Creating and managing a SAML identity provider for a user pool (Amazon CLI and Amazon API) - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Creating and managing a SAML identity provider for a user pool (Amazon CLI and Amazon API)

Use the following commands to create and manage a SAML identity provider (IdP).

To create an IdP and upload a metadata document

  • Amazon CLI: aws cognito-idp create-identity-provider

    Example with metadata file: aws cognito-idp create-identity-provider --user-pool-id <user_pool_id> --provider-name=SAML_provider_1 --provider-type SAML --provider-details file:///details.json --attribute-mapping email=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    Where details.json contains:

    { "MetadataFile": "<SAML metadata XML>" }
    Note

    If the <SAML metadata XML> contains any quotations ("), they must be escaped (\").

    Example with metadata URL: aws cognito-idp create-identity-provider --user-pool-id <user_pool_id> --provider-name=SAML_provider_1 --provider-type SAML --provider-details MetadataURL=<metadata_url> --attribute-mapping email=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  • Amazon API: CreateIdentityProvider

To upload a new metadata document for an IdP

  • Amazon CLI: aws cognito-idp update-identity-provider

    Example with metadata file: aws cognito-idp update-identity-provider --user-pool-id <user_pool_id> --provider-name=SAML_provider_1 --provider-details file:///details.json --attribute-mapping email=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    Where details.json contains:

    { "MetadataFile": "<SAML metadata XML>" }
    Note

    If the <SAML metadata XML> contains any quotations ("), they must be escaped (\").

    Example with metadata URL: aws cognito-idp update-identity-provider --user-pool-id <user_pool_id> --provider-name=SAML_provider_1 --provider-details MetadataURL=<metadata_url> --attribute-mapping email=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  • Amazon API: UpdateIdentityProvider

To get information about a specific IdP

  • Amazon CLI: aws cognito-idp describe-identity-provider

    aws cognito-idp describe-identity-provider --user-pool-id <user_pool_id> --provider-name=SAML_provider_1

  • Amazon API: DescribeIdentityProvider

To list information about all IdPs

  • Amazon CLI: aws cognito-idp list-identity-providers

    Example: aws cognito-idp list-identity-providers --user-pool-id <user_pool_id> --max-results 3

  • Amazon API: ListIdentityProviders

To delete an IdP

  • Amazon CLI: aws cognito-idp delete-identity-provider

    aws cognito-idp delete-identity-provider --user-pool-id <user_pool_id> --provider-name=SAML_provider_1

  • Amazon API: DeleteIdentityProvider