Configure AWS Cognito as OAuth IDP for SSO

miniOrange Identity Broker service solution enables cross protocol authentication. You can configure AWS Cognito as an IDP for Single Sign-On (SSO) into your applications/websites. Here, AWS Cognito will act as an Identity Provider (IDP) and miniOrange will act as a broker.

We offer a pre-built solution for integrating with AWS Cognito, making it easier and quick to implement. Our team can also help you set up AWS Cognito as OIDC IDP to login into your applications.

Get Free Installation Help

miniOrange offers free help through a consultation call with our System Engineers to configure SSO for different apps using AWS Cognito as IDP in your environment with 30-day free trial.

For this, you need to just send us an email at idpsupport@xecurify.com to book a slot and we'll help you in no time.

Prerequisites

Please make sure your organisation branding is already set under Customization >> Login and Registration Branding in the left menu of the dashboard.

Follow the Step-by-Step Guide given below for AWS Cognito Single Sign-On (SSO)

1. Configure miniOrange as Service Provider in AWS Cognito

Note: If you would like to customize the AWS login page kindly choose AWS as the Userstore. For the default AWS login page, you can go with AWS as IdP configurations.

Configure miniOrange as SP in AWS Cognito
Configure miniOrange as Userstore in AWS Cognito

1.1 Configuring miniOrange as Service Provider (SP) in AWS Cognito

AWS Cognito Single Sign On (SSO) : Login to Amazon Console

Search for Cognito in the AWS Services search bar as shown below.

Search for Cognito in AWS Services to configure SSO

Click on Create user pool button to create a new user pool.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Click Create user pool

Choose the attributes in your Cognito user pool to be used during the sign-in process.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Choose attribute in Cognito user pool

Set up a strong password to configure your security requirements. Go ahead with the ‘No MFA’ option if you want users to only sign in with a single authentication factor. If you wish to enable MFA (Multi-factor authentication) it will require SMS messages which are charged separately by Amazon SNS. Learn more about that here. Click Next.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Go head with No MFA

AWS Cognito OAuth/OpenID Single Sign On (SSO)

Configure attributes that would be required during the user sign-up flow.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Configure Attribute

Choose additional attributes if you wish to. Click Next.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Click Next

Configure how your user pool sends email messages to users.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Choose Send and Email message

Enter a name for your user pool, Also Under Hosted authentication pages, check ‘Use the Cognito Hosted UI’.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Enter a name of your user pool

Now, Under the Domain section choose the domain type as ‘Use a Cognito domain’. Enter a domain name for your Cognito app.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Enter a Domain name

Under the Initial app client section, Enter a name for your app client and check on Generate a client secret.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Enter name of your App client

Now, go to miniOrange Admin Console.
From the left navigation bar select Identity Providers and Click on Add Identity Provider button.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Go to Identity Providers

Select OAuth 2.0 and copy the OAuth Callback URL, which will be needed in the next steps.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Select OAuth 2.0

Now enter your OAuth Callback URL which you will get from your miniOrange plugin present on your Client side and paste it under the Allowed callback URLs text-field. Also refer the following image for choosing the authentication flows for your app.

Now, Under Advanced app client settings, select Identity provider as Cognito user pool & Select Authorization code grant under the OAuth 2.0 grant types and also select openid,email and profile checkboxes under the OpenID Connect scopes section (Please refer to the image below).
Click on the Next button to save your configurations.

Now, Review your selection of requirements. Click Create user pool to confirm the selection and create a user pool.

After successfully creating your user pool, Select your pool name from the list of pools to start with user creation.

Go to the Users tab, and click Create user.

Enter details such as username, email address & password. Click on Create user to save the details.

You have Successfully complete AWS Cognito side configuration.

1.1 Configuring miniOrange as Userstore in AWS Cognito

A] Steps to Configure User Pool

Sign in to AWS Amazon.
Now enter “Cognito” in search text box & select Cognito from dropdown.

Go to “Manage your user pools”.

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Manage user pools

Click on “Create a user pool”.

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Create a user pool

Add pool name and select “Review Defaults”.

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Review Defaults

Click on Edit icon as shown in the below image.

Now, Enable the Email Address and Phone Number option and click on Next step button.

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO configure email address and phone number

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Add app client

Click on “Add app client” & then click on Add an app client.

