Please subscribe to this channel for regular updates ruclips.net/channel/UCEEayyyCrJO94FYlzF0NLTg
Thank You for the support.
AMAZING explanation! Showing first the overview and then going through each single step required with actual testing to see how it works. I need to do this kind of integration and this video is just gold to me. Thank you!
Thank you. Glad it was helpful!
Please like, subscribe & share this video / channel !! Thanks in advance.
Phenomenal explanation. The flow you provided made a very murky concept crystal clear. Thank you.
Glad it was helpful!
This was an excellent one-stop-shop for setting this up. I'd previously been trying to pull together many disparate pieces of documentation, blog posts and articles to get this to work but this video took care of it all in one go.
The only thing I'm stuck on now is how to use the idToken that Cognito returns after the federated login in a call to an API Gateway endpoint. This works without the federated login but there's something about the token that API Gateway doesn't like.
Glad it was helpful!
What authorizer is configured in API GW? Do you see any difference between the ID token generated from federated login vs non-federated login? I think identities array might be different. But, all the other claims should be similar.
Please subscribe, like & share to support this channel. Thanks in advance.
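One way to answer the question above (what differs between the two ID tokens, and whether the claims an API Gateway Cognito user pool authorizer checks are still right) is to decode both tokens and diff them. This is an added example, not code from the video or the channel; the two tokens are constructed fixtures with a junk signature, and the issuer and client id are placeholders. Nothing here verifies a signature, so it is a diagnostic aid only, never an authorization check.

```python
"""Added example (not from the video): decode two Cognito ID tokens, diff their claims,
and check the claims a user pool authorizer verifies. The tokens below are constructed
fixtures with a bogus signature; nothing here verifies signatures."""
import base64
import json
import time

# Claims a Cognito user pool authorizer (and any sane JWT check) verifies on an ID token.
AUTHORIZER_CLAIMS = ("iss", "aud", "token_use", "exp")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Payload of a compact JWT WITHOUT signature verification: for inspection only,
    never for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diff_claims(a: dict, b: dict) -> dict:
    """Claims whose values differ between two tokens, as {claim: (a_value, b_value)}."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def triage(token: str, expected_issuer: str, expected_client_id: str, now=None) -> list:
    """Reasons a Cognito user pool authorizer would reject this token as an ID token."""
    c = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if c.get("iss") != expected_issuer:
        problems.append(f"iss {c.get('iss')!r} != user pool {expected_issuer!r}")
    if c.get("aud") != expected_client_id:
        problems.append(f"aud {c.get('aud')!r} != app client {expected_client_id!r} "
                        "(access token, or a token issued to another app client?)")
    if c.get("token_use") != "id":
        problems.append(f"token_use {c.get('token_use')!r}, expected 'id'")
    if c.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_fixture_token(claims: dict) -> str:
    """CONSTRUCTED test token: real header shape, but the signature segment is junk."""
    header = {"kid": "example-kid", "alg": "RS256"}
    return ".".join((_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     "bogus-signature"))


ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # PLACEHOLDER pool
CLIENT_ID = "EXAMPLE_APP_CLIENT_ID"                                       # PLACEHOLDER client
_base = {"iss": ISSUER, "aud": CLIENT_ID, "token_use": "id", "exp": 4102444800,
         "email": "alice@example.com"}
# Constructed: a native-login ID token and a federated-login ID token for the same pool.
NATIVE_TOKEN = make_fixture_token({**_base, "sub": "11111111-aaaa", "cognito:username": "alice"})
FEDERATED_TOKEN = make_fixture_token({**_base, "sub": "22222222-bbbb",
    "cognito:username": "azuread_alice@example.com",
    "identities": [{"userId": "alice@example.com", "providerName": "AzureAD",
                    "providerType": "SAML", "primary": "true"}]})

if __name__ == "__main__":
    native, federated = decode_claims(NATIVE_TOKEN), decode_claims(FEDERATED_TOKEN)
    for claim, (old, new) in diff_claims(native, federated).items():
        print(f"{claim}: native={old!r} federated={new!r}")
    print("native problems:", triage(NATIVE_TOKEN, ISSUER, CLIENT_ID))
    print("federated problems:", triage(FEDERATED_TOKEN, ISSUER, CLIENT_ID))
```

If `triage` returns nothing for the federated token, the claims the authorizer checks are fine and the difference is only in informational claims such as `identities`, so the rejection comes from somewhere else (which authorizer type is attached, which app client it trusts, or token versus scope configuration).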
Really nice and insightful videos, kindly continue the same method of explaining going ahead.
Thank you
A great video! I learned a lot from it and thank you very much for your time and efforts. I have subscribed.
Thanks for subscribing!
Thanks for sharing. It works practically. :)
You're welcome!
It was very helpful. Thanks
Glad it was helpful.
Excellent Excellent Excellent... made it look very easy. Sir, can you post a video explaining ADFS integration with AWS/Azure? Use case: I have an AD server on-prem and I want to integrate it with AWS or Azure, so that I can use the AD users to log in to both the Azure and AWS portals.
I have not tried this. I think the best option is to integrate AzureAD with the AD and then do a SAML / OIDC federation with AWS / Azure. The other option is to use ADFS + AD and do a SAML federation.
Thank you for the explanation.
Hey, great video! Do you have a video to understand Azure Active Directory and SAML basics from scratch?
Thank you. I am planning to post SAML basics video in future.
Thanks for the video, it was really clarifying.
What needs to change if I want any user with a Microsoft account to be able to log in?
Right now I'm stuck with this error:
AADSTS50020: ... The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Thank you. I have not tried that. This documentation might help learn.microsoft.com/en-us/entra/identity-platform/supported-accounts-validation
Please like, subscribe & share!! Thanks in advance.
@@securityinaction1018 Thanks for this reference. I was kind of discovering that it wouldn't support some signInAudience with Cognito, but this reference just says it explicitly. So this integration only works for organizations, and not for personal emails.
I have not tried it. But, please check if you can enable the "personal emails" option when AzureAD is added as an OIDC provider in Cognito. You can refer to this video for the steps on how to add AzureAD as an OIDC provider: ruclips.net/video/3ImxqC60SWw/видео.html
Please make a video for logout of Azure AD when using the Cognito hosted UI.
Unfortunately, it won't work because Cognito supports only the POST binding for SAML logout requests and AzureAD supports only the redirect binding (HTTP GET) for the SAML logout endpoint.
Hi, it's great to know about SAML tracer. I have a requirement to add AWS Cognito SAML authentication on a custom UI. I am not getting enough idea from the internet.
I am able to log in via the hosted UI. But I need to add the same on a custom UI.
Any help would be appreciated.
Hi Shweta,
Hosted UI is required for any external SAML identity provider to work in Cognito because SAML federation happens in the browser. From the custom UI, you can add a button which will initiate the SAML federation with AzureAD. What you can do is, when a user clicks this button, it should initiate the authorization code grant flow with Cognito. In the authorize endpoint, pass the identity_provider or idp_identifier parameter to bypass the hosted UI login page and redirect to AzureAD. In this way, users won't even realize the hosted UI exists.
Refer docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html where it talks about these parameters
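The flow described in the reply above, as an added example that is not part of the video or the channel's material: a custom UI's "Sign in with AzureAD" button sends the browser to Cognito's `/oauth2/authorize` endpoint with `identity_provider` set, and the callback handler checks `state` before exchanging the code. The user pool domain, app client id, callback URL and IdP name are placeholders. PKCE (RFC 7636) is included because a browser-initiated code flow should carry it.

```python
"""Added example (not from the video): start a Cognito authorization-code flow that
goes straight to the SAML IdP by passing identity_provider, using PKCE and a state
value. Domain, client id, callback URL and IdP name below are placeholders."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# PLACEHOLDERS: replace with your user pool domain, app client id, an allowed callback
# URL of that client, and the provider name you gave the SAML IdP in the Cognito console.
COGNITO_DOMAIN = "https://example-pool.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "EXAMPLE_APP_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"
IDP_NAME = "AzureAD"


def code_challenge(code_verifier: str) -> str:
    """S256 transform from RFC 7636: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Fresh (code_verifier, code_challenge); keep the verifier server-side in the session."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, code_challenge(verifier)


def build_authorize_url(state: str, challenge: str, idp_name: str = IDP_NAME,
                        scope: str = "openid email profile") -> str:
    """URL the custom UI's button sends the browser to. identity_provider makes the
    hosted UI skip its own login page and redirect straight to the named IdP."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                    # bound to the user's session; checked on return
        "code_challenge_method": "S256",
        "code_challenge": challenge,
        "identity_provider": idp_name,
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def extract_code(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from Cognito and return the authorization code.
    A state mismatch means the response is not bound to this login attempt: drop it."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        detail = query.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {query['error'][0]} {detail}".strip())
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response not bound to this login attempt")
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    return query["code"][0]


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(state, challenge))
    # The returned code is then exchanged at /oauth2/token (grant_type=authorization_code,
    # client_id, redirect_uri, code, code_verifier); that request is not shown here.
```

Keep `state` and the code verifier in the server-side session, not in the URL or local storage; the token exchange at `/oauth2/token` then sends `code_verifier`, which is what ties the code to the browser that started the flow.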
Thank you for this video and your help. Excuse me, in my project I can't log out the session; can you help me?
I have not tried the single logout option. But, Cognito supports SLO based on this documentation docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-console.html. Please note that AzureAD should also support SLO for this to work.
Thanks for making this video. It offered great conceptual clarity with excellent explanation.
I have one question though. If I create a user in the Cognito user pool directly (with a default password) and then I try to log in using the IdP rather than the password, then I am getting an error in the SAML response.
"Invalid SAML response received: User already exists with provider user id"
Is there any way to deal with this?
You shouldn't get that error. Are you creating a user with the same username as the IdP user in the user pool?
@@securityinaction1018 Yes, once I created the user with a different username, it created 2 different users with the same email: one that I created in Cognito and one that got auto-created. I am trying to use AdminLinkProviderForUser with a pre-signup lambda to prevent creation of duplicate users now.
Yes, you can link both the users. What is the use case? Do you want to pre-provision the users in user pool before they login using IdP?
The use case is to create users who have not signed up on the application yet. The users can be assigned some tasks. When the user signs in using SSO, it should get linked to the same user so that they can find their tasks.
Got it. So, you want to pre-provision the users, assign some tasks so that they can view it after they SSO using their IdP. Whatever approach you are taking is the right one.
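The approach discussed in this exchange (pre-provision the user, then link the federated identity in a pre sign-up trigger with AdminLinkProviderForUser) as an added example; this is not the commenter's code nor anything from the video. The user pool id is a placeholder, the mapping from the federated username prefix to the configured provider name is an assumption to confirm against a real `PreSignUp_ExternalProvider` event, and `FakeCognitoClient` is an offline stand-in for boto3 so the logic can be run without AWS.

```python
"""Added example (not from the video): a Cognito pre sign-up trigger that links a
federated (SAML) identity to a pre-provisioned user with the same email, so the IdP
login lands on the existing user instead of creating a duplicate. User pool id and
provider names are placeholders/assumptions."""
import logging

logger = logging.getLogger(__name__)

USER_POOL_ID = "us-east-1_PLACEHOLDER"          # PLACEHOLDER: your user pool id
# ASSUMPTION: lower-cased prefix of the federated username -> provider name as configured
# in the pool. Only providers listed here are ever linked to an existing account.
LINKABLE_PROVIDERS = {"azuread": "AzureAD"}


def parse_federated_username(user_name):
    """Cognito names federated users '<provider>_<subject>'. ASSUMPTION: confirm the
    exact prefix against a real PreSignUp_ExternalProvider event in the Lambda logs."""
    prefix, sep, subject = user_name.partition("_")
    if not sep or not subject:
        raise ValueError(f"unexpected federated username: {user_name!r}")
    return prefix.lower(), subject


def find_native_user(client, email):
    """Username of the Cognito-native user with this email, or None. Federated users
    have UserStatus EXTERNAL_PROVIDER and are skipped; two natives is an error."""
    resp = client.list_users(UserPoolId=USER_POOL_ID, Filter=f'email = "{email}"', Limit=10)
    natives = [u["Username"] for u in resp.get("Users", [])
               if u.get("UserStatus") != "EXTERNAL_PROVIDER"]
    if len(natives) > 1:
        raise RuntimeError(f"{len(natives)} native users share {email}; refusing to guess")
    return natives[0] if natives else None


def link_federated_user(client, native_username, provider_name, subject):
    """AdminLinkProviderForUser: attach the IdP identity to the existing (destination) user."""
    return client.admin_link_provider_for_user(
        UserPoolId=USER_POOL_ID,
        DestinationUser={"ProviderName": "Cognito", "ProviderAttributeValue": native_username},
        SourceUser={"ProviderName": provider_name, "ProviderAttributeName": "Cognito_Subject",
                    "ProviderAttributeValue": subject},
    )


def handler(event, context=None, client=None):
    """Lambda entry point; `client` is injectable so the logic can run offline."""
    if event.get("triggerSource") != "PreSignUp_ExternalProvider":
        return event                                   # native sign-ups: nothing to link
    if client is None:
        import boto3                                   # only needed inside Lambda
        client = boto3.client("cognito-idp")
    prefix, subject = parse_federated_username(event["userName"])
    provider_name = LINKABLE_PROVIDERS.get(prefix)
    if provider_name is None:
        # An IdP not on the list must not be able to claim an existing account just by
        # asserting its email; let Cognito create a separate federated user instead.
        logger.warning("provider %r is not linkable; not linking", prefix)
        return event
    email = event["request"]["userAttributes"].get("email")
    if not email:
        logger.warning("assertion carries no email; not linking")
        return event
    native = find_native_user(client, email)
    if native is None:
        logger.info("no pre-provisioned user for %s; Cognito creates the federated user", email)
        return event
    link_federated_user(client, native, provider_name, subject)
    logger.info("linked %s/%s to existing user %s", provider_name, subject, native)
    return event


class FakeCognitoClient:
    """Offline stand-in for boto3's cognito-idp client (constructed for this example)."""
    def __init__(self, users):
        self.users, self.links = users, []

    def list_users(self, UserPoolId, Filter, Limit):
        email = Filter.split('"')[1]
        return {"Users": [u for u in self.users if u["email"] == email][:Limit]}

    def admin_link_provider_for_user(self, **kwargs):
        self.links.append(kwargs)
        return {}


# CONSTRUCTED event in the shape of the PreSignUp trigger input.
SAMPLE_EVENT = {
    "triggerSource": "PreSignUp_ExternalProvider",
    "userName": "AzureAD_alice@example.com",
    "request": {"userAttributes": {"email": "alice@example.com"}},
    "response": {},
}

if __name__ == "__main__":
    fake = FakeCognitoClient([{"Username": "alice", "UserStatus": "FORCE_CHANGE_PASSWORD",
                               "email": "alice@example.com"}])
    handler(dict(SAMPLE_EVENT), client=fake)
    print(fake.links)
```

Test the first federated sign-in after linking end to end in a dev pool before relying on this, and keep the Lambda's IAM role limited to `cognito-idp:ListUsers` and `cognito-idp:AdminLinkProviderForUser` on that pool.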
Very nice video. For some reason I'm getting a 500 when I'm getting the SAML response :(
Please use the SAML tracer to verify if SAML assertion is posted back to Cognito. Also, check if any error message is displayed in the browser URL as a request parameter.
@@securityinaction1018 checked that. It's just plain and simple 500
Ok, then most probably some issue in AzureAD configuration. Please check the steps again in the video to make sure all the configurations are correct.
Thanks man
Could you please add time stamps to this video?
Sorry, I am not aware of that. If you can share any websites on how it needs to be done, I will surely take a look.
@@securityinaction1018 I'd recommend googling "how to add timestamps to youtube video" and it'll teach you how. Thanks for the video again! Helped a lot.
Glad it helped. Sure, will check it out.
Please like, subscribe & share this video / channel !! Thanks in advance.
Hi there, what about the logout? Does Cognito provide logout from the SAML provider, in this case Azure AD? Or maybe Okta? I use AWS Amplify, and after the logout, the users still remain logged in at the IdP.
As per this doc learn.microsoft.com/en-us/entra/identity-platform/single-sign-out-saml-protocol, AzureAD SAML logout supports only redirect binding (HTTP GET), and not HTTP POST binding. Cognito uses POST binding for SAML logout and that is the reason why IdP session is not logged out. I have not tested Okta. If Okta supports HTTP POST binding for SAML logout, it should work.
Please like, subscribe & share!! Thanks in advance.
@@securityinaction1018 I have tested with BOTH. Indeed, Cognito does not work with GET. Okta sends POST, but then the Okta session is still persisted, whereas the AzureAD session is terminated, even though Cognito returns an error after the GET request. What a pity.
That's not good. Is Okta sending a successful response for SAML logout request from Cognito?