SAML IdP - AWS Cognito/IAM 作为身份提供商

Question

I know services such as Auth0 can act as both SAML IdPs and integrate with third party IdPs. It would seem that Cognito can only integrate with other third party IdPs as a service provider, it can actually perform the role of an IdP.

The use case is we have our apps creating users in Cognito. We'd like to use a third party application which can integrate with a SAML IdP to support SSO. Is this possible with Cognito or would we need to use something like Auth0?

Answer 1

Currenlty, Cognito is an OIDC IdP and not a SAML IdP. If an application supports OIDC, you can use Cognito to connect to that.

We have recently released in public beta a new feature that allows you to federated identity from another SAML IdP. Here's the blog entry https://aws.amazon.com/blogs/mobile/amazon-cognito-user-pools-supports-federation-with-saml/

We will consider your request for future releases.

Answer 2

A Cognito user pool by itself is not an SAML provider yet. But if you would like to use a Cognito user pool, and also use it as a SAML provider, you'll have to allow users to sign in through a real external SAML federated identity provider, such as AWS SSO, by integrating Cognito user pool with the external SAML IdP:

And your app should not directly add a user to the Cognito user pool, but you will need to add users to your external SAML IdP, such as AWS SSO. During the sign-in process, Cognito will automatically add the external user to your user pool.

(See https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp-authentication.html )