I want to use Okta as a Security Assertion Markup Language 2.0 (SAML 2.0) identity provider (IdP) with an Amazon Cognito user pool. How do I set that up?

Amazon Cognito user pools allow sign-in through a third party (federation), including through a SAML IdP such as Okta. For more information, see Adding User Pool Sign-in Through a Third Party and Adding SAML Identity Providers to a User Pool.

A user pool integrated with Okta allows users in your Okta application to get user pool tokens from Amazon Cognito. For more information, see Using Tokens with User Pools.

To set up Okta as a SAML IdP, you need an Amazon Cognito user pool with an app client and domain name. You also need an Okta account with an Okta application on it.

Create an Amazon Cognito user pool with an app client and domain name

For more information, see the following articles:

Sign up for an Okta account

Note: If you already have an account, sign in.

1.    On the Okta website Free Trial page, choose Sign Up Today.

2.    In the Free Trial dialog, enter your personal information and preferences, and then choose Get Started. Okta sends a confirmation email to the email address you provided.

3.    In the confirmation email, see the sign-in information for your account. Use that information to sign in, create a new password, and then finish creating your account.

Create an Okta application

1.    On the Okta website, choose Dashboard to go to the Admin dashboard.

or

In your browser, enter https://mydomain-admin.okta.com/admin/dashboard, replacing mydomain with the Okta domain you created.

2.    On the Admin dashboard, under Shortcuts, choose Add Applications.

or

On the Admin dashboard, choose Applications, and then choose Add Application.

3.    On the Add Application page, choose Create New App.

4.    In the Create a New Application Integration dialog, for Platform, choose Web.

5.    For Sign on method, choose SAML 2.0.

6.    Choose Create.

Configure SAML integration for your Okta application

1.    On the Create SAML Integration page, under General Settings, enter a name for your application.

2.    (Optional) Upload a logo for your application, and then select the visibility settings for your app.

3.    Choose Next.

4.    Under SAML Settings, for Single sign on URL, enter https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse.

Note: Replace yourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the Domain name tab of the management page for your user pool.

5.    For Audience URI (SP Entity ID), enter urn:amazon:cognito:sp:yourUserPoolId.

Note: Replace yourUserPoolId with your Amazon Cognito user pool ID. Find it in the Amazon Cognito console on the General settings tab of the management page for your user pool.

6.    Leave Default RelayState blank.

7.    Under Attribute Statements (Optional), add a statement with the following information:
For Name, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
For Value, enter user.email.

8.    For all other SAML settings on the page, leave them as their default value or set them according to your preferences.

9.    Choose Next.

10.    Choose a feedback response for Okta Support.

11.    Choose Finish.
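The Single sign on URL, Audience URI and attribute statement entered above are what bind an Okta assertion to this specific user pool: Cognito will only accept a response addressed to its /saml2/idpresponse endpoint whose audience is its own SP entity ID. The following Python is an added example, not code from the AWS article or from either product. It derives those three values from a user pool's domain prefix, region and ID, and checks a SAML Response against them as a service provider would (it also pulls out the email attribute under the claim name used later in the attribute mapping). The sample response and every value in it (myprefix, us-east-1_EXAMPLE, jane@example.com) are constructed; signature verification is deliberately left out, since Cognito does that with the certificate in the IdP metadata document.

```python
# Added example, not part of the AWS article. Derives the Okta SAML settings for a
# Cognito user pool and validates a constructed SAML Response against them.
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 Response and Assertion elements
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def cognito_saml_settings(domain_prefix, region, user_pool_id):
    """Values for 'Single sign on URL', 'Audience URI' and the attribute statement."""
    return {
        "sso_url": f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse",
        "audience": f"urn:amazon:cognito:sp:{user_pool_id}",
        "email_claim": EMAIL_CLAIM,
    }


def validate_saml_response(xml_text, settings):
    """Return (email, problems). problems is empty when the response is bound to this
    user pool. Signature verification is not done here; Cognito verifies it with the
    certificate from the IdP metadata document."""
    problems = []
    root = ET.fromstring(xml_text)
    # The Response must be addressed to the Cognito ACS endpoint
    if root.get("Destination") != settings["sso_url"]:
        problems.append("Destination is not the Cognito ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["no Assertion element"]
    # The bearer subject confirmation must name the same endpoint as Recipient
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != settings["sso_url"]:
        problems.append("Recipient is not the Cognito ACS URL")
    # The audience restriction must include this user pool's SP entity ID
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if settings["audience"] not in audiences:
        problems.append(f"Audience {audiences} does not name {settings['audience']}")
    # Pull the email attribute using the claim name from the attribute mapping
    email = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == settings["email_claim"]:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                email = value.text.strip()
    if email is None:
        problems.append("no attribute named " + settings["email_claim"])
    return email, problems


# Constructed sample response (no signature); values are placeholders, not real IDs
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://myprefix.auth.us-east-1.amazoncognito.com/saml2/idpresponse">
  <saml:Assertion>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://myprefix.auth.us-east-1.amazoncognito.com/saml2/idpresponse"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:amazon:cognito:sp:us-east-1_EXAMPLE</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    settings = cognito_saml_settings("myprefix", "us-east-1", "us-east-1_EXAMPLE")
    print(validate_saml_response(SAMPLE_RESPONSE, settings))
```

Running the script against the sample prints the email with an empty problem list; pointing the same response at a different user pool ID reports an audience mismatch, which is exactly the failure you see in Cognito when the Audience URI in Okta does not match urn:amazon:cognito:sp:yourUserPoolId.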

Assign a user to your Okta application

1.    On the Assignments tab for your Okta application, for Assign, choose Assign to People.

2.    Next to the user you want to assign, choose Assign.

Note: If this is a new account, you only have the option to choose yourself (the admin) as the user.

3.    (Optional) For User Name, enter a user name, or leave it as the user's email address, if you prefer.

4.    Choose Save and Go Back. Your user is assigned.

5.    Choose Done.

Get the IdP metadata for your Okta application

On the Sign On tab for your Okta application, find the Identity Provider metadata hyperlink. Right-click the hyperlink and then copy the URL.

For more information, see Integrating Third-Party SAML Identity Providers with Amazon Cognito User Pools.

Configure Okta as a SAML IdP in Amazon Cognito

For more information, see Creating and Managing a SAML Identity Provider for a User Pool (AWS Management Console), and then follow the instructions under To configure a SAML 2.0 identity provider in your user pool.

When creating the SAML IdP, for Metadata document, paste the Identity Provider metadata URL that you copied.

Map email address from IdP attribute to user pool attribute

For more information, see Specifying Identity Provider Attribute Mappings for Your User Pool, and then follow the instructions under To specify a SAML provider attribute mapping.

When adding a SAML attribute, for SAML Attribute, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. For User pool attribute, choose Email from the list.

Change app client settings in Amazon Cognito

1.    In the Amazon Cognito console management page for your user pool, under App integration, choose App client settings. Then, do the following:
Under Enabled identity providers, select the Okta and Cognito User Pool check boxes.
For Callback URL(s), enter a URL where you want your users to be redirected after logging in. For testing, you can enter any valid URL, such as https://www.amazon.com.
For Sign out URL(s), enter a URL where you want your users to be redirected after logging out. For testing, you can enter any valid URL, such as https://www.amazon.com.
Under Allowed OAuth Flows, be sure to select at least the Implicit grant check box.
Under Allowed OAuth Scopes, be sure to select at least the email and openid check boxes.

2.    Choose Save changes.

For more information, see App Client Settings Overview.

Test the login endpoint

1.    In your browser, enter https://yourDomainPrefix.auth.region.amazoncognito.com/login?response_type=token&client_id=yourClientId&redirect_uri=redirectUrl.

Note: Replace yourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the Domain name tab of the management page for your user pool.

Replace yourClientId with your app client’s ID, and replace redirectUrl with your app client’s callback URL. Find them in the Amazon Cognito console on the App client settings tab of the management page for your user pool.

For more information, see How do I configure the hosted web UI for Amazon Cognito? and LOGIN Endpoint.

2.    Choose Okta.

Note: If you're redirected to your app client's callback URL, you're already logged in to your Okta account in your browser. The user pool tokens appear in the URL in your web browser's address bar.

3.    On the Okta Sign In page, enter the username and password for the user you assigned to your application.

4.    Choose Sign in.

After successfully logging in, you're redirected to your app client's callback URL and the user pool tokens appear in the URL in your web browser's address bar.
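Because the test above uses response_type=token (the implicit grant), the user pool tokens come back in the fragment of the callback URL rather than the query string. The following Python is an added example, not code from the AWS article; it builds the login URL from the same placeholders the article uses, parses the tokens out of a callback URL, and checks the ID token's iss, aud, token_use and exp claims against the user pool and app client before the token is trusted. The token it parses is a constructed sample with a placeholder signature, so the example does not verify the signature; a real client must do that against the user pool's JWKS at https://cognito-idp.region.amazonaws.com/userPoolId/.well-known/jwks.json. All IDs (abc123, us-east-1_EXAMPLE) are constructed placeholders.

```python
# Added example, not part of the AWS article. Builds the hosted UI login URL, parses
# the implicit-grant callback and checks ID token claims against the user pool.
import base64
import json
import time
from urllib.parse import urlencode, urlsplit, parse_qs


def build_login_url(domain_prefix, region, client_id, redirect_uri):
    """The URL from the 'Test the login endpoint' step, with query values encoded."""
    base = f"https://{domain_prefix}.auth.{region}.amazoncognito.com/login"
    query = urlencode({"response_type": "token",
                       "client_id": client_id,
                       "redirect_uri": redirect_uri})
    return f"{base}?{query}"


def tokens_from_callback(callback_url):
    """With the implicit grant the tokens are in the URL fragment (#...), which the
    browser does not send to the callback server, so parse the fragment."""
    fragment = urlsplit(callback_url).fragment
    return {name: values[0] for name, values in parse_qs(fragment).items()}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_problems(id_token, region, user_pool_id, client_id, now=None):
    """Return claim-level problems (empty list means the claims fit this pool and
    client). Signature verification against the JWKS is NOT done here."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    claims = json.loads(_b64url_decode(parts[1]))
    expected_iss = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} != {expected_iss!r}")
    if claims.get("aud") != client_id:
        problems.append(f"aud {claims.get('aud')!r} is not this app client")
    if claims.get("token_use") != "id":
        problems.append("token_use is not 'id'")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_sample_id_token(claims):
    """Constructed sample token for offline demonstration: real header layout, but the
    signature segment is a placeholder, so it would fail real verification."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "RS256", "kid": "constructed-kid"}
    return f"{enc(header)}.{enc(claims)}.SIGNATURE_PLACEHOLDER"


# Constructed sample claims shaped like a Cognito ID token
SAMPLE_CLAIMS = {
    "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
    "aud": "abc123",
    "token_use": "id",
    "exp": 2000000000,
    "email": "jane@example.com",
}

if __name__ == "__main__":
    print(build_login_url("myprefix", "us-east-1", "abc123", "https://www.amazon.com"))
    callback = "https://www.amazon.com/#id_token=" + make_sample_id_token(SAMPLE_CLAIMS) \
        + "&access_token=constructed&expires_in=3600&token_type=Bearer"
    tokens = tokens_from_callback(callback)
    print(id_token_problems(tokens["id_token"], "us-east-1", "us-east-1_EXAMPLE", "abc123"))
```

The aud check matters because every app client in a pool shares the same issuer; a token minted for one app client should not be accepted by another. For anything beyond this manual test, the authorization code grant is the better choice for a production app client, since it keeps tokens out of the browser's address bar and history.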


Published: 2019-02-26