Enter App client name & Disable Generate Client Secret option. Enable the Username Password based authentication option,then Click on “Create app client”.

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Create app client

Click on Return to Pool Details to come back to your configuration.

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login return to aws pool

Click on Create Pool button to save your settings and create a user pool.

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Create a AWS user pool

In the navigation bar present on the left side, click on the App Client Settings option under the App Integration menu.

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login go to app client settings

Go to the Cognito dashboard and select “Cognito User Pool”, add callback URL which you have copied from Pre-requisite.
Add application home page URL has to Sign out URL.
Also, select Authorization code grant as “Allowed OAuth Flows” & select email, OpenID, Profile as “Allowed OAuth Scopes”.
After selecting all details click on Save changes button.

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Save changes

Go to “App client” and click on “Show details” to get a client ID. (Keep client ID handy as you will need it later.)

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login get client ID details

Go to domain name and enter a domain name for your app. After adding domain name you can check its availability by clicking on “Check availability” button. After entering valid domain name click "Save changes” button.

OAuth/OpenID/OIDC Single Sign-On (SSO) - AWS cognito SSO Login domain name

Complete domain name: The complete domain name that you need to enter in miniOrange dashboard is {your domain name}.auth.{region name}.amazoncognito.com
Add Users / Groups to Cognito App : Go to Users and groups and then click on Users. After this click on Create user.

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Add Users / Groups

Fill all required information's and click on Create user.

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Create user

Click on Groups and then click on Create group.

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Groups

Fill all required information's and click on Create group.

OAuth/OpenID/OIDC Single Sign On (SSO), AWS cognito SSO Login Create group

B] Steps to Configure Identity Pool

Go to Federated Identities and click on Create new Identity pool button.

AWS cognito SSO Login : Select Identity Pool

Enter Identity pool name and enable Unauthenticated identities and Authentication flow settings, then click on Create pool button.

AWS cognito SSO Login : Create new user Pool

Click on Allow button and you will get the Identity Pool Id.

AWS cognito OAuth SSO : Get Cognito Identity Pool ID

2. Configure AWS Cognito as Userstore OR IDP in miniOrange

Configure AWS Cognito as IDP in miniOrange
Configure AWS Cognito as Userstore in miniOrange

Go to miniOrange Admin Console.
From the left navigation bar select Identity Providers >> Add Identity Provider. Select OAuth 2.0.

AWS Cognito SSO : Select Identity Providers

Navigate to the App Integration section in AWS Amazon and copy the full domain name in this format: {your domain name}.auth.{region name}.amazoncognito.com for later use.

Still in the App Integration tab, scroll down to the App clients and analytics section and click on your App client name to see the Client ID and Client Secret.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : In App Integration sroll to App clients and analytics

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Copy Client ID and Client secret

In the miniOrange Admin Console, enter the values as required.

IdP Name	Custom Provider
IdP Display Name	Choose appropriate Name
OAuth Authorize Endpoint	https://{cognito-app-domain}/oauth2/authorize
OAuth Access Token Endpoint	https://{cognito-app-domain}/oauth2/token
OAuth Get User Info Endpoint (optional)	https://{cognito-app-domain}/oauth2/userInfo
Client ID	From above step
Client secret	From above step
Scope	openid email phone profile

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Enter AWS Cognito IDP details

Go to miniOrange Admin Console.
From the left navigation bar select External Directories and Click on Add Directory button.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Go to External Directories and click Add Directory

Select AWS Cognito.

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Select AWS Cognito Directories

Enter the following values.

AWS Cognito Identifier	Provider Name
AWS Cognito Region	Get Cognito region from user pool(eg.us-east-2)
Identity Pool ID	From step 1.2
User Pool ID	From step 1.1
Client ID	From step 1.1

AWS Cognito OAuth/OpenID Single Sign On (SSO) : Enter the AWS Userstore values

Now you can click on Save.

3. Test Connection

Visit your Login Page URL.
Go to Identity Providers tab.
Click on Select >> Test Connection option against the Identity Provider (IDP) you configured.

On entering valid AWS Cognito credentials (credentials of user assigned to app created in AWS Cognito), you will see a pop-up window which is shown in the below screen.

Hence your configuration of AWS Cognito as IDP in miniOrange is successfully completed.

