Meet us at Infosecurity '25 Europe to explore our solutions.
  Login  
Hello there!

Need Help? We are right here!

Support Icon
miniOrange Email Support
success

Thanks for your Enquiry. Our team will soon reach out to you.

If you don't hear from us within 24 hours, please feel free to send a follow-up email to info@xecurify.com

Search Results:

×

Configure AWS Cognito as OAuth IDP for SSO

miniOrange Identity Broker service solution enables cross protocol authentication. You can configure AWS Cognito as an IDP for Single Sign-On (SSO) into your applications/websites. Here, AWS Cognito will act as an Identity Provider (IDP) and miniOrange will act as a broker.

We offer a pre-built solution for integrating with AWS Cognito, making it easier and quick to implement. Our team can also help you set up AWS Cognito as OIDC IDP to login into your applications.


Get Free Installation Help


miniOrange offers free help through a consultation call with our System Engineers to configure SSO for different apps using AWS Cognito as IDP in your environment with 30-day free trial.

For this, you need to just send us an email at idpsupport@xecurify.com to book a slot and we'll help you in no time.



Prerequisites

Please make sure your organisation branding is already set under Customization >> Login and Registration Branding in the left menu of the dashboard.


Follow the Step-by-Step Guide given below for AWS Cognito Single Sign-On (SSO)

1. Configure miniOrange as Service Provider in AWS Cognito


Note: If you would like to customize the AWS login page kindly choose AWS as the Userstore. For the default AWS login page, you can go with AWS as IdP configurations.




    1.1 Configuring miniOrange as Service Provider (SP) in AWS Cognito

    • Sign in to AWS Amazon.
      • AWS Cognito Single Sign On (SSO) : Login to Amazon Console

    • Search for Cognito in the AWS Services search bar as shown below.
      • Search for Cognito in AWS Services to configure SSO

    • Click on Create user pool button to create a new user pool.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Click Create user pool

    • Choose the attributes in your Cognito user pool to be used during the sign-in process.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Choose attribute in Cognito user pool

    • Set up a strong password to configure your security requirements. Go ahead with the ‘No MFA’ option if you want users to only sign in with a single authentication factor. If you wish to enable MFA (Multi-factor authentication) it will require SMS messages which are charged separately by Amazon SNS. Learn more about that here. Click Next.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Go head with No MFA

      AWS Cognito OAuth/OpenID Single Sign On (SSO)

    • Configure attributes that would be required during the user sign-up flow.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Configure Attribute

    • Choose additional attributes if you wish to. Click Next.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Click Next

    • Configure how your user pool sends email messages to users.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Choose Send and Email message

    • Enter a name for your user pool, Also Under Hosted authentication pages, check ‘Use the Cognito Hosted UI’.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Enter a name of your user pool

    • Now, Under the Domain section choose the domain type as ‘Use a Cognito domain’. Enter a domain name for your Cognito app.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Enter a Domain name

    • Under the Initial app client section, Enter a name for your app client and check on Generate a client secret.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Enter name of your App client

    • Now, go to miniOrange Admin Console.
    • From the left navigation bar select Identity Providers and Click on Add Identity Provider button.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Go to Identity Providers

    • Select OAuth 2.0 and copy the OAuth Callback URL, which will be needed in the next steps.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Select OAuth 2.0

    • Now enter your OAuth Callback URL which you will get from your miniOrange plugin present on your Client side and paste it under the Allowed callback URLs text-field. Also refer the following image for choosing the authentication flows for your app.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO)

    • Now, Under Advanced app client settings, select Identity provider as Cognito user pool & Select Authorization code grant under the OAuth 2.0 grant types and also select openid,email and profile checkboxes under the OpenID Connect scopes section (Please refer to the image below).
    • Click on the Next button to save your configurations.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO)

    • Now, Review your selection of requirements. Click Create user pool to confirm the selection and create a user pool.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO)

      AWS Cognito OAuth/OpenID Single Sign On (SSO)

    • After successfully creating your user pool, Select your pool name from the list of pools to start with user creation.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO)

    • Go to the Users tab, and click Create user.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO)

    • Enter details such as username, email address & password. Click on Create user to save the details.
      • AWS Cognito OAuth/OpenID Single Sign On (SSO)

    • You have Successfully complete AWS Cognito side configuration.

