrefix and region with the values for your user pool. Find these values in the Amazon Cognito console on the Domain name page for your user pool.
- For Audience URI (SP Entity ID), enter urn:amazon:cognito:sp:yourUserPoolId.
Note: Replace yourUserPoolId with your Amazon Cognito user pool ID. Find this value in the Amazon Cognito console on the General settings page for your user pool.
- Under ATTRIBUTE STATEMENTS (OPTIONAL), add a statement with the following information:
For Name, enter the SAML attribute name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
For Value, enter user.email.
- Leave all other settings on the page at their default values, or set them according to your preferences.
- Choose Next.
- Choose a feedback response for Okta Support.
- Choose Finish.
For more information, see Create your integration in the Build a Single Sign-On (SSO) Integration guide on the Okta Developer website.
Assign a user to your Okta application
- On the Assignments tab for your Okta app, for Assign, choose Assign to People.
- Choose Assign next to the user that you want to assign.
Note: If this is a new account, the only option available is to choose yourself (the admin) as the user.
- (Optional) For User Name, enter a username, or keep the default, which is the user's email address.
- Choose Save and Go Back. Your user is assigned.
- Choose Done.
For more information, see Assign users in the Build a Single Sign-On (SSO) Integration guide on the Okta Developer website.
Get the IdP metadata for your Okta application
On the Sign On tab for your Okta app, find the Identity Provider metadata hyperlink. Right-click the hyperlink, and then copy the URL.
For more information, see Specify your integration settings in the Build a Single Sign-On (SSO) Integration guide on the Okta Developer website.
Configure Okta as a SAML IdP in your user pool
- In the Amazon Cognito console, choose Manage user pools, and then choose your user pool.
- In the left navigation pane, under Federation, choose Identity providers.
- Choose SAML.
- Under Metadata document, paste the Identity Provider metadata URL that you copied.
- For Provider name, enter Okta. For more information, see Choosing SAML identity provider names.
- (Optional) Under Identifiers (Optional), enter any SAML identifiers, and choose whether to activate sign-out from the IdP (Okta) when your users sign out from your user pool.
- Choose Create provider.
For more information, see Creating and managing a SAML identity provider for a user pool (AWS Management Console).
Map email address from IdP attribute to user pool attribute
- In the Amazon Cognito console, choose Manage user pools, and then choose your user pool.
- In the left navigation pane, under Federation, choose Attribute mapping.
- On the attribute mapping page, choose the SAML tab.
- Choose Add SAML attribute.
- For SAML attribute, enter the SAML attribute name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
- For User pool attribute, choose Email from the list.
For more information, see Specifying identity provider attribute mappings for your user pool.
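The mapping above only resolves if the attribute Name that Okta puts in the assertion is the same string you entered in the Cognito mapping. The following added example (not AWS or Okta code) parses a constructed assertion fragment and applies such a mapping locally, so you can check an assertion captured from a test sign-in before blaming the user pool configuration; the sample XML is constructed for this page and is not a real Okta assertion.

```python
import xml.etree.ElementTree as ET

# Added example, not AWS or Okta code. Checks that the attribute Name in an
# assertion equals the string entered in the Cognito SAML attribute mapping.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample, shaped like the attribute statement produced by the Okta
# statement configured above (Name = EMAIL_CLAIM, Value = user.email); signature omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def saml_attributes(assertion_xml):
    """Return {attribute Name: [values]} collected from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = [v.text or "" for v in values]
    return attrs

def apply_mapping(assertion_xml, mapping):
    """mapping is {SAML attribute name: user pool attribute}, e.g. EMAIL_CLAIM -> 'email'.
    Names are compared as exact strings, so a typo or a different claim URI fails loudly
    instead of silently leaving the user pool attribute empty."""
    attrs = saml_attributes(assertion_xml)
    mapped = {}
    for saml_name, pool_attr in mapping.items():
        if saml_name not in attrs or not attrs[saml_name]:
            raise KeyError(f"assertion carries no value for {saml_name!r}")
        mapped[pool_attr] = attrs[saml_name][0]
    return mapped
```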
Change app client settings for your user pool
- In the Amazon Cognito console, choose Manage user pools, and then choose your user pool.
- In the left navigation pane, under App integration, choose App client settings.
- On the app client page, do the following:
Under Enabled Identity Providers, select the Okta and Cognito User Pool check boxes.
For Callback URL(s), enter a URL where you want your users to be redirected after they log in. For testing, enter any valid URL, such as https://www.example.com/.
For Sign out URL(s), enter a URL where you want your users to be redirected after they log out. For testing, enter any valid URL, such as https://www.example.com/.
Under Allowed OAuth Flows, be sure to select at least the Implicit grant check box.
Under Allowed OAuth Scopes, be sure to select at least the email and openid check boxes.
- Choose Save changes.
For more information, see App client settings terminology.
Construct the endpoint URL
Using values from your user pool, construct this login endpoint URL: https://yourDomainPrefix.auth.region.amazoncognito.com/login?response_type=token&client_id=yourClientId&redirect_uri=redirectUrl
Be sure to do the following:
- Replace yourDomainPrefix and region with the values for your user pool. Find these values in the Amazon Cognito console on the Domain name page for your user pool.
- Replace yourClientId with your app client's ID, and replace redirectUrl with your app client's callback URL. Find these values in the Amazon Cognito console on the App client settings page for your user pool.
For more information, see How do I configure the hosted web UI for Amazon Cognito? and Login endpoint.
Test the endpoint URL
- Enter the constructed login endpoint URL in your web browser.
- On your login endpoint webpage, choose Okta.
Note: If you're redirected to your app client's callback URL, you're already logged in to your Okta account in your browser. The user pool tokens appear in the URL in your web browser's address bar.
- On the Okta Sign In page, enter the user name and password for the user that you assigned to your app.
- Choose Sign in.
After logging in, you're redirected to your app client's callback URL. The user pool tokens appear in the URL in your web browser's address bar.
(Optional) Skip the Amazon Cognito hosted UI
If you want your users to skip the Amazon Cognito hosted web UI when signing in to your app, use this endpoint URL instead:
https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/authorize?response_type=token&identity_provider=samlProviderName&client_id=yourClientId&redirect_uri=redirectUrl&scope=allowedOauthScopes
Be sure to do the following:
- Replace yourDomainPrefix and region with the values for your user pool. Find these values in the Amazon Cognito console on the Domain name page for your user pool.
- Replace samlProviderName with the name of the SAML provider in your user pool (Okta).
- (Optional) If you added an identifier for your SAML IdP earlier in the Identifiers (optional) field, replace identity_provider=samlProviderName with idp_identifier=idpIdentifier, replacing idpIdentifier with your custom identifier string.
- Replace yourClientId with your app client's ID, and replace redirectUrl with your app client's callback URL. Find these values in the Amazon Cognito console on the App client settings page for your user pool.
- Replace allowedOauthScopes with the specific scopes that you want your Amazon Cognito app client to request. For example, scope=email+openid.
For more information, see How do I configure the hosted web UI for Amazon Cognito? and Authorize endpoint.
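The two endpoint URLs above, and the redirect that follows them, as an added example (not AWS or Okta code): it builds the hosted-UI login URL and the authorize URL that skips the hosted UI, including the idp_identifier variant, and then reads the tokens out of the callback URL fragment and decodes the id_token claims to confirm the mapped email arrived. The prefix, region, client ID and callback URL used in the test are placeholders, and the sample token is constructed and unsigned.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not AWS or Okta code. prefix, region, client_id and redirect_uri
# are the placeholder values this page tells you to take from your user pool.

def cognito_host(prefix, region):
    return f"https://{prefix}.auth.{region}.amazoncognito.com"

def build_login_url(prefix, region, client_id, redirect_uri):
    """Hosted-UI login endpoint (implicit grant, response_type=token)."""
    query = {"response_type": "token", "client_id": client_id, "redirect_uri": redirect_uri}
    return f"{cognito_host(prefix, region)}/login?{urlencode(query)}"

def build_authorize_url(prefix, region, client_id, redirect_uri, scopes,
                        provider_name=None, idp_identifier=None):
    """Authorize endpoint that skips the hosted UI and sends the user to Okta.
    idp_identifier takes the place of identity_provider when one is configured."""
    query = {"response_type": "token"}
    if idp_identifier:
        query["idp_identifier"] = idp_identifier
    elif provider_name:
        query["identity_provider"] = provider_name
    else:
        raise ValueError("provider_name or idp_identifier is required")
    query.update({"client_id": client_id, "redirect_uri": redirect_uri,
                  "scope": " ".join(scopes)})  # urlencode renders this as email+openid
    return f"{cognito_host(prefix, region)}/oauth2/authorize?{urlencode(query)}"

def parse_callback(callback_url, registered_redirect_uri):
    """Read the tokens the implicit grant places in the URL fragment after redirect.
    They are visible in the address bar and browser history, so also confirm the
    redirect target is the callback URL registered on the app client."""
    parsed = urlparse(callback_url)
    if parsed._replace(query="", fragment="").geturl() != registered_redirect_uri:
        raise ValueError("redirect target is not the registered callback URL")
    return {k: v[0] for k, v in parse_qs(parsed.fragment).items()}

def unverified_claims(jwt):
    """Decode a JWT payload to inspect claims such as the mapped 'email'.
    The signature is NOT verified here; check it before trusting any claim."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def constructed_id_token(claims):
    """Unsigned sample token for offline demonstration (constructed, not real)."""
    seg = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = seg(b'{"alg":"none"}')
    return header + "." + seg(json.dumps(claims).encode()) + "."
```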
Related information
SAML user pool IdP authentication flow
How do I set up a third-party SAML identity provider with an Amazon Cognito user pool?
How do I set up Okta as an OpenID Connect identity provider in an Amazon Cognito user pool?