Tags: amazon-web-services, amazon-cognito, saml, okta, federated-identity

How do I configure Okta as SAML IdP for AWS Cognito Identity Pool?


I want to configure Okta as a SAML IdP for an AWS Cognito Identity Pool (not a User Pool).

When creating an Identity Pool, I need to specify a SAML IdP associated with the AWS account. As part of defining an IdP, I need to provide a metadata document file:

[Screenshot: AWS IdP definition]

To get this metadata document from Okta, I need to define an application in Okta that uses SAML integration (i.e. AWS is the resource provider and Okta is the IdP):


This requires 2 values from AWS that I don't know how to get:

  1. Single sign on URL. Okta UI hint reads:

    The location where the SAML assertion is sent with a HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.

  2. Audience URI (SP Entity ID). Okta UI hint reads:

    The application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application.

How/where do I get these values from AWS?

If I am trying to create an IdP for a Cognito Identity Pool and I am required to create an IdP that requires values from an Okta that requires values that refer to the Cognito Identity Pool, how do I avoid the circular reference?


Solution

  • Question 1: Single sign on URL. Okta UI hint reads:

    The location where the SAML assertion is sent with a HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.

    Answer:

    Single sign on URL: https://signin.aws.amazon.com/saml

  • Question 2: Audience URI (SP Entity ID). Okta UI hint reads:

    The application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application.

    Answer:

    Audience URI (SP Entity ID): urn:amazon:webservices

    Important Remarks:

    (1) The GitHub repository "How to build and run Shibboleth SAML IdP and SP using Docker container" provides Amazon AWS SAML Service Provider metadata, "shibboleth-idp-dockerized/ext-conf/metadata/sp-aws-amazon-com.xml", which has been validated with a successful SSO for Amazon AWS.

    The Amazon AWS SAML Service Provider metadata provides the Single sign on URL and Audience URI (SP Entity ID) required by the Okta SAML IdP.

    (2) "Adding SAML Identity Providers to a User Pool" states that the Audience URI/SP Entity ID of a User Pool (NOT Identity Pool) is urn:amazon:cognito:sp:your-User-Pool-ID.

  • Question 3: If I am trying to create an IdP for a Cognito Identity Pool and I am required to create an IdP that requires values from an Okta that requires values that refer to the Cognito Identity Pool, how do I avoid the circular reference?

    Answer:

    To avoid the circular reference, Amazon AWS assigns different AWS Accounts the same Single sign on URL and Audience URI (SP Entity ID) for Cognito Identity Pool; thus,

    (1) you need to create the Amazon AWS SAML SP from the Okta Admin GUI first,

    (2) then you can download the SAML IdP metadata of Okta, which is required to create an IdP (as Okta SAML IdP) through the Amazon AWS Cognito Admin GUI.

    Note that Amazon AWS uses the attribute "awsRoles" (carried by the SAML response) to distinguish different AWS Accounts.
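The two Okta fields asked about in the question, and the answer's remark that they come from the service provider's metadata, can be checked mechanically rather than copied by hand. The following is an added example (not code from the question, the answer, AWS or Okta): it reads the ACS URL and SP Entity ID out of SAML SP metadata, and sanity-checks IdP metadata of the kind Okta exports before it is uploaded to AWS as the "metadata document". Both XML documents are constructed inline in the shape of standard SAML 2.0 metadata; the SP values are the ones given in the answer, while the Okta hostname, app id, IdP entityID and certificate are placeholders.

```python
"""Pull the two Okta-side values (ACS URL, Audience URI) out of SAML SP metadata,
and sanity-check an IdP metadata document before handing it to AWS."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata in the shape of sp-aws-amazon-com.xml (not a copy of it);
# the entityID and ACS Location are the values given in the answer above.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="urn:amazon:webservices">
  <md:SPSSODescriptor WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://signin.aws.amazon.com/saml"
                                 index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed IdP metadata; hostname, app id, entityID and certificate are placeholders.
SAMPLE_IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="http://www.okta.com/EXAMPLE_IDP_ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIDEXAMPLECERTIFICATEPLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://example.okta.com/app/EXAMPLE_APP/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://example.okta.com/app/EXAMPLE_APP/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def okta_settings_from_sp_metadata(xml_text):
    """Return the 'Single sign on URL' and 'Audience URI (SP Entity ID)' that the
    Okta SAML app asks for, read from the service provider's metadata."""
    root = ET.fromstring(xml_text.strip())
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor; this is not SP metadata")
    # Okta's hint says the ACS URL receives an HTTP POST, so take the POST-bound endpoint.
    post_acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
                if e.get("Binding") == HTTP_POST]
    if not post_acs:
        raise ValueError("no AssertionConsumerService with HTTP-POST binding")
    default = next((e for e in post_acs if e.get("isDefault") == "true"), post_acs[0])
    return {
        "single_sign_on_url": default.get("Location"),  # Okta: Single sign on URL
        "audience_uri": root.get("entityID"),           # Okta: Audience URI (SP Entity ID)
    }


def check_idp_metadata(xml_text):
    """Return a list of problems that would make the IdP metadata unusable or unsafe
    as the metadata document uploaded to AWS; an empty list means it looks fine."""
    root = ET.fromstring(xml_text.strip())
    problems = []
    if not root.get("entityID"):
        problems.append("missing entityID (the issuer AWS matches the assertion against)")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor; this is not IdP metadata"]
    # The relying party verifies the assertion signature with the certificate in the
    # metadata, so a KeyDescriptor usable for signing (use="signing" or unset) is required.
    signing_certs = [
        c.text.strip()
        for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text and c.text.strip()
    ]
    if not signing_certs:
        problems.append("no signing certificate; assertion signatures cannot be verified")
    sso = idp.findall("md:SingleSignOnService", NS)
    if not any(e.get("Binding") == HTTP_POST for e in sso):
        problems.append("no SingleSignOnService with HTTP-POST binding")
    for e in sso:  # the SAML response must travel over TLS
        loc = e.get("Location") or ""
        if not loc.startswith("https://"):
            problems.append(f"SSO endpoint is not HTTPS: {loc!r}")
    return problems


if __name__ == "__main__":
    print(okta_settings_from_sp_metadata(SAMPLE_SP_METADATA))
    print("IdP metadata problems:", check_idp_metadata(SAMPLE_IDP_METADATA) or "none")
```

Run against the real files, `okta_settings_from_sp_metadata` takes the SP metadata the answer points to and yields exactly the two strings to paste into the Okta app, and `check_idp_metadata` takes the metadata downloaded from Okta in step (2) of the answer and refuses it if the signing certificate is missing or an endpoint is not served over HTTPS, the two defects that would otherwise only surface as a failed or unsafe sign-in later.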