1.1 Configuring miniOrange as Userstore in AWS Cognito

    A] Steps to Configure User Pool

    • Sign in to AWS Amazon.
    • Now enter “Cognito” in search text box & select Cognito from dropdown.
      • AWS cognito SSO Login Cognito

    • Go to “Manage your user pools”.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Manage user pools

    • Click on “Create a user pool”.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Create a user pool

    • Add pool name and select “Review Defaults”.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Review Defaults

    • Click on Edit icon as shown in the below image.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Edit

    • Now, Enable the Email Address and Phone Number option and click on Next step button.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO configure email address and phone number

      OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Add app client

    • Click on “Add app client” & then click on Add an app client.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Add app client

    • Enter App client name & Disable Generate Client Secret option. Enable the Username Password based authentication option,then Click on “Create app client”.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Create app client

      OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Create app client

    • Click on Return to Pool Details to come back to your configuration.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login return to aws pool

    • Click on Create Pool button to save your settings and create a user pool.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Create a AWS user pool

    • In the navigation bar present on the left side, click on the App Client Settings option under the App Integration menu.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login go to app client settings

    • Go to the Cognito dashboard and select “Cognito User Pool”, add callback URL which you have copied from Pre-requisite.
    • Add application home page URL has to Sign out URL.
    • Also, select Authorization code grant as “Allowed OAuth Flows” & select email, OpenID, Profile as “Allowed OAuth Scopes”.
    • After selecting all details click on Save changes button.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Save changes

    • Go to “App client” and click on “Show details” to get a client ID. (Keep client ID handy as you will need it later.)
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login get client ID details

    • Go to domain name and enter a domain name for your app. After adding domain name you can check its availability by clicking on “Check availability” button. After entering valid domain name click "Save changes” button.
      • OAuth/OpenID/OIDC Single Sign-On (SSO) - AWS cognito SSO Login domain name

    • Complete domain name: The complete domain name that you need to enter in miniOrange dashboard is {your domain name}.auth.{region name}.amazoncognito.com
    • Add Users / Groups to Cognito App : Go to Users and groups and then click on Users. After this click on Create user.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Add Users / Groups

    • Fill all required information's and click on Create user.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Create user

    • Click on Groups and then click on Create group.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Groups
    • Fill all required information's and click on Create group.
      • OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Create group

    B] Steps to Configure Identity Pool

    • Go to Federated Identities and click on Create new Identity pool button.
      • AWS cognito SSO Login : Select Identity Pool

    • Enter Identity pool name and enable Unauthenticated identities and Authentication flow settings, then click on Create pool button.
      • AWS cognito SSO Login : Create new user Pool

    • Click on Allow button and you will get the Identity Pool Id.
      • AWS cognito OAuth SSO : Get Cognito Identity Pool ID

2. Configure AWS Cognito as Userstore OR IDP in miniOrange



  • Go to miniOrange Admin Console.
  • From the left navigation bar select Identity Providers >> Add Identity Provider. Select OAuth 2.0.
    • AWS Cognito SSO : Select Identity Providers

    Select OAuth

  • Navigate to the App Integration section in AWS Amazon and copy the full domain name in this format: {your domain name}.auth.{region name}.amazoncognito.com for later use.
    • AWS Cognito OAuth/OpenID Single Sign On (SSO)

  • Still in the App Integration tab, scroll down to the App clients and analytics section and click on your App client name to see the Client ID and Client Secret.
    • AWS Cognito OAuth/OpenID Single Sign On (SSO) : In App Integration sroll to App clients and analytics

    AWS Cognito OAuth/OpenID Single Sign On (SSO) : Copy Client ID and Client secret

  • In the miniOrange Admin Console, enter the values as required.
    IdP Name Custom Provider
    IdP Display Name Choose appropriate Name
    OAuth Authorize Endpoint https://{cognito-app-domain}/oauth2/authorize
    OAuth Access Token Endpoint https://{cognito-app-domain}/oauth2/token
    OAuth Get User Info Endpoint (optional) https://{cognito-app-domain}/oauth2/userInfo
    Client ID From above step
    Client secret From above step
    Scope openid email phone profile
    • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Enter AWS Cognito IDP details

  • Go to miniOrange Admin Console.
  • From the left navigation bar select External Directories and Click on Add Directory button.
    • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Go to External Directories and click Add Directory

  • Select AWS Cognito.
    • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Select AWS Cognito Directories

  • Enter the following values.
    AWS Cognito Identifier Provider Name
    AWS Cognito Region Get Cognito region from user pool(eg.us-east-2)
    Identity Pool ID From step 1.2
    User Pool ID From step 1.1
    Client ID From step 1.1
    • AWS Cognito OAuth/OpenID Single Sign On (SSO) : Enter the AWS Userstore values

  • Now you can click on Save.

