How do I set up Okta as an OpenID Connect identity provider in an Amazon Cognito user pool?

Last updated: 2021-09-21

I want to use Okta as an OpenID Connect (OIDC) identity provider (IdP) in an Amazon Cognito user pool. How do I set that up?

Short description

Amazon Cognito user pools allow sign-in through a third party (federation), including through an IdP such as Okta. For more information, see Adding user pool sign-in through a third party and Adding OIDC identity providers to a user pool.

A user pool integrated with Okta allows users in your Okta app to get user pool tokens from Amazon Cognito. For more information, see Using tokens with user pools.

Resolution

Create an Amazon Cognito user pool with an app client and domain name

  1. Create a user pool.
    Note: During creation, the standard attribute email is selected by default. For more information, see Configuring user pool attributes.
  2. Create an app client in your user pool. For more information, see Add an app to enable the hosted web UI.
  3. Add a domain name for your user pool.

Sign up for an Okta developer account

Note: If you already have an Okta developer account, sign in.

  1. On the Okta Developer signup webpage, enter your personal information, and then choose SIGN UP. The Okta Developer Team sends a verification email to the email address that you provided.
  2. In the verification email, find the sign-in information for your account. Choose ACTIVATE, sign in, and finish creating your account.

Create an Okta app

  1. Open the Okta Developer Console. For more information about the console, see Okta’s Redesigned Admin Console and Dashboard—Now in GA! on the Okta Developer Blog.
  2. In the navigation pane, expand Applications, and then choose Applications. This opens the Applications Console. For more information, see Administrator Console on the Okta Organizations page of the Okta Developer website.
  3. Choose Create App Integration.
  4. On the Create a new app integration page, choose OpenID Connect, choose Web Application, and then choose Next.

Configure settings for your Okta app

  1. On the New Web App Integration page, under General Settings, enter a name for your app. For example, TestApp.
  2. Under Grant type, confirm that the Authorization Code check box is selected. Your user pool uses this flow to communicate with Okta OIDC for federated user sign-in.
  3. For Sign-in redirect URIs (labeled Login redirect URIs under CONFIGURE OPENID CONNECT in the older Okta Developer Console), enter https://myUserPoolDomain/oauth2/idpresponse. This is where Okta redirects the browser with the authorization code after the user signs in. Amazon Cognito then exchanges that code for tokens at Okta's token endpoint, so with the Authorization Code grant the ID token itself never passes through the browser.
    Note: Replace myUserPoolDomain with your Amazon Cognito user pool domain. You can find the domain in the Amazon Cognito console on the Domain name page for your user pool. Okta matches redirect URIs exactly, so the scheme, host, and path must be identical to what Amazon Cognito sends.
  4. In Controlled access, choose your preferred access setting, and then choose Save.
  5. In Client Credentials, copy the Client ID and Client secret. You need these credentials for configuring Okta in your Amazon Cognito user pool. Treat the client secret like a password: Amazon Cognito presents it to Okta when it redeems the authorization code, so store it only in the user pool's IdP configuration (or a secrets manager), never in your application code or source control.
  6. Choose Sign On.
  7. On the Sign On page, in OpenID Connect ID Token, note the Issuer URL. You need this URL for configuring Okta in your user pool. The Issuer must be a fixed https URL (your Okta org URL or a custom authorization server URL), not a dynamic setting: Amazon Cognito appends /.well-known/openid-configuration to it during discovery and compares the iss claim of every Okta ID token against it, so copy it exactly as shown.

Add an OIDC IdP in your user pool

  1. In the Amazon Cognito console, choose Manage user pools, and then choose your user pool.
  2. In the left navigation pane, under Federation, choose Identity providers.
  3. Choose OpenID Connect.
  4. Do the following:
    For Provider name, enter a name for the IdP. This name appears in the Amazon Cognito hosted web UI.
    Note: You can't change this field after creating the provider. If you plan to include this field in your app or use the Amazon Cognito hosted web UI, use a name that you're comfortable with your app's users seeing.
    For Client ID, paste the Client ID that you noted earlier from Okta.
    For Client secret (optional), paste the Client secret that you noted earlier from Okta.
    For Attributes request method, leave the setting as GET.
    For Authorize scope, enter the OIDC scope values that you want to authorize, separated by spaces. For more information, see Scope values in OpenID Connect Basic Client Implementer's Guide 1.0 on the OpenID website.
    Important: The openid scope is required for OIDC IdPs, and you can add other scopes according to your user pool configuration. For example, if you kept email as a required attribute when creating your user pool, enter email openid to include both scopes. You can map the email attribute to your user pool later in this setup.
    For Issuer, paste the Issuer URL that you copied earlier from Okta.
    For Identifiers (optional), enter one or more custom strings (for example, an email domain) that your app can pass in the idp_identifier parameter of the hosted UI endpoints instead of the provider name.
  5. Choose Run discovery to fetch the OIDC configuration endpoints for Okta.
  6. Choose Create provider.

For more information, see Add an OIDC IdP to your user pool.
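The following added example (not AWS or Okta code) models what Run discovery does with the Issuer you entered: it appends /.well-known/openid-configuration, fetches the document, and checks the points that make discovery fail or make later sign-ins fail. The Okta domain dev-123456.okta.com, the discovery document, and the fake_fetch stand-in for the HTTPS request are constructed; the endpoint paths follow an Okta org authorization server, while a custom authorization server would have a different issuer and paths.

```python
"""Offline model of the Run discovery step: Amazon Cognito appends
/.well-known/openid-configuration to the Issuer you entered and reads Okta's
endpoints from the response.  Added example, not AWS or Okta code.  The Okta
domain dev-123456.okta.com and the discovery document are constructed."""
import json
from urllib.parse import urlsplit

# Endpoints the user pool needs for the authorization code flow against the IdP.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")

# Constructed document shaped like an Okta org authorization server's response.
SAMPLE_ISSUER = "https://dev-123456.okta.com"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/oauth2/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/oauth2/v1/token",
    "userinfo_endpoint": SAMPLE_ISSUER + "/oauth2/v1/userinfo",
    "jwks_uri": SAMPLE_ISSUER + "/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "email", "profile"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def discovery_url(issuer):
    """URL Amazon Cognito fetches for the Issuer field."""
    if not issuer.startswith("https://"):
        raise ValueError("Issuer must be a fixed https URL")
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fake_fetch(url):
    """Stand-in for the HTTPS GET that Cognito performs; serves the sample."""
    if url == discovery_url(SAMPLE_ISSUER):
        return SAMPLE_DISCOVERY
    raise LookupError("no discovery document at " + url)


def run_discovery(issuer, scopes, fetch=fake_fetch):
    """Fetch and validate the discovery document; return the four endpoints.

    Raises ValueError with the reason whenever the console would report
    that discovery failed."""
    doc = json.loads(fetch(discovery_url(issuer)))
    # The document's issuer must equal the configured value: it is also what
    # the iss claim of every Okta ID token is later compared against.
    if doc.get("issuer") != issuer.rstrip("/"):
        raise ValueError("issuer mismatch: configured %r, document says %r"
                         % (issuer, doc.get("issuer")))
    missing = [k for k in REQUIRED_ENDPOINTS if k not in doc]
    if missing:
        raise ValueError("discovery document lacks " + ", ".join(missing))
    for k in REQUIRED_ENDPOINTS:  # a plain-http endpoint would leak the code
        if urlsplit(doc[k]).scheme != "https":
            raise ValueError(k + " is not https")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("IdP does not advertise the authorization code flow")
    if "openid" not in scopes:
        raise ValueError("the openid scope is required")
    unsupported = sorted(set(scopes) - set(doc.get("scopes_supported", [])))
    if unsupported:
        raise ValueError("IdP does not advertise scopes: " + " ".join(unsupported))
    return {k: doc[k] for k in REQUIRED_ENDPOINTS}


def discovery_error(issuer, scopes, fetch=fake_fetch):
    """Return the failure reason as a string, or None when discovery succeeds."""
    try:
        run_discovery(issuer, scopes, fetch)
    except (ValueError, LookupError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(json.dumps(run_discovery(SAMPLE_ISSUER, ["openid", "email"]), indent=2))
    # A custom authorization server issuer does not match the org document.
    print(discovery_error(SAMPLE_ISSUER + "/oauth2/default", ["openid"],
                          fetch=lambda url: SAMPLE_DISCOVERY))
```

The issuer comparison is the check most often tripped in practice: the Issuer entered in the Cognito console, the issuer field of the discovery document, and the iss claim in Okta's ID tokens all have to be the same string, so pasting an org URL when the app is served by a custom authorization server (or the reverse) passes the console step only if the document agrees, and otherwise fails every sign-in.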

Change app client settings for your user pool

  1. In the Amazon Cognito console, choose Manage user pools, and then choose your user pool.
  2. In the left navigation pane, under App integration, choose App client settings.
  3. On the app client page, do the following:
    Under Enabled Identity Providers, choose the OIDC provider check box for the IdP that you created earlier.
    (Optional) Choose the Cognito User Pool check box.
    For Callback URL(s), enter the URL where you want your users to be redirected after logging in. For testing, you can enter any valid URL, such as https://example.com/. Amazon Cognito requires HTTPS for callback URLs (http://localhost is allowed for local development) and matches the redirect_uri parameter of each request against this list exactly, so list only the exact URLs your app uses.
    For Sign out URL(s), enter a URL where you want your users to be redirected after logging out. For testing, you can enter any valid URL, such as https://example.com/.
    Under Allowed OAuth Flows, select the flows that correspond to the grant types that you want your application to receive after authentication from Amazon Cognito. Prefer Authorization code grant: with Implicit grant the user pool tokens are returned in the URL fragment, where they are exposed to browser history and to any script running on the page.
    Note: The allowed OAuth flows you enable determine which values (code or token) you can use for the response_type parameter in your endpoint URL.
    Under Allowed OAuth Scopes, select at least the email and openid check boxes.
  4. Choose Save changes.

For more information, see App client Settings terminology.

Map the email attribute to a user pool attribute

If you authorized the email OIDC scope value earlier, map it to a user pool attribute.

  1. In the Amazon Cognito console, choose Manage user pools, and then choose your user pool.
  2. In the left navigation pane, under Federation, choose Attribute mapping.
  3. On the attribute mapping page, choose the OIDC tab.
  4. If you have more than one OIDC provider in your user pool, choose your new provider from the dropdown list.
  5. Confirm that the OIDC attribute sub is mapped to the user pool attribute Username.
  6. Choose Add OIDC attribute, and then do the following:
    For OIDC attribute, enter email.
    For User pool attribute, choose Email.

For more information, see Specifying identity provider attribute mappings for your user pool.

Log in to test your setup

Authenticate with Okta using the Amazon Cognito hosted web UI: open your user pool's hosted UI sign-in page (or its /oauth2/authorize endpoint with identity_provider set to the Provider name you entered) and choose the Okta provider. After you log in successfully, you're redirected to your app client's callback URL. With the Authorization code grant, an authorization code appears in the query string of that URL and must be exchanged for tokens at the user pool's /oauth2/token endpoint; with the Implicit grant, the user pool tokens themselves appear in the URL fragment. Before your app trusts an ID token, verify its signature against the user pool's JSON Web Key Set and check that the iss, aud, token_use, and exp claims match your user pool, your app client, and the current time.

For more information, see Using the Amazon Cognito Hosted UI for sign-up and sign-in.
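As an added example that is not part of the original article or of any AWS library, the following script models the test sign-in end to end on the client side: it builds the hosted UI authorize URL that goes straight to the Okta provider (with PKCE and a state value), checks the callback before accepting the authorization code, shapes the request for the user pool's /oauth2/token endpoint, and applies the ID token claim checks that AWS documents for user pool tokens. The user pool domain, app client ID, region, user pool ID, and the unsigned SAMPLE_ID_TOKEN are constructed placeholders; the RS256 signature check against the pool's JSON Web Key Set is left out because it needs a network fetch.

```python
"""Offline model of the hosted UI test sign-in: build the authorize URL that
sends the user to the Okta provider, check the callback, shape the token
request, and validate the ID token claims.  Added example, not AWS code; the
domain, app client ID, region and user pool ID are constructed placeholders."""
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

USER_POOL_DOMAIN = "myuserpool.auth.us-east-1.amazoncognito.com"  # constructed
APP_CLIENT_ID = "1example23456789abcdefghij"                       # constructed
USER_POOL_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CALLBACK_URL = "https://example.com/"  # the Callback URL from App client settings
PROVIDER_NAME = "Okta"                 # the Provider name from the Cognito console


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, S256 code_challenge) as defined in RFC 7636."""
    verifier = secrets.token_urlsafe(64)
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_url(state, code_challenge, scopes=("openid", "email")):
    """Hosted UI /oauth2/authorize URL that goes straight to the Okta IdP.

    response_type=code is the Authorization code grant; identity_provider
    names the provider so the hosted UI skips its own sign-in page."""
    params = {
        "response_type": "code",
        "client_id": APP_CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "scope": " ".join(scopes),
        "state": state,
        "identity_provider": PROVIDER_NAME,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    return "https://%s/oauth2/authorize?%s" % (USER_POOL_DOMAIN, urlencode(params))


def parse_callback(url, expected_state):
    """Return the authorization code from the redirect; reject a wrong state."""
    parts = urlsplit(url)
    if parts._replace(query="", fragment="").geturl() != CALLBACK_URL:
        raise ValueError("callback arrived at an unexpected URL")
    q = parse_qs(parts.query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed response")
    if "error" in q:
        raise ValueError("sign-in failed: " + q["error"][0])
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"][0]


def token_request(code, code_verifier):
    """URL and form body for exchanging the code at the user pool token
    endpoint.  An app client with a secret would also send it via HTTP Basic."""
    body = {"grant_type": "authorization_code", "client_id": APP_CLIENT_ID,
            "code": code, "redirect_uri": CALLBACK_URL,
            "code_verifier": code_verifier}
    return "https://%s/oauth2/token" % USER_POOL_DOMAIN, urlencode(body)


def decode_jwt_payload(token):
    """Read the claims segment of a JWT without verifying it (inspection only)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def id_token_claims_ok(claims, now=None):
    """Claim checks AWS documents for a user pool ID token, to run after the
    RS256 signature has been verified against the pool's JWKS (that step needs
    a network fetch and is left out here; never skip it in a real app)."""
    now = time.time() if now is None else now
    ident = (claims.get("identities") or [{}])[0]
    return (claims.get("iss") == USER_POOL_ISSUER
            and claims.get("aud") == APP_CLIENT_ID
            and claims.get("token_use") == "id"
            and claims.get("exp", 0) > now
            and ident.get("providerName") == PROVIDER_NAME)


# Constructed, unsigned stand-in for the token a test sign-in returns.
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode()),
    _b64url(json.dumps({"iss": USER_POOL_ISSUER, "aud": APP_CLIENT_ID,
                        "token_use": "id", "exp": 4102444800,
                        "email": "user@example.com",
                        "identities": [{"providerName": PROVIDER_NAME}]}).encode()),
    _b64url(b"signature-would-be-here"),
])

if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print(authorize_url(state, challenge))
    code = parse_callback(CALLBACK_URL + "?code=demo-code&state=" + state, state)
    print(token_request(code, verifier))
    print(id_token_claims_ok(decode_jwt_payload(SAMPLE_ID_TOKEN)))
```

The state check in parse_callback is what stops an attacker from completing a sign-in they started in the victim's browser, and the code_verifier in token_request is what makes a stolen authorization code useless on its own; the claims check then ties the returned token to this user pool, this app client, and the Okta provider rather than to any token issued anywhere in the region.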