We have created a SAML application which allows portal users to do SSO and log into internal platforms.
The way this is configured is as follows:
- IAM Identity Center contains the users and groups. It also has a SAML application to allow for the login flow to work.
- Cognito User Pool with Federated Identity Provider sign-in that points towards the IAM Identity Center SSO portal (portal.sso.us-east-1.amazonaws.com).
The authentication process works fine. However, it looks like the IAM Identity Center groups are not being properly synced into the Cognito User Pool.
When you log in, a group is automatically created and all users are assigned to that single group. However, their groups from IAM Identity Center are not auto-synced.
Is there a particular setting that needs to be enabled for this to work?
I thought the same thing, but Cognito doesn't seem to have such an option to map the external groups. Also, in the Identity Center docs there are no `roles` attributes mentioned (https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html), so I'm scratching my head how this should be done. Do you have any links to docs that might be helpful?
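One workaround for the group-sync gap discussed above, as an added example that is not part of the original thread and not AWS's own sample code: a Cognito "Pre token generation" Lambda trigger (Node.js) that reads group names delivered through a user-pool attribute and writes them into the token's `cognito:groups` claim. It assumes two things the thread does not state: that the SAML attribute carrying group names is mapped, in the user pool's SAML provider attribute mapping, to a custom attribute named `custom:groups`, and that the value is a comma-separated list of group names. Both names and the validation limits are constructed for the example.

```javascript
// Added example, not code from the thread or from AWS. Assumptions:
//  - the user pool's SAML attribute mapping writes the IdP's group attribute
//    into a custom attribute named "custom:groups" (assumed name)
//  - the attribute value is a comma-separated list of group names
// Defensive limits below are constructed for this example.
const MAX_GROUPS = 20;                  // cap the number of groups we will emit
const GROUP_NAME = /^[\w.\-]{1,128}$/;  // accept only well-formed group names

// Parse the comma-separated attribute value into a de-duplicated, validated list.
// Malformed entries (empty, spaces, unexpected characters) are dropped rather
// than passed through into a token claim.
function parseGroups(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return [];
  const seen = new Set();
  for (const part of raw.split(',')) {
    const name = part.trim();
    if (GROUP_NAME.test(name)) seen.add(name);
  }
  return Array.from(seen).slice(0, MAX_GROUPS);
}

// Pre token generation trigger (version 1 event shape). Cognito passes the
// user's attributes in event.request.userAttributes and reads overrides from
// event.response.claimsOverrideDetails. When no valid groups are present the
// event is returned unchanged so Cognito keeps its default behaviour.
function handler(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  const groups = parseGroups(attrs['custom:groups']);
  event.response = event.response || {};
  if (groups.length > 0) {
    event.response.claimsOverrideDetails = {
      groupOverrideDetails: { groupsToOverride: groups },
    };
  }
  return event;
}

// Constructed sample event for a local dry run (not a real Cognito payload).
const SAMPLE_EVENT = {
  request: {
    userAttributes: {
      sub: 'example-sub',
      'custom:groups': 'Admins, Developers,,bad name,Admins',
    },
  },
  response: {},
};

function demo() {
  return handler(JSON.parse(JSON.stringify(SAMPLE_EVENT)));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo().response, null, 2));
}

module.exports = { parseGroups, handler, demo };
```

Whether the override is visible in the ID token still depends on the attribute mapping being configured in the user pool's SAML provider, which is the assumption the example rests on; the trigger only makes the groups visible to the application as a token claim and does not create or sync Cognito user-pool groups themselves.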