3. Test Connection

  • Visit your Login Page URL.
  • Go to Identity Providers tab.
  • Click on Select >> Test Connection option against the Identity Provider (IDP) you configured.
    • AWS Cognito-IDP-TestConnection

  • On entering valid AWS Cognito credentials (credentials of user assigned to app created in AWS Cognito), you will see a pop-up window which is shown in the below screen.
    • SucessTestConn-AWS Cognito-IDP

  • Hence your configuration of AWS Cognito as IDP in miniOrange is successfully completed.

Note:

You can follow this guide, if you want to configure SAML/WS-FED, OAuth/OIDC, JWT, Radius etc


Configure Attribute Mapping

  • Go to Identity Providers >> View Identity Providers >> Your configured AWS Cognito as IdP.
  • Now click on Select and then Configure Attribute Mapping of your application.
    • AWS Cognito Single Sign-On SSO Select and Configure Attribute Mapping


Maps information, such as email and username, during Just-In-Time (JIT) user creation. Email and Username attributes are necessary to create the user profile.

  • Click on the + Add Attribute button to add the attribute fields.
    • AWS Cognito Single Sign-On SSO Map USER Attribute

  • Check the attributes in the Test Connection window from the previous step. Choose any attribute names you want to send to your application under Attribute Name sent to SP.
  • Enter the values of the attributes coming from IdP into the Attribute Name from IdP field on the Xecurify side.

EXTERNAL mappings help alter incoming attribute names before sending them to apps, ensuring that the data is in the correct format.

  • Click on the + Add Attribute button to add the attribute fields.
    • AWS Cognito Single Sign-On SSO Map EXTERNAL Attribute

  • Check attributes in test connection window from last step. Enter the attribute names (any name) that you want to send to your application under Attribute Name sent to SP.
  • Enter the value of attributes that are coming from IdP into the Attribute Name from IdP field on the Xecurify side.

Configure Multiple IDPs:

You can follow this guide, if you want to configure multiple IDPs (Identity Providers) and give users the option to select the IDP of their choice to authenticate with.


Troubleshooting

You receive these error message when you try to SSO in to an application that has been set up to use AWS Cognito as External IdP using OAuth based Single Sign-On (SSO).

Error - Invalid redirect_uri

This error occurs when the redirect URI specified in the authentication request doesn’t match the one registered in Cognito.

  • Verify that the correct redirect URI is configured under App Client Settings in the AWS Cognito console.
  • Ensure the redirect URL in your OAuth client matches exactly with the one in Cognito, including case sensitivity.

Error - invalid_client

This error typically arises when the Client ID or Client Secret in the OAuth request is incorrect.

  • Double-check the Client ID and Secret values in the App Clients section of your Cognito user pool and ensure they are used correctly in your application's OAuth requests.

Error - Missing required scopes

If your OAuth request lacks necessary scopes (e.g., 'openid', 'email', or 'profile'), AWS Cognito will throw this error.

  • Go to App Client Settings in the Cognito user pool and ensure the relevant Auth scopes are enabled.
  • Also, confirm the scopes are included in your OAuth authorization request.

Error - invalid_grant

This error often occurs if there is an issue with the authorization code or refresh token used to get tokens.

  • It can happen if the authorization code has expired or has already been used.
  • Ensure your authorization codes are being used correctly and have not expired. Additionally, check if the refresh token has expired.

Error - unauthorized_client

This means the OAuth client (application) is not allowed to use the specific flow (e.g., authorization code, implicit, or client credentials).

  • Go to App Client Settings in the AWS Cognito console and confirm that the correct grant types are enabled, such as Authorization code grant, Implicit grant, etc., depending on your application’s flow.

Error - access_denied

This occurs when the user denies consent or the client app doesn’t have permission to request specific scopes.

  • Make sure the user has provided proper consent for the required scopes.
  • Also, ensure the requested scopes are available and authorized in the App Client Settings.

External References

Want To Schedule A Demo?

Request a Demo
  



Our Other Identity & Access Management Products

Single Sign-On

Seamless login for workforce and customer identity to cloud or on-premise apps

Learn more

Multi-factor Authentication

Secure access for identities with an additional layer of authentication

Learn more

Adaptive Authentication

Block or grant user access based on IP, Device, Time & Location

Learn more

Lifecycle Management

Manage & automate user provisioning and deprovisioning to apps

Learn More