How to set up Okta as SAML IDP in AWS Cognito User Pool?

Question

I will want to use Okta as SAML 2.0 based IDP, AWS Cognito as service provider, and Cognito user pool to have federated IDP configuration.

I have followed all the steps mentioned in AWS sites listed below -

• https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
• https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-integrating-3rd-party-saml-providers.html
• https://aws.amazon.com/blogs/mobile/amazon-cognito-user-pools-supports-federation-with-saml

Okta does not provide any support or documentation - https://support.okta.com/help/answers?id=9062A000000QucAQAS&feedtype=SINGLE_QUESTION_DETAIL&dc=xSAML&criteria=OPENQUESTIONS& .

Please note that I have tried Okta as IDP, established trust with AWS IAM, and using Okta user logs in to my AWS account. This works fine following the detailed documentation provided by Okta. However, my need is different wherein I would like to use Okta as SAML IDP in my AWS cognito user pool.

Any detailed documentation containing configurations to be done at both ends ie AWS and Okta, will be helpful.

Answer 1

I did setup Okta with Cognito through SAML with the following:

Okta side:

• Single sign on URL will be your cognito SAML endpoint in the form of: https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse (see under your user pool, "App integration" -> "Domain name" for the first part of the URL).
• Audience URI (SP Entity ID) will be the URN of your cognito user pool: urn:amazon:cognito:sp:<yourUserPoolID> (see your user pool "General Settings" for that pool ID).
• Attribute statements, you want to add whatever attribute you set as mandatory in your pool, in my case it was email.

Cognito side - User pool:

• Federation -> Identity providers : Choose SAML and import the metadata.xml from Okta.
• get to your App client settings, under App integration and enable the newly created IDP

Cognito side - Identity pool:

• Under authentication providers, SAML tab , you'll be able to check the Okta provider checkbox as you mentioned that you already have it as a trusted provider under IAM.

That should be about it. Resources that were of help: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html

EDIT: It seems that clarification was required on the Audience URI/Audience Restriction Okta setting. As Julien below mentioned is in the form of urn:amazon:cognito:sp:region_randomid (ie. urn:amazon:cognito:sp:eu-west-1_SdsSdwSD3e), you don't need to add yourself the region.

Answer 2

Disclaimer: I'm not a SAML expert

We had to face the same problem here. After authentication in Okta we were redirected to the Cognito login screen. I tried to follow the advice from WenWolf with no success.

I analyzed the SAML flow using the SAML-tracer extension in Firefox. An error message was hidden in the redirect URI after the assertion POST.

GET https://XXXXX?error_description=Error+in+SAML+response+processing%3A+Audience+restriction+in+SAML+Assertion+does+now+allow+it+for+urn%3Aamazon%3Acognito%3Asp%3Aeu-west-1_YYYYYYYY+&state=e4314f8a-e321-4302-91fe-2a4657a9c582&error=server_error HTTP/1.1

Which gives you :

Error in SAML response processing: Audience restriction in SAML Assertion does now allow it for urn:amazon:cognito:sp:eu-west-1_YYYYYYYY

To fix it in Okta:

• Change the Audience Restriction field in Okta by replacing the value initially recommended in the documentation and the blog
  • urn:amazon:cognito:sp:IDFoundInAppIntegrationAppClientSettings
• by the value indicated in the error message
  • urn:amazon:cognito:sp:eu-west-1_YYYYYYYY

This ID also appear in the auto-generated group in Cognito General settings>Users and groups

PS: Keep the other advices on NameId and required attribute mapping that needs to be consistent on both side.