Example scenario: bookmark Amazon Cognito apps in an enterprise dashboard - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Example scenario: bookmark Amazon Cognito apps in an enterprise dashboard

You can create bookmarks in your SAML or OIDC IdP dashboards that provide Amazon Cognito user pools SSO access to web applications. You can link to Amazon Cognito in a way that doesn't require users to sign in with the hosted UI. To do this, add a sign-in bookmark to your portal that redirects to the Authorize endpoint of your Amazon Cognito user pool in the following format.



You can also use an idp_identifier parameter instead of an identity_provider parameter in your request to the authorization endpoint. An IdP identifier is an alternative name or email domain that you can configure when you create an identity provider in your user pool. See SAML identity provider names and identifiers.

When you use the appropriate parameters in your request to /authorize, Amazon Cognito silently begins the SP-initiated sign-in flow and redirects your user to sign in with your IdP.

To get started, add a SAML IdP in your user pool. Create an app client that uses your SAML IdP for sign-in, and has the URL for your app as an authorized callback URL. For more information about app clients, see User pool app clients.

Before you deploy this authenticated access to your portal, test SP-initiated sign-in to your app from your hosted UI. For more information about how to configure a SAML IdP in Amazon Cognito, see Configuring your third-party SAML identity provider.

The following diagram shows an authentication flow that emulates IdP-initiated SSO. Your users can authenticate with Amazon Cognito from a link in your company portal.

Amazon Cognito SAML sign-in that begins at an enterprise application dashboard.

After you meet the requirements, create a bookmark to your Authorize endpoint that includes either an identity_provider or an idp_identifier parameter. User authentication proceeds as follows.

  1. Your user signs in to the SSO IdP dashboard. Enterprise applications that the user is authorized to access populate this dashboard.

  2. Your user chooses the link to the application that authenticates with Amazon Cognito. In many SSO portals, you can add a custom app link. Any feature that you can use to create a link to a public URL in your SSO portal will work.

  3. Your custom app link in the SSO portal directs the user to the user pool Authorize endpoint. The link includes parameters for response_type, client_id, redirect_uri and identity_provider. The identity_provider parameter is the name that you gave the IdP in your user pool. You can also use an idp_identifier parameter instead of the identity_provider parameter. A user accesses your federation endpoint from a link that contains either a idp_identifier or identity_provider parameter. This user bypasses the sign-in page and navigates directly to authenticate with your IdP. For more information about naming SAML IdPs, see SAML identity provider names and identifiers.

    Example URL

    https://mydomain.us-east-1.amazoncognito.com/authorize? response_type=code& identity_provider=MySAMLIdP& client_id=1example23456789& redirect_uri=https://www.example.com
  4. Amazon Cognito redirects the user session to your IdP with a SAML request.

  5. Your user might have received a session cookie from your IdP when they signed in to the dashboard. Your IdP uses this cookie to validate the user silently and redirect them to the Amazon Cognito idpresponse endpoint with a SAML response. If no active session exists, your IdP reauthenticates the user before it posts the SAML response.

  6. Amazon Cognito validates the SAML response and creates or updates the user profile based on the SAML assertion.

  7. Amazon Cognito redirects the user to your internal app with an authorization code. You configured your internal app URL as an authorized redirect URL for your app client.

  8. Your app exchanges the authorization code for Amazon Cognito tokens. For more information, see Token endpoint.