How do I set up OneLogin as a SAML identity provider with an Amazon Cognito user pool?


I want to use OneLogin as a Security Assertion Markup Language 2.0 (SAML 2.0) identity provider (IdP) with an Amazon Cognito user pool.

Short description

Amazon Cognito user pools allow sign-in through a third party (federation). This includes sign-in through a SAML IdP such as OneLogin. For more information, see Adding user pool sign-in through a third party and Adding SAML identity providers to a user pool. To set up OneLogin as a SAML IdP, you need an Amazon Cognito user pool and a OneLogin account with an application on it.

Resolution

Create an Amazon Cognito user pool with an app client and domain name

For more information, see the following articles:

Note: When you create a user pool, the standard attribute email is selected by default. For more information, see User pool attributes.

Create a OneLogin account

  1. Open the OneLogin website, and then choose Free trial.
  2. On the account creation page, under Your OneLogin Domain, note the domain that OneLogin provides.

Create a OneLogin application

  1. On the OneLogin portal page (https://your-new-domain.onelogin.com/portal/), choose Administration.
  2. On the Administration page, hover on Apps, and then choose Add apps.
  3. In the search bar under Find Applications, enter saml, and then choose SAML Test Connector (IdP). The Add SAML Test Connector (IdP) page opens.
  4. (Optional) On the Add SAML Test Connector (IdP) page, complete any of the following steps:
    For Display Name, enter a name. For example, Cognito Setup (IdP).
    For Rectangular Icon and Square Icon, upload thumbnail icons following the specifications on the page.
    For Description, enter a short summary description. For example, For Amazon Cognito user pool.
  5. Choose Save.

Edit your OneLogin application configuration

  1. On the OneLogin portal page (https://your-new-domain.onelogin.com/portal/), choose Configuration.
  2. On the Configuration page, complete the following steps:
    For RelayState, enter a valid URL, such as https://www.example.com.
    For Audience, enter urn:amazon:cognito:sp:yourUserPoolId.
    For Recipient, enter https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse.
    For ACS (Consumer) URL Validator, enter https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse.
    For ACS (Consumer) URL, enter https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse.
    For Single Logout URL, leave the field blank.
    Note: For Audience, replace yourUserPoolId with your Amazon Cognito user pool ID. Find the ID in the Amazon Cognito console on the General settings tab of the management page for your user pool.
    For ACS (Consumer) URL Validator and ACS (Consumer) URL, replace yourDomainPrefix and region with the values for your user pool. Find the values in the Amazon Cognito console on the Domain name tab of the management page for your user pool.

Edit your OneLogin application's parameters

  1. On the OneLogin portal page (https://your-new-domain.onelogin.com/portal/), choose Parameters.
    Note: The Parameters page lists the parameter NameID (fka Email) by default.
  2. To create a new, custom parameter, choose Add parameter.
  3. In the New Field dialog box, for Field name, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier.
  4. For Flags, select the Include in SAML assertion check box.
  5. Choose Save.
  6. For Value, choose Email from the list.
  7. Choose Save.

Copy the IdP metadata for your OneLogin application

  1. On the OneLogin portal page (https://your-new-domain.onelogin.com/portal/), choose SSO.
  2. Under Issuer URL, copy the URL.
  3. Choose Save.

Configure OneLogin as the SAML IdP in Amazon Cognito

To configure OneLogin as the SAML IdP in Amazon Cognito, see Creating and managing a SAML identity provider for a user pool (AWS Management Console). Follow the instructions under To configure a SAML 2.0 identity provider in your user pool. When you create the SAML IdP, for Metadata document, enter the Issuer URL that you copied.

Map the email address from the IdP attribute to the user pool attribute

To map the email address from the IdP attribute to the user pool attribute, see Specifying identity provider attribute mappings for your user pool. Follow the instructions under To specify a SAML provider attribute mapping. When you add a SAML attribute under Attribute mapping, for SAML Attribute, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier. For User pool attribute, choose Email from the list.
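The Audience, Recipient and ACS URL values entered in OneLogin, and the nameidentifier attribute mapped here, are exactly the fields a SAML service provider checks on every response before it trusts the email claim. The following Python is an added example, not AWS or OneLogin code: it derives the expected values from a user pool ID, domain prefix and region, then checks a constructed sample SAML response against them. The pool ID, prefix, region and the response itself are placeholders, and XML signature verification is left out; Cognito performs it, and this check only shows why the configured values must match.

```python
"""Added example (not from the AWS article): check the SAML response fields
that the OneLogin settings above control. The user pool ID, domain prefix,
region and the sample response are constructed placeholders."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute name the article maps to the user pool's email attribute.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"


def expected_sp_values(user_pool_id, domain_prefix, region):
    """Audience and ACS/Recipient URL exactly as entered in OneLogin."""
    acs = f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse"
    return {"audience": f"urn:amazon:cognito:sp:{user_pool_id}", "acs_url": acs}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, user_pool_id, domain_prefix, region, now):
    """Return {'ok', 'errors', 'email'} after checking Destination, Recipient,
    Audience, the validity window and the nameidentifier attribute.
    XML signature verification is out of scope here; the SP must do it."""
    exp = expected_sp_values(user_pool_id, domain_prefix, region)
    errors = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "errors": ["no Assertion element"], "email": None}
    if root.get("Destination") != exp["acs_url"]:
        errors.append(f"Destination mismatch: {root.get('Destination')}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != exp["acs_url"]:
        errors.append("Recipient missing or does not match the idpresponse URL")
    elif scd.get("NotOnOrAfter") and parse_time(scd.get("NotOnOrAfter")) <= now:
        errors.append("SubjectConfirmationData has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and parse_time(cond.get("NotBefore")) > now:
            errors.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and parse_time(cond.get("NotOnOrAfter")) <= now:
            errors.append("assertion has expired")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if exp["audience"] not in audiences:
        errors.append(f"Audience mismatch: {audiences}")
    email = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            value = attr.find("saml:AttributeValue", NS)
            email = value.text if value is not None else None
    if not email:
        errors.append("nameidentifier attribute missing from the assertion")
    return {"ok": not errors, "errors": errors, "email": email}


# Constructed sample values and response (placeholders, not real identifiers).
POOL_ID, PREFIX, REGION = "us-east-1_EXAMPLE", "myprefix", "us-east-1"
ACS = expected_sp_values(POOL_ID, PREFIX, REGION)["acs_url"]
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
LATER = datetime(2024, 1, 1, 12, 30, tzinfo=timezone.utc)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="{ACS}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:amazon:cognito:sp:{POOL_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def run_checks():
    """Good response, wrong user pool (audience mismatch), and an expired one."""
    return {
        "good": check_saml_response(SAMPLE_RESPONSE, POOL_ID, PREFIX, REGION, NOW),
        "wrong_pool": check_saml_response(SAMPLE_RESPONSE, "us-east-1_OTHER", PREFIX, REGION, NOW),
        "expired": check_saml_response(SAMPLE_RESPONSE, POOL_ID, PREFIX, REGION, LATER),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

The "wrong_pool" case is what you see when the Audience in OneLogin carries a typo in the user pool ID, and the "expired" case is what a replayed response looks like; both are rejected before the email attribute is ever read.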

Change the app client settings in Amazon Cognito

Note: This is an example setup for testing purposes. For a production setup, it's a best practice to use the Authorization code grant OAuth flow for your app client settings. When you use that flow, you receive an authorization code after authentication in your redirect URL. You must make a request to the token endpoint to exchange the authorization code for JSON web tokens (JWTs).

  1. In the Amazon Cognito console, under App integration, choose App client settings. Then, complete the following steps:
    Under Enabled identity providers, select the Select all check box.
    For Callback URL(s), enter a URL where you want to redirect your users after they log in. For testing, enter any valid URL, such as https://www.example.com.
    For Sign out URL(s), enter a URL where you want to redirect your users after they log out. For testing, enter any valid URL, such as https://www.example.com.
    Under Allowed OAuth Flows, select at least the Implicit grant check box.
    Under Allowed OAuth Scopes, select at least the email and openid check boxes.
  2. Choose Save changes. For more information, see Updating a user pool app client (AWS CLI and AWS API).
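The note above recommends the Authorization code grant for production instead of the Implicit grant used in this test setup. The following Python is an added example, not AWS code: it builds the hosted UI authorization request for the code flow with a state value and a PKCE challenge, checks the state on the callback, and assembles the form body for the token endpoint exchange. The domain prefix, region, client ID and redirect URL are placeholders, and the identity_provider value "OneLogin" assumes that is the provider name you chose when creating the SAML IdP in Cognito.

```python
"""Added example (not AWS code): Authorization code grant with state and PKCE
against the Cognito hosted UI endpoints. All identifiers are placeholders."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def cognito_base(domain_prefix, region):
    """Hosted UI base URL for a user pool domain prefix in a region."""
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com"


def s256_challenge(verifier):
    """RFC 7636 S256: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Random code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)


def build_authorize_url(domain_prefix, region, client_id, redirect_uri, state,
                        code_challenge, identity_provider="OneLogin"):
    """Authorization request for the code grant. identity_provider is the name
    of the SAML IdP as created in Cognito (assumed to be "OneLogin" here)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
        "identity_provider": identity_provider,
    }
    return f"{cognito_base(domain_prefix, region)}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Return the authorization code, refusing a callback whose state does not
    match the value issued for this browser session."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization error: {query['error'][0]}")
    return query["code"][0]


def build_token_request(domain_prefix, region, client_id, redirect_uri, code, code_verifier):
    """URL and application/x-www-form-urlencoded body for the token exchange."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }
    return f"{cognito_base(domain_prefix, region)}/oauth2/token", urlencode(body)


if __name__ == "__main__":
    # Constructed placeholder values for a local dry run (no network calls).
    prefix, region, client_id = "myprefix", "us-east-1", "exampleclientid"
    redirect = "https://www.example.com"
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(prefix, region, client_id, redirect, state, challenge))
    # Simulated callback from the hosted UI after OneLogin sign-in.
    code = parse_callback(f"{redirect}/?code=EXAMPLECODE&state={state}", state)
    print(build_token_request(prefix, region, client_id, redirect, code, verifier))
```

The token request is sent as a POST to the /oauth2/token URL with the returned body; if the app client was created with a client secret, Cognito expects it in an HTTP Basic Authorization header alongside client_id in the body. Tokens arrive in the JSON response rather than in the redirect URL fragment, which is the point of the note above.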

Test the login endpoint

  1. In your browser, enter https://yourDomainPrefix.auth.region.amazoncognito.com/login?response_type=token&client_id=yourClientId&redirect_uri=redirectUrl.
    Note: Replace yourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the Domain name tab of the management page for your user pool. Replace yourClientId with your app client ID, and replace redirectUrl with your app client callback URL. Find them in the Amazon Cognito console on the App client settings tab of the management page for your user pool. For more information, see How do I configure the hosted web UI for Amazon Cognito? and Login endpoint.
  2. Choose OneLogin.
    Note: If you're redirected to your app client's callback URL, then you're already logged in to your OneLogin account in your browser. Everything is set up correctly.
  3. On the OneLogin page, for Username, enter your OneLogin account username.
  4. Choose Continue.
  5. For Password, enter your OneLogin account password.
  6. Choose Continue.

Related information

Integrating third-party SAML identity providers with Amazon Cognito user pools

SAML user pool IdP authentication flow

AWS OFFICIAL. Updated 10 months ago.
2 Comments

Recently, there was a change that affects this particular integration. For the steps under Edit your OneLogin application configuration, you must now edit your Recipient value to be "https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse" or you will experience an error due to the Recipient value being blank.

AWS
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago