AWS Cognito with Okta Integration - AniketDani/Amazon-Web-Services GitHub Wiki
Integrating Okta with Amazon Cognito for Active Directory (AD) integration involves setting up Okta as a SAML or OIDC identity provider (IdP) for Cognito, while Okta itself is connected to your on-premises or cloud-based AD. Here's a high-level overview of how to achieve this:
✅ Step-by-Step Integration Guide
1. Set Up AD Integration in Okta
   In Okta, configure AD integration using the Okta AD Agent. This allows Okta to sync users and groups from your AD. Ensure users are assigned to the appropriate applications in Okta.
2. Configure Okta as a SAML IdP for Cognito
   In Okta:
   - Create a new SAML 2.0 application.
   - Set the Single Sign-On URL to your Cognito SAML endpoint: https://<your_domain>.auth.<region>.amazoncognito.com/saml2/idpresponse
   - Set the Audience URI (SP Entity ID) to your Cognito User Pool SAML provider name.
   - Configure attribute statements (e.g., email, name, groups).
   In Cognito:
   - Go to User Pools > Federation > Identity providers.
   - Choose SAML and configure it with the metadata from Okta.
   - Set up attribute mapping (e.g., map email to email, name to name).
3. Configure App Client and Domain in Cognito
   - Create or update an App Client in Cognito to enable SAML-based login.
   - Set up a Cognito domain or use a custom domain for the hosted UI.
   - Enable the SAML IdP in the App client settings.
4. Test the Integration
   - Navigate to the Cognito hosted UI login page.
   - Choose the Okta SAML IdP.
   - Authenticate using your AD credentials via Okta.
   - Verify that the user is redirected back to Cognito and logged in.
🔐 Optional Enhancements
- Use OIDC instead of SAML: Okta also supports OIDC, which can simplify integration.
- Group-based access control: Map AD groups to Cognito groups via Okta.
- Custom UI: Use Cognito’s hosted UI or build your own with Amplify or other frameworks.
A multi-tenant identity federation scenario where:
- Your application uses Amazon Cognito for authentication.
- External organizations (your customers or partners) want to use their own Active Directory (AD) for login.
- They do not want to create separate accounts in your Cognito user pool.

This is a common use case, and the solution is to federate Cognito with external identity providers (IdPs) that are connected to those organizations' ADs.
✅ Recommended Architecture
- The external organization connects their AD to Okta (or Azure AD, ADFS, etc.).
- Okta acts as a SAML or OIDC IdP.
- You configure Cognito to federate with Okta using SAML or OIDC.
- Users from the external organization authenticate via their AD → Okta → Cognito.
- Cognito issues tokens to your app without creating a user in the user pool (optional, depending on your needs).
🔧 Implementation Steps
1. External Org Sets Up Okta with AD
   - They install the Okta AD Agent to sync users from their AD.
   - They expose Okta as a SAML or OIDC IdP.
2. You Configure Cognito to Trust Okta
   In your Cognito User Pool:
   - Go to Federation > Identity providers.
   - Choose SAML or OIDC.
   - Enter the metadata from the external org’s Okta instance.
   - Set up attribute mapping (e.g., email, name, groups).
3. Configure App Client Settings
   - Enable the new IdP in your App Client settings.
   - Set up callback URLs and sign-out URLs.
   - Use the Cognito Hosted UI or a custom UI to initiate login.
4. (Optional) Skip User Pool Account Creation
   Cognito can be configured to not persist users in the user pool by using federated identities (Identity Pools) instead. This is useful if you only need temporary AWS credentials and don’t want to manage user profiles.
🧠 Key Considerations
- Security: Use signed SAML assertions or OIDC tokens.
- User Attributes: Ensure the external IdP sends the required claims (email, name, etc.).
- Multi-Tenant Support: You can configure multiple IdPs in Cognito, one per external org.
- User Management: If you need to manage user roles or permissions, consider mapping groups or roles from the IdP.
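As an added example (not code from this wiki), the Cognito side of the multi-tenant setup above in Python with boto3: one SAML identity provider per external organization, an app client that accepts only those providers (no local accounts), and selection of the right provider from the user's e-mail domain for the hosted UI. The pool id, domain, client id, tenant names, metadata URLs and attribute statement names are constructed placeholders.

```python
from urllib.parse import urlencode

# Constructed sample values; replace with your own pool, domain and tenants.
USER_POOL_ID = "us-east-1_EXAMPLE"
REGION = "us-east-1"
COGNITO_DOMAIN = "example-app"  # prefix of <domain>.auth.<region>.amazoncognito.com
TENANTS = [  # one entry per external org: its Okta SAML metadata URL and the e-mail domains it owns
    {"name": "OktaAcme", "metadata_url": "https://acme.okta.example/app/saml/metadata",
     "email_domains": ["acme.example"]},
    {"name": "OktaGlobex", "metadata_url": "https://globex.okta.example/app/saml/metadata",
     "email_domains": ["globex.example", "mail.globex.example"]},
]

def cognito_saml_endpoints(domain, region, pool_id):
    """Values each org enters in its Okta SAML app: ACS URL and SP entity ID."""
    return {"sso_url": f"https://{domain}.auth.{region}.amazoncognito.com/saml2/idpresponse",
            "audience_uri": f"urn:amazon:cognito:sp:{pool_id}"}

def identity_provider_params(pool_id, tenant):
    """Arguments for cognito-idp CreateIdentityProvider for one tenant's Okta."""
    return {"UserPoolId": pool_id, "ProviderName": tenant["name"], "ProviderType": "SAML",
            "ProviderDetails": {"MetadataURL": tenant["metadata_url"]},
            # Cognito attribute -> SAML attribute statement name as configured in Okta (assumed names);
            # custom:groups must already exist as a mutable custom attribute on the pool.
            "AttributeMapping": {"email": "email", "name": "name", "custom:groups": "groups"}}

def app_client_params(pool_id, client_id, tenants, callback_url, logout_url):
    """Arguments for UpdateUserPoolClient: enable every tenant IdP, and only those."""
    return {"UserPoolId": pool_id, "ClientId": client_id,
            "SupportedIdentityProviders": [t["name"] for t in tenants],  # "COGNITO" omitted on purpose
            "CallbackURLs": [callback_url], "LogoutURLs": [logout_url],
            "AllowedOAuthFlows": ["code"], "AllowedOAuthScopes": ["openid", "email", "profile"],
            "AllowedOAuthFlowsUserPoolClient": True}

def provider_for_email(email, tenants):
    """Home-realm discovery: pick the tenant IdP from the e-mail domain, None if unknown."""
    domain = email.rsplit("@", 1)[-1].lower()
    return next((t["name"] for t in tenants if domain in t["email_domains"]), None)

def hosted_ui_login_url(domain, region, client_id, redirect_uri, provider_name):
    """Hosted UI authorize URL that sends the user straight to their org's Okta."""
    query = urlencode({"client_id": client_id, "response_type": "code", "scope": "openid email profile",
                       "redirect_uri": redirect_uri, "identity_provider": provider_name})
    return f"https://{domain}.auth.{region}.amazoncognito.com/oauth2/authorize?{query}"

def apply_with_boto3(client_id, callback_url, logout_url):
    """Perform the real API calls; boto3 is imported here so the builders stay testable offline."""
    import boto3
    idp = boto3.client("cognito-idp", region_name=REGION)
    for tenant in TENANTS:
        idp.create_identity_provider(**identity_provider_params(USER_POOL_ID, tenant))
    idp.update_user_pool_client(**app_client_params(USER_POOL_ID, client_id, TENANTS, callback_url, logout_url))
```

Run `apply_with_boto3()` with credentials that may administer the pool; the `sso_url` and `audience_uri` from `cognito_saml_endpoints()` are what you hand to each organization for their Okta SAML app.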