Configure AWS Cognito as OAuth IDP or Identity Source for SSO

miniOrange Identity Broker service solution enables cross protocol authentication. You can configure AWS Cognito as an Identity Provider (IDP) for Single Sign-On (SSO) into your applications/websites, or configure it as an Identity Source to authenticate users from AWS Cognito user pools.

We offer a pre-built solution for integrating with AWS Cognito, making it easier and quick to implement. You can configure AWS Cognito as an OAuth/OIDC IDP for SSO login, or set it up as an Identity Source to use AWS Cognito as your identity source for user authentication.

Get Free Installation Help

miniOrange offers free help through a consultation call with our System Engineers to configure SSO for different apps using AWS Cognito as IDP in your environment with 30-day free trial.

For this, you need to just send us an email at idpsupport@xecurify.com to book a slot and we'll help you in no time.

Prerequisites

Please make sure your organisation branding is already set under Customization >> Login and Registration Branding in the left menu of the dashboard.

Follow the Step-by-Step Guide given below for AWS Cognito Single Sign-On (SSO)

1. Configure miniOrange as Service Provider in AWS Cognito

Note: If you would like to customize the AWS login page kindly choose AWS as the Userstore. For the default AWS login page, you can go with AWS as IdP configurations.

Configure miniOrange as SP in AWS Cognito
Configure miniOrange as Userstore in AWS Cognito

Follow this guide to configure AWS Cognito as OAuth IDP for SSO:

AWS Cognito Single Sign On (SSO) : Login to Amazon Console

Search for Cognito in the AWS Services search bar as shown below.

Search for Cognito in AWS Services to configure SSO

Click on Create user pool button to create a new user pool.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Click Create user pool

Choose the attributes in your Cognito user pool to be used during the sign-in process.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Choose attribute in Cognito user pool

Set up a strong password to configure your security requirements. Go ahead with the ‘No MFA’ option if you want users to only sign in with a single authentication factor. If you wish to enable MFA (Multi-factor authentication) it will require SMS messages which are charged separately by Amazon SNS. Learn more about that here. Click Next.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Go head with No MFA

AWS Cognito OAuth/OpenID Single Sign On (SSO)

Configure attributes that would be required during the user sign-up flow.

AWS Cognito OAuth/OpenID Single Sign On (SSO): Configure Attribute

Choose additional attributes if you wish to. Click Next.

AWS Cognito OAuth/OpenID Single Sign On (SSO): Click Next

Configure how your user pool sends email messages to users.

AWS Cognito OAuth/OpenID Single Sign On (SSO): Choose Send and Email message

Enter a name for your user pool, Also Under Hosted authentication pages, check ‘Use the Cognito Hosted UI’.

AWS Cognito OAuth/OpenID Single Sign On (SSO): Enter a name of your user pool

Now, Under the Domain section choose the domain type as ‘Use a Cognito domain’. Enter a domain name for your Cognito app.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Enter a Domain name

Under the Initial app client section, Enter a name for your app client and check on Generate a client secret.

AWS Cognito OAuth/OpenID Single Sign On (SSO): Enter name of your App client

Now, go to miniOrange Admin Console.
From the left navigation bar select Identity Providers >> click Add Identity Provider.

AWS Cognito SSO: Go to Identity Providers

In Choose Identity Provider, select OAuth/OpenID from the dropdown.

Azure AD as IDP: Select OAuth/OpenID from dropdown

Search for AWS Cognito in the list. If you don’t find it, search for OAuth Provider and set up your application there.

Keep the OAuth Callback URL as Redirect URL, which will be needed in the next steps.

AWS Cognito Single Sign On: Copy OAuth Callback URL

Now, Under Advanced app client settings, select Identity provider as Cognito user pool & Select Authorization code grant under the OAuth 2.0 grant types and also select openid,email and profile checkboxes under the OpenID Connect scopes section (Please refer to the image below).
Click on the Next button to save your configurations.

Now, Review your selection of requirements. Click Create user pool to confirm the selection and create a user pool.

After successfully creating your user pool, Select your pool name from the list of pools to start with user creation.

Go to the Users tab, and click Create user.

Enter details such as username, email address & password. Click on Create user to save the details.

You have Successfully complete AWS Cognito side configuration.

Follow this guide to configure AWS Cognito as Identity Source for user authentication:

A. Steps to Configure User Pool

Sign in to AWS Amazon.
Now enter "Cognito" in search text box & select Cognito from dropdown.

