Is it possible to intercept SAML response before it gets to cognito?

How it works with Cognito is that you map groups from the SAML response, but the problem arises when mapping groups from the SAML response for a user who is in many groups, because the custom attribute then exceeds the 2048-character limit.

I would like to pick up the groups from the SAML response, keep only those necessary for the application's use case, and then forward them to Cognito, where the JWT is generated.

In the AWS documentation it is recommended to filter the mapped groups:

Recommended: Filter the mapped groups to only those that are relevant to the application (for example, by a prefix filter). There is a 2,048-character limit on the custom attribute, so filtering avoids exceeding the character limit and also avoids passing irrelevant information to the application.

So, the question is: how can I filter the mapped groups programmatically before they get to Cognito?

As you are working with a SAML response, I'm assuming that you are trying to integrate with ADFS or Azure AD. We managed to resolve the same issue in both by applying a filter (prefix filter) before adding the claims to the SAML response on the AD end.
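The following is an added example, not code from the question, the answer, or AWS. It makes the answer's point concrete: it parses a constructed SAML assertion carrying the Microsoft group claim, shows that the unfiltered group list would overflow the 2048-character custom attribute once mapped, and shows that the same prefix filter the answer applies at the IdP keeps the mapped value within the limit. The assertion is constructed (no signature, no real group names), the comma-joined serialization of the mapped value is an assumption about how the groups end up in the attribute, and the "app-" prefix is a placeholder for whatever naming convention the application's groups use. In a real deployment this filtering runs in the IdP's claim-issuance rules before the assertion is sent, as the answer describes; the code only demonstrates the check.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Group claim name that AD FS / Azure AD emit for group membership
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Custom attribute size limit quoted in the question
COGNITO_ATTR_LIMIT = 2048


def build_sample_assertion(n_noise_groups: int = 60) -> str:
    """Constructed sample assertion (not a real capture): a user in a few
    application groups (prefix "app-") plus many unrelated directory groups."""
    groups = ["app-admin", "app-reader", "app-billing"] + [
        f"corp-distribution-list-{i:03d}-all-employees" for i in range(n_noise_groups)
    ]
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{GROUPS_CLAIM}">{values}</saml:Attribute>'
        "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def extract_groups(assertion_xml: str) -> list[str]:
    """Return every AttributeValue of the group claim in the assertion."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUPS_CLAIM:
            groups.extend(v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS))
    return groups


def filter_groups(groups: list[str], prefix: str) -> list[str]:
    """The prefix filter the AWS docs recommend: keep only application groups."""
    return [g for g in groups if g.startswith(prefix)]


def mapped_attribute_value(groups: list[str]) -> str:
    """Assumed serialization of the mapped claim into one custom attribute string."""
    return ",".join(groups)


def fits_cognito_limit(value: str) -> bool:
    """True when the mapped value would not exceed the custom attribute limit."""
    return len(value) <= COGNITO_ATTR_LIMIT


if __name__ == "__main__":
    all_groups = extract_groups(build_sample_assertion())
    unfiltered = mapped_attribute_value(all_groups)
    filtered = mapped_attribute_value(filter_groups(all_groups, "app-"))
    print(f"unfiltered: {len(all_groups)} groups, {len(unfiltered)} chars, "
          f"fits={fits_cognito_limit(unfiltered)}")
    print(f"filtered:   {len(filter_groups(all_groups, 'app-'))} groups, "
          f"{len(filtered)} chars, fits={fits_cognito_limit(filtered)}")
```

With the constructed input, the unfiltered value is well over 2048 characters and would be rejected at mapping time, while the prefix-filtered value is a few dozen characters. The same prefix check is what the IdP-side claim rule has to express; Cognito never sees the discarded groups, which is also why the docs note that filtering keeps irrelevant information out of the application's tokens.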
