How do I set up OneLogin as a SAML identity provider with an Amazon Cognito user pool?
I want to use OneLogin as a Security Assertion Markup Language 2.0 (SAML 2.0) identity provider (IdP) with an Amazon Cognito user pool.
Short description
Amazon Cognito user pools allow sign-in through a third party (federation). This includes sign-in through a SAML IdP such as OneLogin. For more information, see Adding user pool sign-in through a third party and Adding SAML identity providers to a user pool. To set up OneLogin as a SAML IdP, you need an Amazon Cognito user pool and a OneLogin account with an application on it.
Resolution
Create an Amazon Cognito user pool with an app client and domain name
For more information, see the following articles:
- Tutorial: Creating a user pool
- Setting up the hosted UI with the Amazon Cognito Console
- Configuring a user pool domain
Note: When you create a user pool, the standard attribute email is selected by default. For more information, see User pool attributes.
Create a OneLogin account
- Open the OneLogin website, and then choose Free trial.
- On the account creation page, under Your OneLogin Domain, note the domain that OneLogin provides.
Create a OneLogin application
- On the OneLogin portal page (https://your-new-domain.onelogin.com/portal/), choose Administration.
- On the Administration page, hover over Apps, and then choose Add apps.
- In the search bar under Find Applications, enter saml, and then choose SAML Test Connector (IdP). The Add SAML Test Connector (IdP) page opens.
- (Optional) On the Add SAML Test Connector (IdP) page, complete any of the following steps:
For Display Name, enter a name and description. For example, Cognito Setup (IdP).
For Rectangular Icon and Square Icon, upload thumbnail icons following the specifications on the page.
For Description, enter a short summary description. For example, For Amazon Cognito user pool.
- Choose Save.
Edit your OneLogin application configuration
- On the OneLogin portal page (https://your-new-domain.onelogin.com/portal/), choose Configuration.
- On the Configuration page, complete the following steps:
For RelayState, enter a valid URL, such as https://www.example.com.
For Audience, enter urn:amazon:cognito:sp:yourUserPoolId.
For Recipient, enter https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse.
For ACS (Consumer) URL Validator, enter https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse.
For ACS (Consumer) URL, enter https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse.
For Single Logout URL, leave the field blank.
Note: For Audience, replace yourUserPoolId with your Amazon Cognito user pool ID. Find the ID in the Amazon Cognito console on the General settings tab of the management page for your user pool.
For ACS (Consumer) URL Validator and ACS (Consumer) URL, replace yourDomainPrefix and region with the values for your user pool. Find the values in the Amazon Cognito console on the Domain name tab of the management page for your user pool.
Edit your OneLogin application's parameters
- On the OneLogin portal page (https://your-new-domain.onelogin.com/portal/), choose Parameters.
Note: The Parameters page lists the parameter NameID (fka Email) by default.
- To create a new, custom parameter, choose Add parameter.
- In the New Field dialog box, for Field name, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier.
- For Flags, select the Include in SAML assertion check box.
- Choose Save.
- For Value, choose Email from the list.
- Choose Save.
Copy the IdP metadata for your OneLogin application
- On the OneLogin portal page (https://your-new-domain.onelogin.com/portal/), choose SSO.
- Under Issuer URL, copy the URL.
- Choose Save.
Configure OneLogin as the SAML IdP in Amazon Cognito
To configure OneLogin as the SAML IdP in Amazon Cognito, see Creating and managing a SAML identity provider for a user pool (AWS Management Console). Follow the instructions under To configure a SAML 2.0 identity provider in your user pool. When you create the SAML IdP, for Metadata document, enter the Issuer URL that you copied.
Map the email address from the IdP attribute to the user pool attribute
To map the email address from the IdP attribute to the user pool attribute, see Specifying identity provider attribute mappings for your user pool. Follow the instructions under To specify a SAML provider attribute mapping. When you add a SAML attribute under Attribute mapping, for SAML Attribute, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier. For User pool attribute, choose Email from the list.
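The Audience and Recipient values entered under Edit your OneLogin application configuration, and the nameidentifier-to-email mapping above, are what the user pool's /saml2/idpresponse endpoint checks before it trusts an assertion. The following added example (not AWS or OneLogin code) shows those checks over a constructed SAML Response; the pool ID, domain prefix, region and user are placeholders, and signature verification is assumed to happen separately.

```python
# Added example (not from the AWS article): validate a SAML Response against the
# Audience and Recipient/ACS values the article says to enter in OneLogin, then read
# the nameidentifier attribute that the article maps to the user pool 'email' attribute.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

def expected_values(user_pool_id, domain_prefix, region):
    """Audience and Recipient/ACS URL exactly as the article says to enter them."""
    return {"audience": f"urn:amazon:cognito:sp:{user_pool_id}",
            "recipient": f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse"}

def validate_response(xml_text, expected, now=None):
    """Return the mapped email if the assertion is bound to this pool; raise ValueError otherwise."""
    now = now or datetime.now(timezone.utc)
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    # Audience restriction: the assertion must be issued for this user pool (the SP).
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience"] not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    # Recipient must be the pool's ACS URL (a blank or wrong Recipient fails here).
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["recipient"]:
        raise ValueError("recipient mismatch")
    not_after = datetime.fromisoformat(scd.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= not_after:
        raise ValueError("assertion expired")
    # Attribute mapping from the article: nameidentifier claim -> user pool 'email'.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == NAMEID_CLAIM:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return value.text.strip()
    raise ValueError("nameidentifier attribute missing")

# Constructed sample response with placeholder pool ID, domain prefix, region and user.
EXPECTED = expected_values("us-east-1_EXAMPLE", "example-prefix", "us-east-1")
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"><saml:Assertion>
<saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{EXPECTED['recipient']}"
 NotOnOrAfter="2030-01-01T00:00:00Z"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED['audience']}</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="{NAMEID_CLAIM}"><saml:AttributeValue>user@example.com
</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Calling validate_response(SAMPLE_RESPONSE, EXPECTED) returns user@example.com; changing the pool ID, blanking Recipient, or moving NotOnOrAfter into the past each raises ValueError.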
Change the app client settings in Amazon Cognito
Note: This is an example setup for testing purposes. For a production setup, it's a best practice to use the Authorization code grant OAuth flow for your app client settings. When you use that flow, you receive an authorization code after authentication in your redirect URL. You must make a request to the token endpoint to exchange the authorization code for JSON web tokens (JWTs).
- In the Amazon Cognito console, under App integration, choose App client settings. Then, complete the following steps:
Under Enabled identity providers, select the Select all check box.
For Callback URL(s), enter a URL where you want to redirect your users after they log in. For testing, enter any valid URL, such as https://www.example.com.
For Sign out URL(s), enter a URL where you want to redirect your users after they log out. For testing, enter any valid URL, such as https://www.example.com.
Under Allowed OAuth Flows, select at least the Implicit grant check box.
Under Allowed OAuth Scopes, select at least the email and openid check boxes.
- Choose Save changes. For more information, see Updating a user pool app client (AWS CLI and AWS API).
Test the login endpoint
- In your browser, enter https://yourDomainPrefix.auth.region.amazoncognito.com/login?response_type=token&client_id=yourClientId&redirect_uri=redirectUrl.
Note: Replace yourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the Domain name tab of the management page for your user pool. Replace yourClientId with your app client ID, and replace redirectUrl with your app client callback URL. Find them in the Amazon Cognito console on the App client settings tab of the management page for your user pool. For more information, see How do I configure the hosted web UI for Amazon Cognito? and Login endpoint.
- Choose OneLogin.
Note: If you're redirected to your app client's callback URL, then you're already logged in to your OneLogin account in your browser. Everything is set up correctly.
- On the OneLogin page, for Username, enter your OneLogin account username.
- Choose Continue.
- For Password, enter your OneLogin account password.
- Choose Continue.
Related information
Integrating third-party SAML identity providers with Amazon Cognito user pools
Recently, there was a change that affects this particular integration. For the steps under Edit your OneLogin application configuration, you must now edit your Recipient value to be "https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse" or you will experience an error due to the Recipient value being blank.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.