Search and select Cognito from AWS console

Go to "Manage your user pools".

Click on "Create a user pool".

Add pool name and select "Review Defaults".

Click on Edit icon as shown in the below image.

Now, Enable the Email Address and Phone Number option and click on Next step button.

Enable Email Address Phone Number AWS Cognito

Click on "Add app client" & then click on Add an app client.

Enter App client name & Disable Generate Client Secret option. Enable the Username Password based authentication option,then Click on "Create app client".

Create app client AWS Cognito disable client secret

Authentication flow configuration AWS Cognito app client

Click on Return to Pool Details to come back to your configuration.

Click on Create Pool button to save your settings and create a user pool.

Create Pool button AWS Cognito user pool

In the navigation bar present on the left side, click on the App Client Settings option under the App Integration menu.

App Client Settings AWS Cognito user pool

Go to the Cognito dashboard and select “Cognito User Pool”, add callback URL which you have copied from Pre-requisite.
Add application home page URL has to Sign out URL.
Also, select Authorization code grant as “Allowed OAuth Flows” & select email, OpenID, Profile as “Allowed OAuth Scopes”.
After selecting all details click on Save changes button.

Save changes AWS Cognito App Client Settings

Go to "App client" and click on "Show details" to get a client ID. (Keep client ID handy as you will need it later.)

Go to domain name and enter a domain name for your app. After adding domain name you can check its availability by clicking on "Check availability" button. After entering valid domain name click "Save changes" button.

Complete domain name: The complete domain name that you need to enter in miniOrange dashboard is {your domain name}.auth.{region name}.amazoncognito.com
Add Users/Groups to Cognito App: Go to Users and groups and then click on Users. After this click on Create user.

Fill all required information's and click on Create user.

Click on Groups and then click on Create group.

Fill all required information's and click on Create group.

B. Steps to Configure Identity Pool

Go to Federated Identities and click on Create new Identity pool button.

Enter Identity pool name and enable Unauthenticated identities and Authentication flow settings, then click on Create pool button.

Create Identity pool AWS Cognito configuration

Click on Allow button and you will get the Identity Pool Id.

2. Configure AWS Cognito as Userstore OR IDP in miniOrange

Configure AWS Cognito as IDP in miniOrange
Configure AWS Cognito as Userstore in miniOrange

Go to miniOrange Admin Console.
From the left navigation bar select Identity Providers >> Add Identity Provider.

Select Identity Providers and Add Identity Provider miniOrange Admin Console

Select OAuth/OpenID from All type dropdown.

Select OAuth/OpenID from All type dropdown

Search for OAuth Provider and select it from the list.

Search OAuth Provider from identity provider list

Navigate to the App Integration section in AWS Amazon and copy the full domain name in this format: {your domain name}.auth.{region name}.amazoncognito.com for later use.

App Integration tab AWS Cognito domain name

Still in the App Integration tab, scroll down to the App clients and analytics section and click on your App client name to see the Client ID and Client Secret.

App clients and analytics section AWS Cognito

Get Client ID and Client Secret AWS Cognito

In the Basic tab of miniOrange Admin Console, enter the values as required.

Display Name	Custom Provider
OAuth Authorize Endpoint	https://{cognito-app-domain}/oauth2/authorize
OAuth Access Token Endpoint	https://{cognito-app-domain}/oauth2/token
OAuth Get User Info Endpoint (optional)	https://{cognito-app-domain}/oauth2/userInfo
Client ID	From above step
Client secret	From above step
Scope	openid email phone profile

Enter AWS Cognito OAuth IDP configuration details Basic tab

Click on Save to save the configuration.

Go to miniOrange Admin Console.
From the left navigation bar select Identity Providers >> Add Identity Provider.

Add Identity Provider miniOrange Admin Console

Under the Choose Identity Provider, select API from All type dropdown.

Select API from Choose Identity Provider dropdown

Search for AWS Cognito and select it from the list.

Select AWS Cognito userstore from identity provider list

Under Basic tab, enter the following values.

AWS Cognito userstore Basic configuration tab

AWS Cognito Identifier	Provider Name
AWS Cognito Region	Get Cognito region from user pool (e.g., us-east-2)
Identity Pool ID	From step 1.2
User Pool ID	From step 1.1
Client ID	From step 1.1

Now you can click on Next button to proceed.

