Integrating Auth0 as a SAML 2.0 Identity Provider (IdP) with Amazon Cognito User Pool: A Step-by-Step Guide

Amazon Cognito user pools provide a robust and secure way to manage user identities, but sometimes you might want to integrate third-party identity providers like Auth0 to enhance your authentication and authorization process. In this tutorial, we will walk you through the process of setting up Auth0 as a SAML 2.0 Identity Provider (IdP) with Amazon Cognito User Pool. This integration allows users to log in through Auth0 and obtain user pool tokens from Amazon Cognito. Let’s get started.

Prerequisites

Before you begin, make sure you have the following:

  • An Amazon Web Services (AWS) account with appropriate permissions.
  • An Auth0 account.
  • Familiarity with AWS services, including Amazon Cognito User Pool.
  • Basic knowledge of SAML (Security Assertion Markup Language) concepts.

Step 1: Create an Amazon Cognito User Pool

  1. Log in to your AWS Management Console.
  2. Navigate to Amazon Cognito.
  3. Create a new user pool by following the steps in the Amazon Cognito User Pool tutorial. Note: The standard attribute “email” is selected by default, which is essential for this integration. You can configure additional user pool attributes as needed.
  4. Set up the hosted UI with the Amazon Cognito console. This UI will be used for user login.
  5. Add a domain name for your user pool to make it accessible.

Step 2: Sign Up for an Auth0 Account

  1. If you don’t have an Auth0 account, visit the Auth0 Sign Up page and enter your email address and a password to get started. If you already have an Auth0 account, log in.

Step 3: Create an Auth0 Application

  1. Access the Auth0 dashboard.
  2. Choose “Applications,” and then click on “Create Application.”
  3. Provide a name for your application (e.g., “My App”).
  4. Under “Choose an application type,” select “Single Page Web Applications.”
  5. Click “Create” to create the Auth0 application.

Step 4: Create a Test User for Your Auth0 Application

  1. In the Auth0 dashboard, navigate to “User Management” and then select “Users.”
  2. Choose “Create Your First User” or “Create User” if you’ve already created users.
  3. Enter an email and password for the test user.
  4. Click “Save.”

Step 5: Configure SAML Settings for Your Auth0 Application

  1. In the Auth0 dashboard, go to “Applications.”
  2. Select the name of the application you created.
  3. On the “Addons” tab, enable “SAML2 Web App.”
  4. In the “Addon: SAML2 Web App” dialog box, go to the “Settings” tab.
  5. For “Application Callback URL,” enter: https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse. Replace yourDomainPrefix and region with your actual user pool values. You can find them in the Amazon Cognito console on the “Domain name” tab.
  6. Configure the following settings:
    • For “Audience,” replace the default value (urn:foo) with urn:amazon:cognito:sp:yourUserPoolId. Replace yourUserPoolId with your Amazon Cognito user pool ID, which can be found in the Amazon Cognito console on the “General settings” tab.
    • For any other attributes required by your Amazon Cognito user pool, delete the comment delimiters (//) and configure accordingly.
    • For “nameIdentifierFormat,” delete the comment delimiters (//) and replace the default value with urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
  7. (Optional) Choose “Debug” and log in as the test user you created to confirm the configuration works.
  8. Choose “Enable,” and then click “Save.”

Step 6: Get the IdP Metadata for Your Auth0 Application

  1. In the “Addon: SAML2 Web App” dialog box (Auth0 dashboard), go to the “Usage” tab.
  2. Find “Identity Provider Metadata” and either copy the URL by right-clicking or download the .xml metadata file.

Step 7: Configure Auth0 as SAML IdP in Amazon Cognito

  1. In the Amazon Cognito console, follow the instructions under “Creating and managing a SAML identity provider for a user pool” to configure Auth0 as the SAML IdP.
  2. When creating the SAML IdP, for “Metadata document,” either paste the Identity Provider Metadata URL or upload the .xml metadata file.

Step 8: Map Email Address from IdP Attribute to User Pool Attribute

  1. In the Amazon Cognito console, follow the instructions under “Specifying identity provider attribute mappings for your user pool” to map the email address from the IdP attribute to the user pool attribute.
  2. For “SAML Attribute,” enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. For “User pool attribute,” choose “Email” from the list.
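Before saving the values from Steps 5 through 8, it helps to check them mechanically, since a mismatched Audience, NameID format or callback URL is the usual reason Cognito rejects the Auth0 assertion. The following script is an added example, not part of the original guide or of Auth0's or AWS's own tooling: it compares the Auth0 SAML2 Web App addon settings against what the user pool expects (assuming the addon's JSON keys `audience`, `nameIdentifierFormat` and `mappings`) and pulls the entityID, HTTP-POST SSO endpoint and certificate out of the IdP metadata from Step 6. The user pool ID, domain prefix, region and metadata document are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder values; substitute your own user pool values.
POOL_ID, DOMAIN_PREFIX, REGION = "us-east-1_EXAMPLE", "myapp", "us-east-1"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_sp_settings(settings, callback_url, pool_id, domain_prefix, region):
    """Step 5 checks: return a list of mismatches between the Auth0 SAML2 Web App
    addon settings (assumed JSON keys: audience, nameIdentifierFormat, mappings)
    and what the Cognito user pool expects. An empty list means all good."""
    problems = []
    expected_cb = f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse"
    if callback_url != expected_cb:
        problems.append(f"Application Callback URL must be {expected_cb}")
    if settings.get("audience") != f"urn:amazon:cognito:sp:{pool_id}":
        problems.append("audience must be urn:amazon:cognito:sp:<userPoolId>, not urn:foo")
    if settings.get("nameIdentifierFormat") != PERSISTENT:
        problems.append("nameIdentifierFormat must be the persistent NameID format")
    # Step 8 maps this claim to the pool's email attribute, so Auth0 must emit it.
    if EMAIL_CLAIM not in settings.get("mappings", {}).values():
        problems.append("no Auth0 user attribute is mapped to the emailaddress claim")
    return problems

def summarize_idp_metadata(xml_text):
    """Step 6 checks: pull out of the IdP metadata what Cognito needs to trust
    Auth0: the entityID, the HTTP-POST SSO endpoint and a signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; not an IdP document")
    post_urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") == POST_BINDING]
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),
            "sso_post_url": post_urls[0] if post_urls else None,
            "has_signing_cert": any(c.text and c.text.strip() for c in certs)}

# Constructed sample IdP metadata (standard SAML metadata shape); the cert is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example-tenant.auth0.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIC...PLACEHOLDER...</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example-tenant.auth0.com/samlp/EXAMPLE"/>
  </IDPSSODescriptor></EntityDescriptor>"""
```

Run `check_sp_settings` on the addon JSON you are about to save and `summarize_idp_metadata` on the downloaded .xml file; if the summary shows no certificate or no HTTP-POST endpoint, re-download the metadata before uploading it to Cognito.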

Step 9: Change App Client Settings in Amazon Cognito

  1. In the Amazon Cognito console, go to “App integration” and select “App client settings” for your user pool.
  2. Under “Enabled identity providers,” select both “Auth0” and “Cognito User Pool.”
  3. For “Callback URL(s),” enter a URL where you want users to be redirected after logging in (e.g., https://www.amazon.com).
  4. For “Sign out URL(s),”
