
Example scenario: bookmark Amazon Cognito apps in an enterprise dashboard

You can create bookmarks in your SAML or OIDC IdP dashboards that give users SSO access to web applications through Amazon Cognito user pools. You can link to Amazon Cognito in a way that doesn't require users to sign in with the hosted UI. To do this, add a sign-in bookmark to your portal that redirects to the Authorize endpoint of your Amazon Cognito user pool in the following format.

https://mydomain.us-east-1.amazoncognito.com/authorize?response_type=code&identity_provider=MySAMLIdP&client_id=1example23456789&redirect_uri=https://www.example.com

Note

You can also use an idp_identifier parameter instead of an identity_provider parameter in your request to the authorization endpoint. An IdP identifier is an alternative name or email domain that you can configure when you create an identity provider in your user pool. See SAML identity provider names and identifiers.

When you use the appropriate parameters in your request to /authorize, Amazon Cognito silently begins the SP-initiated sign-in flow and redirects your user to sign in with your IdP.

To get started, add a SAML IdP in your user pool. Create an app client that uses your SAML IdP for sign-in, and has the URL for your app as an authorized callback URL. For more information about app clients, see User pool app clients.

Before you deploy this authenticated access to your portal, test SP-initiated sign-in to your app from your hosted UI. For more information about how to configure a SAML IdP in Amazon Cognito, see Configuring your third-party SAML identity provider.

The following diagram shows an authentication flow that emulates IdP-initiated SSO. Your users can authenticate with Amazon Cognito from a link in your company portal.

[Diagram: Amazon Cognito SAML sign-in that begins at an enterprise application dashboard.]

After you meet the requirements, create a bookmark to your Authorize endpoint that includes either an identity_provider or an idp_identifier parameter. User authentication proceeds as follows.

  1. Your user signs in to the SSO IdP dashboard. Enterprise applications that the user is authorized to access populate this dashboard.

  2. Your user chooses the link to the application that authenticates with Amazon Cognito. In many SSO portals, you can add a custom app link. Any feature that you can use to create a link to a public URL in your SSO portal will work.

  3. Your custom app link in the SSO portal directs the user to the user pool Authorize endpoint. The link includes parameters for response_type, client_id, redirect_uri and identity_provider. The identity_provider parameter is the name that you gave the IdP in your user pool. You can use an idp_identifier parameter instead of the identity_provider parameter. Because the link contains either an idp_identifier or an identity_provider parameter, the user bypasses the hosted UI sign-in page and navigates directly to authenticate with your IdP. For more information about naming SAML IdPs, see SAML identity provider names and identifiers.

    Example URL

    https://mydomain.us-east-1.amazoncognito.com/authorize?response_type=code&identity_provider=MySAMLIdP&client_id=1example23456789&redirect_uri=https://www.example.com

  4. Amazon Cognito redirects the user session to your IdP with a SAML request.

  5. Your user might have received a session cookie from your IdP when they signed in to the dashboard. Your IdP uses this cookie to validate the user silently and redirect them to the Amazon Cognito idpresponse endpoint with a SAML response. If no active session exists, your IdP reauthenticates the user before it posts the SAML response.

  6. Amazon Cognito validates the SAML response and creates or updates the user profile based on the SAML assertion.

  7. Amazon Cognito redirects the user to your internal app with an authorization code. You configured your internal app URL as an authorized redirect URL for your app client.

  8. Your app exchanges the authorization code for Amazon Cognito tokens. For more information, see Token endpoint.
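The bookmark construction (step 3), the callback handling (step 7) and the token-exchange request body (step 8) as an added Python example; this is not code from the Amazon Cognito documentation or an AWS SDK. The domain, client ID, IdP name and callback URL are the page's sample values, and ALLOWED_CALLBACKS is an assumed stand-in for the callback URLs registered on the app client.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values taken from the page's example URL (not real resources).
COGNITO_DOMAIN = "https://mydomain.us-east-1.amazoncognito.com"
CLIENT_ID = "1example23456789"
# Assumed: the callback URLs registered on the app client. Cognito only redirects
# to an exact match, so the bookmark's redirect_uri must be one of these.
ALLOWED_CALLBACKS = {"https://www.example.com"}


def build_bookmark_url(domain, client_id, redirect_uri, allowed_callbacks,
                       identity_provider=None, idp_identifier=None):
    """Build the /authorize bookmark that starts SP-initiated sign-in (step 3)."""
    if (identity_provider is None) == (idp_identifier is None):
        raise ValueError("pass exactly one of identity_provider or idp_identifier")
    # Check against the registered callbacks before publishing the link so a typo
    # does not ship a bookmark that fails only when a user clicks it.
    if redirect_uri not in allowed_callbacks:
        raise ValueError(f"redirect_uri {redirect_uri!r} is not a registered callback URL")
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri}
    if identity_provider is not None:
        params["identity_provider"] = identity_provider   # IdP name in the user pool
    else:
        params["idp_identifier"] = idp_identifier         # alternative name or email domain
    return f"{domain}/authorize?{urlencode(params)}"


def extract_auth_code(callback_url, allowed_callbacks):
    """Pull the authorization code off the redirect back to the app (step 7)."""
    parts = urlsplit(callback_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base not in allowed_callbacks:
        raise ValueError("callback arrived at an unexpected URL")
    codes = parse_qs(parts.query).get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request_body(client_id, code, redirect_uri):
    """Form body the app POSTs to the user pool token endpoint (step 8)."""
    return urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "code": code, "redirect_uri": redirect_uri})


if __name__ == "__main__":
    url = build_bookmark_url(COGNITO_DOMAIN, CLIENT_ID, "https://www.example.com",
                             ALLOWED_CALLBACKS, identity_provider="MySAMLIdP")
    print(url)
    code = extract_auth_code("https://www.example.com?code=abc123", ALLOWED_CALLBACKS)
    print(token_request_body(CLIENT_ID, code, "https://www.example.com"))
```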