You absolute hero, I had an issue with my mappings that the AWS documentation had incorrectly told me to follow. Your advice has fixed this for me, brilliant video well done and thank you!
I have an use case where we want to use Cognito with OKTA using SAML. Since our application needs to have ROLES/SCOPES where we control who can access what, is it possible to configure this in Okta (something like roles/permissions/custom attributes?) and they are passed to Cognito and be as part of the token? Great video! Keep up the good work!
I am sure there should be some way to pass the Okta roles in a SAML attribute and then map that to a custom Cognito userpool attribute. This custom attribute can be added in the Cognito's ID token.
@@securityinaction1018 I managed to do that just now, added "groups" attribute and included all the groups the user belongs to, and after that i am mapping it to custom Cognito User Pool attribute and that appears in the ID token. Is it possible for somehow to appear in the access token? Because i will have to use ID tokens to do my Authentication/Authorization, which "apparently" is not a good practice based on some people on the internet
@@AleksandarT10 Can you provide me the steps on how we can show okta groups in ID token. I'm not able to see it in the ID token. I have created a group in okta and assigned the user as well. In cognito I created the custom user attribute custom:appgroups and mapped it to okta group name admingroup. But still the group is not showing up
I refreshed as Users have not got created, reaching out to you for your guidance. One more point, it created a group with UserPool Id_Okta Domain name without any user. @@securityinaction1018
That's surprising. Are you getting an ID token ? If so, a user profile should be present. But, I am not sure why it is not showing up even after refreshing. May be you can try opening the console in different browsers or incognito window.
After redirecting with JWT token How can I decrypt the token in Javascript. Which npm package should be use and for decryption from where I can get the keys??
Hi Dipak, refer this documentation for more details docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-aws-jwt-verify. It has all the details that you asked.
@@securityinaction1018 As per video we don't set federation by clicking seperate link 'Federated Identities' in aws cognito service. Now I'm using 'aws-amplify' package where 'federatedSignIn' method required identity_id e.g. eu-north-1:8e2f0d8e-3014-41da-977b-7c7e28fba44a . How can I provide this ID by creating new federation it shows error 'unknown federation id'
I have not used amplify library. If you can point out to the exact documentation, I can take a look and let you know. Also, can you explain the requirement? Do you want to bypass the Cognito login page and redirect to the external IdP login page?
Hi , This is very informative video , could you help me with add keycloak as SAML Identity Provider in aws cognito if you have any reference or setup guide.
If I understand the question correctly, you want to authenticate both okta and cognito pool users using the same login form. If so, that is not possible because Okta profiles are stored within Okta user data store and similarly, Cognito users in Cognito's user data store. Federation is the best way to handle this.
Cognito groups are already available in Access Token in "cognito:groups" claim. Refer this documentation for more details docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html
Refer support.okta.com/help/s/article/How-to-pass-a-user-s-group-membership-in-a-SAML-Assertion-from-Okta?language=en_US. I have not tried this. You can map the Okta SAML attribute that has group details to a custom attribute in Cognito user profile. This custom attribute will get added as a claim in the ID token, but not access token.