Amazon Cognito - Federating Users with Amazon Connect


We are attempting to use Amazon Cognito's hosted sign-in pages with the end goal of authenticating users against an Amazon Connect instance. We have a web application which uses the amazon connect streams library, and want to sign users in to Connect prior to initialisation.

The intention is to use the Cognito sign-in process to provide a set of temporary credentials which allow us to call the Connect API's getFederationToken method, and to subsequently sign the user in to Connect with the tokens this call provides.

Some details on the setup:

Connect is set up to auth using SAML.

Users on both sides have/use email addresses for usernames.

The Cognito User Pool has an app client set up. The app client has: these readable/writable attributes, these allowed flows/scopes, and the hosted sign in pages direct the user to our web app once completed, which is when we pick up the Id token.

The Cognito Identity Pool's authenticated role (which I believe is assumed post the cognito auth flow) has the appropriate trust relationship and permissions to allow it to call the connect GetFederationToken method against the connect instance. The auth provider for this pool is set to the cognito user pool.

The following piece of code (ids redacted) shows what we are currently trying to do:

// Id token extracted from the URL fragment the hosted sign-in page redirects back with.
// (hashObj was not defined in the original snippet; this parses "#id_token=...&...".)
var hashObj = Object.fromEntries(new URLSearchParams(window.location.hash.slice(1)));
var IdToken = hashObj.id_token;

// Initialize the Amazon Cognito credentials provider.
// The Logins key is the user pool's token issuer with the "https://" scheme stripped.
AWS.config.region = 'eu-west-2';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'eu-west-2:00000000-0000-0000-0000-000000000000',
    Logins: {
        'cognito-idp.eu-west-2.amazonaws.com/eu-west-2_abcdefg': IdToken
    }
});

// The SDK resolves the identity-pool credentials lazily on the first signed call.
var connect = new AWS.Connect();
var params = {
    InstanceId: '00000000-0000-0000-0000-000000000000' /* required */
};

// Attempt to get a federation token from Connect using the credentials constructed above.
connect.getFederationToken(params, function (err, data) {
    if (err) {
        console.log(err);  // an error occurred (in our case: user not found)
    } else {
        console.log(data); // successful response containing the federation token
    }
});

The issue is this: the federation call is returning a user not found result.

Essentially it can't match the user we have gone through the Cognito auth process with to a user in Connect (I've checked the user names match more times than I can count by now).

We have tried:

  • Messing with attributes against the identity pool and the user pool.
  • Setting the RoleSessionName in the credentials object to various things.
  • Adding claims to the id token using a pre token generation lambda.

Any ideas as to what we are missing? It seems as if we are off by one small step.


Solution

  • You won't be able to set it up: Cognito is an OIDC identity provider, and what Amazon Connect requires is a SAML identity provider.
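Two things on this page can be checked by simply decoding the ID token: the Logins key the question's code uses (it must equal the token's issuer without the scheme) and the answer's point that what Cognito hands back is an OIDC token, not a SAML assertion. This is an added diagnostic, not code from the question or the answer; the helper names are mine and the sample token is constructed inline with a fake signature.

```javascript
// Added diagnostic, not code from the question or answer: decode a Cognito ID
// token (without verifying it) and derive the key the identity pool's Logins
// map expects. The identity pool verifies the signature when it exchanges the token.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split the three dot-separated JWT segments; returns header and claims only.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected 3 segments');
  return { header: JSON.parse(base64UrlDecode(parts[0])),
           claims: JSON.parse(base64UrlDecode(parts[1])) };
}

// Report what an identity pool needs from a Cognito user-pool token.
function inspectCognitoToken(token) {
  const { header, claims } = decodeJwt(token);
  // iss looks like https://cognito-idp.<region>.amazonaws.com/<user-pool-id>
  const issuer = new URL(claims.iss);
  const fromUserPool = /^cognito-idp\.[a-z0-9-]+\.amazonaws\.com$/.test(issuer.hostname);
  return {
    protocol: 'OIDC',                       // a signed JWT, not a SAML assertion
    alg: header.alg,
    tokenUse: claims.token_use,             // Logins needs the ID token ('id'), not the access token
    usableInLogins: fromUserPool && claims.token_use === 'id',
    loginsKey: issuer.hostname + issuer.pathname,  // issuer with the scheme stripped
    username: claims['cognito:username'],
    email: claims.email,
  };
}

// Constructed sample ID token reusing the question's redacted pool id; fake signature.
const SAMPLE_ID_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', kid: 'constructed-kid' })),
  base64UrlEncode(JSON.stringify({
    iss: 'https://cognito-idp.eu-west-2.amazonaws.com/eu-west-2_abcdefg',
    token_use: 'id', aud: 'constructed-app-client-id', exp: 4102444800,
    'cognito:username': 'agent@example.com', email: 'agent@example.com',
  })),
  'constructed-signature',
].join('.');
console.log(inspectCognitoToken(SAMPLE_ID_TOKEN));
```

Running it against a real ID token from the hosted UI shows the exact Logins key to use and the username Cognito asserts; it cannot turn the token into the SAML assertion the Connect federation flow expects.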