I want to use OneLogin as a Security Assertion Markup Language 2.0 (SAML 2.0) identity provider (IdP) with an Amazon Cognito user pool. How do I set that up?

Amazon Cognito user pools allow sign-in through a third party (federation), including through a SAML IdP such as OneLogin. For more information, see Adding User Pool Sign-in Through a Third Party and Adding SAML Identity Providers to a User Pool.

To set up OneLogin as a SAML IdP, you need an Amazon Cognito user pool and a OneLogin account with an application on it.

Create an Amazon Cognito user pool with an app client and domain name

For more information, see these articles:

Note: When creating a user pool, the standard attribute email is selected by default. For more information about user pool attributes, see Configuring User Pool Attributes.

Create a OneLogin account

For more information, see the OneLogin website, and then choose Start a free trial.

On the account creation page, under Your OneLogin Domain, note the domain that OneLogin provides.

Create a OneLogin application

1.    On the OneLogin portal page (https://your-new-domain.onelogin.com/portal/), choose Administration.

2.    At the top of the Administration page, pause on Apps, and then choose Add apps.

3.    In the search bar under Find Applications, enter saml, and then choose SAML Test Connector (IdP) to open the Add SAML Test Connector (IdP) page.

4.    (Optional) Do any of the following:
For Display Name, enter a name and description. For example, Cognito Setup (IdP).
For Rectangular Icon and Square Icon, upload thumbnail icons following the specifications on the page.
For Description, enter a short summary description. For example, For Amazon Cognito user pool.

5.    Choose Save.

Edit your OneLogin application configuration

1.    Choose Configuration.

2.    On the Configuration page, do the following:
For RelayState, enter any valid URL, such as https://www.example.com.
For Audience, enter urn:amazon:cognito:sp:yourUserPoolId.
Leave Recipient blank.
For ACS (Consumer) URL Validator, enter https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse.
For ACS (Consumer) URL, enter https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse.
Leave Single Logout URL blank.

Note: For Audience, replace yourUserPoolId with your Amazon Cognito user pool ID. Find the ID in the Amazon Cognito console on the General settings tab of the management page for your user pool.

For ACS (Consumer) URL Validator and ACS (Consumer) URL, replace yourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the Domain name tab of the management page for your user pool.
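The Audience and ACS values above are easy to get subtly wrong (a pool ID from one region pasted next to a domain from another, or a prefix typed with capitals), and the result is a SAML response that Amazon Cognito rejects. The following Python snippet is an added example, not part of the AWS article or of any AWS tooling: it derives the values to enter on the OneLogin Configuration and Parameters pages from a pool ID, domain prefix and region, and flags the common inconsistencies first. The pool ID and domain prefix it uses are constructed placeholders, and the assumed shape of a pool ID (`<region>_<alphanumeric id>`) and of a domain prefix (lowercase letters, digits and hyphens, none of the console's reserved words) are noted in the comments.

```python
"""Added example (not from the AWS article): derive the OneLogin settings the
article tells you to enter from your user pool's ID, domain prefix and region,
and catch copy-paste mistakes before they become a rejected SAML response."""
import re

# Claim name the article uses both for the custom OneLogin parameter and for
# the Cognito attribute mapping.
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Assumed shapes: pool IDs look like "<region>_<alphanumeric>", and a Cognito
# domain prefix is lowercase letters, digits and hyphens.
POOL_ID_RE = re.compile(r"^([a-z]{2}(?:-[a-z]+)+-\d+)_[A-Za-z0-9]+$")
DOMAIN_PREFIX_RE = re.compile(r"^[a-z0-9-]+$")
# Words the Cognito console refuses in a domain prefix (assumed from its validation).
RESERVED_WORDS = ("aws", "amazon", "cognito")


def validate(user_pool_id, domain_prefix, region):
    """Return a list of problems; an empty list means the inputs look consistent."""
    problems = []
    m = POOL_ID_RE.match(user_pool_id)
    if not m:
        problems.append(f"user pool ID {user_pool_id!r} is not in <region>_<id> form")
    elif m.group(1) != region:
        # The ACS URL is regional; a mismatch sends the assertion to the wrong endpoint.
        problems.append(
            f"region {region!r} does not match the pool's region {m.group(1)!r}")
    if not DOMAIN_PREFIX_RE.match(domain_prefix):
        problems.append(
            f"domain prefix {domain_prefix!r} must be lowercase letters, digits and hyphens")
    for word in RESERVED_WORDS:
        if word in domain_prefix:
            problems.append(f"domain prefix must not contain {word!r}")
    return problems


def onelogin_settings(user_pool_id, domain_prefix, region):
    """Values for the OneLogin 'Configuration' page, keyed by the page's field names."""
    problems = validate(user_pool_id, domain_prefix, region)
    if problems:
        raise ValueError("; ".join(problems))
    acs = f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse"
    return {
        "RelayState": "https://www.example.com",  # any valid URL, per the article
        "Audience": f"urn:amazon:cognito:sp:{user_pool_id}",
        "Recipient": "",                          # left blank
        "ACS (Consumer) URL Validator": acs,
        "ACS (Consumer) URL": acs,
        "Single Logout URL": "",                  # left blank
    }


def onelogin_parameter():
    """The custom parameter to add on the OneLogin 'Parameters' page."""
    return {"Field name": NAMEID_CLAIM, "Include in SAML assertion": True, "Value": "Email"}


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own.
    for field, value in onelogin_settings("us-east-1_EXAMPLE01", "my-test-prefix", "us-east-1").items():
        print(f"{field}: {value}")
    print(onelogin_parameter())
```

Running it prints each field exactly as it should be typed into OneLogin; passing a region that disagrees with the pool ID, or a prefix containing a reserved word, raises a `ValueError` naming the mismatch instead of producing a URL that will only fail later at sign-in.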

Edit your OneLogin application's parameters

1.    Choose Parameters.

Note: One parameter (NameID (fka Email)) is already listed—this is expected.

2.    Choose Add parameter to create a new, custom parameter.

3.    In the New Field dialog, for Field name, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier.

4.    For Flags, select the Include in SAML assertion check box.

5.    Choose Save.

6.    For Value, choose Email from the list.

7.    Choose Save.

Copy the IdP metadata for your OneLogin application

1.    Choose SSO.

2.    Under Issuer URL, copy the URL to your clipboard.

3.    Choose Save to save all your changes to your OneLogin application.

Configure OneLogin as the SAML IdP in Amazon Cognito

For more information, see Creating and Managing a SAML Identity Provider for a User Pool (AWS Management Console). Follow the instructions under To configure a SAML 2.0 identity provider in your user pool.

When creating the SAML IdP, for Metadata document, paste the Issuer URL you copied.

Map the email address from the IdP attribute to the user pool attribute

For more information, see Specifying Identity Provider Attribute Mappings for Your User Pool. Follow the instructions under To specify a SAML provider attribute mapping.

When adding a SAML attribute under Attribute mapping, for SAML Attribute, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier. For User pool attribute, choose Email from the list.

Change the app client settings in Amazon Cognito

Note: This is an example setup for testing purposes. For a production setup, it's a best practice to use the Authorization code grant OAuth flow for your app client settings. When you use that flow, you receive an authorization code after authentication in your redirect URL. You must exchange the authorization code for JSON web tokens (JWTs) by making a request to the TOKEN endpoint.

1.    In the Amazon Cognito console management page for your user pool, under App integration, choose App client settings. Then, do the following:
Under Enabled identity providers, select the Select all check box.
For Callback URL(s), enter a URL where you want your users to be redirected after logging in. For testing, you can enter any valid URL, such as https://www.example.com.
For Sign out URL(s), enter a URL where you want your users to be redirected after logging out. For testing, you can enter any valid URL, such as https://www.example.com.
Under Allowed OAuth Flows, select at least the Implicit grant check box.
Under Allowed OAuth Scopes, select at least the email and openid check boxes.

2.    Choose Save changes.

For more information, see App Client Settings Overview.

Test the login endpoint

1.    In your browser, enter https://yourDomainPrefix.auth.region.amazoncognito.com/login?response_type=token&client_id=yourClientId&redirect_uri=redirectUrl.

Note: Replace yourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the Domain name tab of the management page for your user pool.

Replace yourClientId with your app client ID, and replace redirectUrl with your app client callback URL. Find them in the Amazon Cognito console on the App client settings tab of the management page for your user pool.

For more information, see How do I configure the hosted web UI for Amazon Cognito? and LOGIN Endpoint.

2.    Choose OneLogin.

Note: If you're redirected to your app client's callback URL, then you're already logged in to your OneLogin account in your browser. Everything is set up correctly.

3.    On the OneLogin page, for Username, enter your OneLogin account user name.

4.    Choose Continue.

5.    For Password, enter your OneLogin account password.

6.    Choose Continue.

If you're redirected to your app client's callback URL, then everything is set up correctly.
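The test above uses the implicit grant (`response_type=token`), which hands the tokens back in the URL fragment; the note in the app client settings section recommends the authorization code grant for production, where the callback carries a one-time code that the application exchanges at the TOKEN endpoint. The following Python snippet is an added example, not code from the AWS article or from Amazon Cognito: it builds the LOGIN endpoint URL for either flow, parses whichever form the callback takes, builds the `/oauth2/token` request for the code exchange, and lists the ID token claim checks a relying party should make after verifying the signature against the pool's JWKS. The pool, client and domain values are constructed placeholders, and the sample ID token is an unsigned, constructed one used only to show the claim checks.

```python
"""Added example (not from the AWS article): hosted UI login URL for the
implicit (test) and authorization code (production) flows, callback parsing,
the TOKEN endpoint exchange, and ID token claim checks."""
import base64
import json
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder values; substitute your own.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE01"
DOMAIN_PREFIX = "my-test-prefix"
CLIENT_ID = "1234567890abcdefghijklmnop"
REDIRECT_URI = "https://www.example.com"

HOSTED_UI = f"https://{DOMAIN_PREFIX}.auth.{REGION}.amazoncognito.com"
# Issuer of every token a user pool signs; its JWKS is at ISSUER + "/.well-known/jwks.json".
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def login_url(response_type="code", scopes=("openid", "email")):
    """LOGIN endpoint URL. 'token' is the implicit grant used in the article's
    test; 'code' is the authorization code grant recommended for production."""
    if response_type not in ("code", "token"):
        raise ValueError("response_type must be 'code' or 'token'")
    query = {
        "response_type": response_type,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
    }
    return f"{HOSTED_UI}/login?{urlencode(query)}"


def parse_callback(url):
    """Parameters Cognito appended to the callback URL.
    Implicit grant: tokens arrive in the fragment (after '#').
    Code grant: a one-time code arrives in the query string (after '?')."""
    parts = urlsplit(url)
    params = parse_qs(parts.fragment) if parts.fragment else parse_qs(parts.query)
    return {k: v[0] for k, v in params.items()}


def token_request(code, client_secret=None):
    """Build the POST that exchanges an authorization code for JWTs at the TOKEN
    endpoint. Returns (url, headers, body) for use with any HTTP client."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the redirect_uri used at login
    }
    if client_secret:  # app clients with a secret authenticate with HTTP Basic
        creds = base64.b64encode(f"{CLIENT_ID}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    return f"{HOSTED_UI}/oauth2/token", headers, urlencode(body)


def jwt_payload(token):
    """Decode a JWT payload for inspection only; this does NOT verify the signature."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def check_id_token_claims(payload, now=None):
    """Claim checks to run after the signature has been verified against the
    pool's JWKS. Returns a list of problems; empty means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != ISSUER:
        problems.append("iss does not match the user pool")
    if payload.get("aud") != CLIENT_ID:
        problems.append("aud does not match this app client")
    if payload.get("token_use") != "id":
        problems.append("token_use is not 'id'")
    if payload.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems


def constructed_jwt(payload):
    """Unsigned token built for the demo only; a real verifier must reject alg 'none'."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


if __name__ == "__main__":
    print(login_url("token"))   # the URL the article's test step uses
    print(login_url("code"))    # the production variant
    demo = constructed_jwt({"iss": ISSUER, "aud": CLIENT_ID, "token_use": "id",
                            "exp": int(time.time()) + 3600})
    print(check_id_token_claims(jwt_payload(demo)))  # []
```

The `redirect_uri` in `token_request` is repeated deliberately: the TOKEN endpoint rejects an exchange whose redirect URI differs from the one sent at login, which is what stops a code captured on one callback from being redeemed elsewhere. `jwt_payload` is for looking at claims while debugging a mapping; in an application the signature check against the pool's JWKS comes first, and `check_id_token_claims` runs afterwards.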


Published: 2019-02-14