In Advanced tab, enter the following values.

Domain Mapping	Enter comma separated domain names for domain mapping.
Fallback Authentication	Enable this option for fallback authentication if primary authentication fails.

AWS Cognito userstore Advanced settings Domain Mapping Fallback Authentication

Go to the Attributes tab and configure the attributes for the AWS Cognito userstore.

Send Custom Attributes, if you enable this option, then only the attributes configured below will be sent in attributes at the time of login.
Click on Add Attribute to add a new attribute.

Enter the Attribute Name sent to SP and Attribute Name from IdP/User store values.
Example: email → Email, first_name → FirstName

Map custom attributes AWS Cognito userstore Attributes tab

Click on Save to save the attribute.

3. Test Connection

Visit your Login Page URL.
Go to Identity Providers tab.
Search for your app, click the three dots in the Actions menu, and select Test Connection against the Identity Provider (IDP) you configured.

On entering valid AWS Cognito credentials (credentials of user assigned to app created in AWS Cognito), you will see a pop-up window which is shown in the below screen.

Hence your configuration of AWS Cognito as IDP in miniOrange is successfully completed.

Note:

You can follow this guide, if you want to configure SAML/WS-FED, OAuth/OIDC, JWT, Radius etc

Configure Attribute Mapping

Go to Identity Providers.
Click the three dots in the Actions menu, and select Attribute Mapping against the Identity Provider (IDP) you configured.

Attribute Type - USER
Attribute Type - EXTERNAL

Maps information, such as email and username, during Just-In-Time (JIT) user creation. Email and Username attributes are necessary to create the user profile.

Click on the + Add Attribute button to add the attribute fields.

AWS Cognito Single Sign-On SSO Map USER Attribute

Check the attributes in the Test Connection window from the previous step. Choose any attribute names you want to send to your application under Attribute Name sent to SP.
Enter the values of the attributes coming from IdP into the Attribute Name from IdP field on the Xecurify side.

EXTERNAL mappings help alter incoming attribute names before sending them to apps, ensuring that the data is in the correct format.

Click on the + Add Attribute button to add the attribute fields.

AWS Cognito Single Sign-On SSO Map EXTERNAL Attribute

Check attributes in test connection window from last step. Enter the attribute names (any name) that you want to send to your application under Attribute Name sent to SP.
Enter the value of attributes that are coming from IdP into the Attribute Name from IdP field on the Xecurify side.

Configure Multiple IDPs:

You can follow this guide, if you want to configure multiple IDPs (Identity Providers) and give users the option to select the IDP of their choice to authenticate with.

Troubleshooting

You receive these error message when you try to SSO in to an application that has been set up to use AWS Cognito as External IdP using OAuth based Single Sign-On (SSO).

Error - Invalid redirect_uri

This error occurs when the redirect URI specified in the authentication request doesn’t match the one registered in Cognito.

Verify that the correct redirect URI is configured under App Client Settings in the AWS Cognito console.
Ensure the redirect URL in your OAuth client matches exactly with the one in Cognito, including case sensitivity.

Error - invalid_client

This error typically arises when the Client ID or Client Secret in the OAuth request is incorrect.

Double-check the Client ID and Secret values in the App Clients section of your Cognito user pool and ensure they are used correctly in your application's OAuth requests.

Error - Missing required scopes

If your OAuth request lacks necessary scopes (e.g., 'openid', 'email', or 'profile'), AWS Cognito will throw this error.

Go to App Client Settings in the Cognito user pool and ensure the relevant Auth scopes are enabled.
Also, confirm the scopes are included in your OAuth authorization request.

Error - invalid_grant

This error often occurs if there is an issue with the authorization code or refresh token used to get tokens.

It can happen if the authorization code has expired or has already been used.
Ensure your authorization codes are being used correctly and have not expired. Additionally, check if the refresh token has expired.

Error - unauthorized_client

This means the OAuth client (application) is not allowed to use the specific flow (e.g., authorization code, implicit, or client credentials).

Go to App Client Settings in the AWS Cognito console and confirm that the correct grant types are enabled, such as Authorization code grant, Implicit grant, etc., depending on your application’s flow.

Error - access_denied

This occurs when the user denies consent or the client app doesn’t have permission to request specific scopes.

Make sure the user has provided proper consent for the required scopes.
Also, ensure the requested scopes are available and authorized in the App Client Settings.

Contents