Note:

You can follow this guide, if you want to configure SAML/WS-FED, OAuth/OIDC, JWT, Radius etc

Configure Attribute Mapping

Go to Identity Providers >> View Identity Providers >> Your configured AWS Cognito as IdP.
Now click on Select and then Configure Attribute Mapping of your application.

Under Attribute Type - EXTERNAL for the external attributes that need to be transformed and sent to applications or service providers.
Click on the + Add Attribute button to add the attribute fields.

AWS Cognito Single Sign-On SSO Map External Attribute

Check attributes in test connection window from last step. Enter the attribute names (any name) that you want to send to your application under Attribute Name sent to SP.
Enter the value of attributes that are coming from IdP into the Attribute Name from IdP field on the Xecurify side.

Setup Multiple IDPs (Optional)

You can configure multiple IDPs (Identity Providers) and give users the option to select the IDP of their choice to authenticate with.
For Example - It could be multiple AD domains belonging to different departments or multiple okta organizations.

Few usecases where customers configure multiple IDPs -

Suppose you have a product which many of your clients use and each client has their own unique IDP so you want them to SSO into your product as well using their existing IDP only. miniOrange provides a centralized way to connect with all IDPs in a very easy manner and integrate SSO into your application.
Suppose you are providing a course to many universities, each having a unique SAML, OAuth protocol supported IDP's like Shibboleth, ADFS, CAS, etc. You can provide Single Sign-On (SSO) into your course application to all these universities by integrating with all of them using a single platform provided by miniOrange.
This is the endpoint to call from your SAML application -

For Cloud IDP -	https://login.xecurify.com/moas/discovery?customerId=<customer_id>
For On-Premise IDP -	https://yourdomain.com/discovery?customerId=<customer_id>

You should copy the Customer Key from admin console-> Settings -> and replace it with <customer_id> here. Once configured in SP, when you initiate the login from Service Provider, a user will be redirected to IDP Selection Page listing all IDPs configured for that account.

You can see the screenshot below of the IDP Selection Page with a list of IDPs.

Note: To view the IDP in drop-down list, go to Identity Providers tab > against your configured IDP > Select >Edit , here Enable the Show IdP to Users option.

Select your IDP (Identity Provider) to login

You also have the option to modify the appearance and design of this page. Login to miniOrange Admin console. Navigate to Customization -> Branding Configuration. See the below screenshot for reference-

You can customize the title of this page.
Change the logo and favicon for this page.
Change the background and button color for this page from admin UI.

Troubleshooting

You receive these error message when you try to SSO in to an application that has been set up to use AWS Cognito as External IdP using OAuth based Single Sign-On (SSO).

Error - Invalid redirect_uri

This error occurs when the redirect URI specified in the authentication request doesn’t match the one registered in Cognito.

Verify that the correct redirect URI is configured under App Client Settings in the AWS Cognito console.
Ensure the redirect URL in your OAuth client matches exactly with the one in Cognito, including case sensitivity.

Error - invalid_client

This error typically arises when the Client ID or Client Secret in the OAuth request is incorrect.

Double-check the Client ID and Secret values in the App Clients section of your Cognito user pool and ensure they are used correctly in your application's OAuth requests.

Error - Missing required scopes

If your OAuth request lacks necessary scopes (e.g., 'openid', 'email', or 'profile'), AWS Cognito will throw this error.

Go to App Client Settings in the Cognito user pool and ensure the relevant Auth scopes are enabled.
Also, confirm the scopes are included in your OAuth authorization request.

Error - invalid_grant

This error often occurs if there is an issue with the authorization code or refresh token used to get tokens.

It can happen if the authorization code has expired or has already been used.
Ensure your authorization codes are being used correctly and have not expired. Additionally, check if the refresh token has expired.

Error - unauthorized_client

This means the OAuth client (application) is not allowed to use the specific flow (e.g., authorization code, implicit, or client credentials).

Go to App Client Settings in the AWS Cognito console and confirm that the correct grant types are enabled, such as Authorization code grant, Implicit grant, etc., depending on your application’s flow.

Error - access_denied

This occurs when the user denies consent or the client app doesn’t have permission to request specific scopes.

Make sure the user has provided proper consent for the required scopes.
Also, ensure the requested scopes are available and authorized in the App Client Settings.

Contents