Amazon Cognito - AWS | OIDC

1. Display name

Choose a name for your identity provider. This is the user-facing name, so choose a name your users will recognize. This value can be changed later.

2. Redirect Mode

Select how the user will be redirected to the identity provider. You may configure more redirect modes after completing the setup.

3. Prepare IDP

In this step, we will configure Amazon Cognito to work with Kantega SSO. For this, you will need to copy the Callback URL provided. We will use this when setting up Amazon Cognito.


Configure Amazon Cognito

If you are using SCIM with your provider, make sure to check out the documentation for configuring this before proceeding. It might be that you need to configure this first or at the same time as setting up OIDC.

Sign in to the AWS Management Console, navigate to Cognito > Manage User Pools and select the pool you wish to configure. If you do not have one, follow the Amazon tutorial on creating a user pool.

If you wish to use Just-In-Time provisioning, you must select both email and name as required attributes when creating the user pool. You cannot change attribute options for a pool after it has been created.

Save the Pool Id. We will need this value later. Create an App Client by going to App Clients > Add another app client (or select the App integration tab and, under App clients, select Create an app client).

Give your app client a name, leave the rest as-is and click Create app client. Click to show more details on your new app client and copy the App client id and the App client secret. We need these values when returning to the setup of Kantega SSO.

Navigate to App client settings, find your app client and change the following:

  • Under Enabled Identity Providers, select relevant identity providers. In our example, we select all providers.

  • In the Callback URL(s) field, enter the callback URL value that you copied from the prepare step in the Kantega SSO wizard.

  • Under Allowed OAuth Flows, check Authorization code grant.

  • Under Allowed OAuth Scopes, check email, openid, and profile.

Save changes.

Go back to the Kantega SSO wizard.

4. Metadata

In the Metadata step, replace the {region} and {userPoolId} placeholders in the Discovery URL with the Pool Id saved from AWS Cognito in the previous step. {region} is the first part of the Pool Id value.

5. Scopes

These are the scopes we were able to fetch from the metadata. You can add scope values from a list, start typing to add your own or unselect them. A minimum of one scope value is required.
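The Metadata and Scopes steps above, as an added example (Python; not code from this page or from Kantega SSO): it derives {region} from the Pool Id, fills the placeholders of the Cognito Discovery URL (the standard Cognito OIDC path), and sanity-checks a discovery document before its scope list is used, rejecting a document whose issuer is not the pool's own and one that does not advertise the email, openid and profile scopes enabled on the app client. The Pool Id, hostnames and document below are constructed samples.

```python
import json
import re
from urllib.parse import urlparse

# Cognito Pool Ids have the form "<region>_<suffix>", e.g. "eu-west-1_AbC123xyz" (constructed).
POOL_ID_RE = re.compile(r"^([a-z]{2}-[a-z]+-\d)_([A-Za-z0-9]+)$")
# Scopes checked under Allowed OAuth Scopes on the app client; the wizard needs them too.
REQUIRED_SCOPES = {"openid", "email", "profile"}

def region_from_pool_id(pool_id: str) -> str:
    """The {region} placeholder is the part of the Pool Id before the underscore."""
    m = POOL_ID_RE.match(pool_id)
    if not m:
        raise ValueError(f"not a Cognito Pool Id: {pool_id!r}")
    return m.group(1)

def issuer_url(pool_id: str) -> str:
    """Issuer of the user pool; the discovery document hangs off this URL."""
    return f"https://cognito-idp.{region_from_pool_id(pool_id)}.amazonaws.com/{pool_id}"

def discovery_url(pool_id: str) -> str:
    """Fill the {region} and {userPoolId} placeholders of the Discovery URL."""
    return issuer_url(pool_id) + "/.well-known/openid-configuration"

def check_discovery_document(pool_id: str, doc_json: str) -> set:
    """Check a fetched discovery document: the issuer must be this pool's own
    (tokens minted by another pool must not be accepted), the endpoints for the
    authorization code grant must be https, and the required scopes advertised."""
    doc = json.loads(doc_json)
    if doc.get("issuer") != issuer_url(pool_id):
        raise ValueError(f"issuer {doc.get('issuer')!r} is not {issuer_url(pool_id)!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc.get(key, "")).scheme != "https":
            raise ValueError(f"{key} missing or not https")
    scopes = set(doc.get("scopes_supported", []))
    missing = REQUIRED_SCOPES - scopes
    if missing:
        raise ValueError(f"metadata does not advertise {sorted(missing)}")
    return scopes

# Constructed sample document (no real pool) in the shape Cognito returns.
SAMPLE_POOL_ID = "eu-west-1_AbC123xyz"
SAMPLE_DOC = json.dumps({
    "issuer": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_AbC123xyz",
    "authorization_endpoint": "https://example.auth.eu-west-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example.auth.eu-west-1.amazoncognito.com/oauth2/token",
    "jwks_uri": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_AbC123xyz/.well-known/jwks.json",
    "scopes_supported": ["openid", "email", "phone", "profile"],
})
```

Calling `check_discovery_document(SAMPLE_POOL_ID, SAMPLE_DOC)` returns the advertised scopes; passing a different Pool Id for the same document raises, which is the case that matters when a wrong discovery URL is pasted into the wizard.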


6. Credentials

In this step, you need to insert the App client id and the App client secret we saved earlier (in step 2).

7. Summary

Check that everything looks good and submit your setup.


Test

Test that logging in with Amazon Cognito works as expected. This will help identify if there are any issues with the configuration. Follow the steps to perform the login test.