Adding and managing SAML identity providers in a user pool
The following procedures demonstrate how to create, modify, and delete SAML providers in an Amazon Cognito user pool.
To set up the SAML IdP to add a user pool as a relying party
- The user pool's service provider URN is urn:amazon:cognito:sp:us-east-1_EXAMPLE, where us-east-1_EXAMPLE is your user pool ID. Amazon Cognito requires an audience restriction value that matches this URN in the SAML response. Configure your IdP to use the following POST binding endpoint for the IdP-to-SP response message: https://mydomain.us-east-1.amazoncognito.com/saml2/idpresponse
- Your SAML IdP must populate NameID and any required attributes for your user pool in the SAML assertion. NameID uniquely identifies your SAML federated user in the user pool. Your IdP must pass each user's SAML name ID in a consistent, case-sensitive format. Any variation in the value of a user's name ID creates a new user profile.
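The following pre-flight checker is an added example, not code from Amazon Cognito or from any IdP vendor. It parses a SAML Response with the Python standard library and checks the two requirements above: the AudienceRestriction must contain the user pool's SP URN, and the response must be addressed to the pool's /saml2/idpresponse endpoint. It also audits a batch of NameID values and flags those that differ only in letter case or surrounding whitespace, since each distinct value would create a separate user profile. The pool ID us-east-1_EXAMPLE and the domain mydomain are the page's placeholders, the sample response is constructed and unsigned, and the checker does not verify the XML signature (Cognito does that against the IdP's certificate); it is meant to be run against a response captured from the browser before the IdP is pointed at the user pool.

```python
"""Sanity checks for a SAML response bound for an Amazon Cognito user pool.

Added example, not Cognito's or any IdP's own code. Signature verification
is deliberately out of scope; only audience, destination and NameID are
checked here.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed values: the placeholders used on the page, not a real pool.
EXPECTED_AUDIENCE = "urn:amazon:cognito:sp:us-east-1_EXAMPLE"
EXPECTED_ACS = "https://mydomain.us-east-1.amazoncognito.com/saml2/idpresponse"


def build_response(name_id, audience, destination):
    """Constructed, minimal, unsigned SAML Response for illustration only."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, expected_audience=EXPECTED_AUDIENCE, expected_acs=EXPECTED_ACS):
    """Return {'ok': bool, 'name_id': str | None, 'problems': [str]}."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        problems.append("root element is not samlp:Response")

    # The IdP sets Destination to the ACS URL it posts to; a mismatch usually
    # means the IdP was configured with the wrong Cognito domain or path.
    dest = root.get("Destination")
    if dest != expected_acs:
        problems.append(f"Destination {dest!r} != {expected_acs!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no saml:Assertion in response")
        return {"ok": False, "name_id": None, "problems": problems}

    # Cognito requires its SP URN among the assertion's audience restrictions.
    audiences = [a.text or "" for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences!r} does not contain {expected_audience!r}")

    # NameID is the key for the federated user profile; it must be present.
    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = name_id_el.text if name_id_el is not None else None
    if not name_id or not name_id.strip():
        problems.append("NameID missing or empty")

    return {"ok": not problems, "name_id": name_id, "problems": problems}


def find_inconsistent_name_ids(name_ids):
    """Group NameID values that Cognito would treat as different users but that
    look like the same person (only case or surrounding whitespace differs).
    Returns {normalized: sorted distinct raw values} for every group with more
    than one raw value; an empty dict means the IdP is emitting them consistently."""
    groups = defaultdict(set)
    for nid in name_ids:
        groups[nid.strip().casefold()].add(nid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    result = check_response(build_response("alice@example.com", EXPECTED_AUDIENCE, EXPECTED_ACS))
    print(result)
    # Constructed NameIDs as seen across several logins from the same IdP.
    print(find_inconsistent_name_ids(["Alice@example.com", "alice@example.com", "bob@example.com"]))
```

A non-empty result from find_inconsistent_name_ids means the IdP is not emitting the name ID in a consistent, case-sensitive format, and the affected users will end up with duplicate profiles in the pool; fix the IdP's NameID mapping rather than trying to merge profiles afterwards.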
To provide a signing certificate to your SAML 2.0 IdP
- To download a copy of the public key from Amazon Cognito that your IdP can use to validate SAML logout requests, choose the Sign-in experience tab of your user pool, select your IdP, and under View signing certificate, choose Download as .crt.
You can delete any SAML provider you have set up in your user pool with the Amazon Cognito console.
To delete a SAML provider
- Sign in to the Amazon Cognito console.
- In the navigation pane, choose User Pools, and choose the user pool you want to edit.
- Choose the Sign-in experience tab and locate Federated identity provider sign-in.
- Select the radio button next to the SAML IdP that you want to delete.
- When you are prompted to Delete identity provider, enter the name of the SAML provider to confirm deletion, and then choose Delete.