Thank you for your explanation 😊 I managed to make it work, but with Cognito + Google Account as an OIDC IdP. P.S. Since the Cognito UI has changed, maybe for new videos, if you could use the new UI, that would be easier for newcomers.
This is the video: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-7r0eBNBNEZ8.html. This also uses a Google dev account and OAuth. It might be the same as what you did.
Hi, I got to the point where I log in and I'm redirected to jwt where I can see the access token, but I don't see the users being added to the user pool. How is that achieved? Thanks.
If you are getting the access token and ID token and seeing the user details on the jwt.io page, it would have surely created the user profile in the Cognito user pool, because these tokens won't get generated without a Cognito user profile. Try refreshing the Users tab in the Cognito user pool, because sometimes it doesn't auto-refresh.
You can pass the identity_provider parameter to the /authorize endpoint as mentioned here: docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html. If this value is passed, Cognito will not display the hosted UI login page. Instead, it will redirect to that IdP. Please like, subscribe & share!! Thanks in advance.
You are welcome!! I will surely look into this custom UI sign-in flow and try to post a video. Are you referring to the Cognito custom login page UI? Please like, subscribe & share!! Thanks in advance.
@securityinaction1018 Yes and no. I'm referring to integrating an OAuth federated sign-in experience using Google, or any other OIDC provider, and a custom UI (e.g. a React or Vue.js custom login page) using Cognito. In your example you used the hosted UI from Cognito.
You need to make some configuration changes in Okta and pass the groups scope from Cognito to Okta. Please refer to this document: developer.okta.com/docs/guides/customize-tokens-groups-claim/main/ Please like, subscribe & share!! Thanks in advance.
I have a user migration lambda which, during sign-on, adds a new user to the user pool using SAML authentication. The problem I am facing is that the username of the user added to the pool is the email with which he logged in. But I want to map the username to some UUID like the sub attribute, and I don't want the username to be any user's personal data. I am able to do this with Google sign-on but not with Okta SAML. Any suggestions?
Please check this article: support.okta.com/help/s/article/How-to-configure-a-required-SAML-Username-Attribute-when-Multiple-Okta-Username-Formats-are-being-used?language=en_US. In your case, try setting the "Application username format" to custom with an expression language of "user.getInternalProperty("id")". Refer to this article for EL: developer.okta.com/docs/reference/okta-expression-language/#okta-user-profile
@securityinaction1018 Thanks for the information, but for the requirement I have, this also is not working. And I am pretty new to AWS, still learning. What I want is for my JWT token created through the pre-token lambda of Cognito to have any personal information of the user. If my user pool contains a username which is the email of the signed-in user, whenever the token is generated the username attribute will contain the email ID. FYI, I also have a Google sign-on, and during that the username is getting mapped to the sub attribute. But for SAML and normal user ID and password login, the username equals the user's email in the Cognito user pool. Any pointers you have which I can use will be helpful.
You can suppress a specific claim in the JWT token using the pre token generation trigger: docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html#aws-lambda-triggers-pre-token-generation-example-1. In this example, they are suppressing the email claim by passing an attribute name list in "claimsToSuppress". You can try passing all the claim names that you want to remove from the JWT ID token.
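As an added illustration of the claimsToSuppress mechanism described in that reply (example code, not the video's or AWS's own), here is a Node.js pre token generation trigger in the V1 event shape that strips personal-data claims from the ID token; the claim list, the sample event and the placeholder ids are constructed assumptions.

```javascript
// Added example: Cognito pre token generation trigger (V1 event shape) that
// removes personal-data claims via response.claimsOverrideDetails.claimsToSuppress.
// The claim list and the sample event below are constructed assumptions.
const CLAIMS_TO_SUPPRESS = ["email", "given_name", "family_name", "phone_number"];

// Synchronous core so the logic can be exercised without invoking Lambda.
function buildClaimsOverride(event) {
  // Pre token generation sources all start with "TokenGeneration_"; any other
  // trigger source is returned untouched so a mis-wired trigger cannot alter tokens.
  if (typeof event.triggerSource !== "string" ||
      !event.triggerSource.startsWith("TokenGeneration_")) {
    return event;
  }
  const attrs = (event.request && event.request.userAttributes) || {};
  // Only name claims the user actually carries, in a stable order.
  const claimsToSuppress = CLAIMS_TO_SUPPRESS.filter((c) => c in attrs);
  event.response.claimsOverrideDetails = { claimsToSuppress };
  return event;
}

// Lambda entry point: Cognito passes the event in and expects it back.
async function handler(event) {
  return buildClaimsOverride(event);
}

// Local approximation of what Cognito does with the override: the attribute map
// minus the suppressed claims. Claims Cognito treats as reserved are not modelled.
function projectClaims(userAttributes, claimsOverrideDetails) {
  const suppressed = new Set((claimsOverrideDetails || {}).claimsToSuppress || []);
  return Object.fromEntries(
    Object.entries(userAttributes).filter(([name]) => !suppressed.has(name))
  );
}

// Constructed sample event with placeholder ids, not values from a real pool.
function sampleEvent() {
  return {
    version: "1",
    triggerSource: "TokenGeneration_HostedAuth",
    userPoolId: "placeholder-pool-id",
    userName: "alice@example.com",
    request: {
      userAttributes: {
        sub: "00000000-0000-4000-8000-000000000000",
        email: "alice@example.com",
        given_name: "Alice",
        "custom:department": "engineering",
      },
    },
    response: { claimsOverrideDetails: null },
  };
}

if (typeof module !== "undefined") module.exports = { handler, buildClaimsOverride, projectClaims, sampleEvent };
```

Claims the pre token generation document marks as reserved stay in the token even if listed here, which is the limit the next reply runs into.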
You are right. I was not able to suppress that claim. Looks like it is a reserved attribute as per this document docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html.
Good question. The main purpose of this video is to demo how to add Okta as an OIDC IdP in AWS Cognito. I have posted two different videos on how to configure the Authorization code grant flow using Cognito. Without PKCE: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-Ox7FuGpQrV8.html With PKCE: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-lWVmJ1CXzMo.html