SSO configuration using AWS Cognito and ForgeRock OpenAM with SAML assertion
In this article, I will demonstrate how to configure SSO (single sign-on) using AWS Cognito and ForgeRock OpenAM with a SAML assertion.
AWS Cognito already provides sign-in through social identity providers such as Google and Facebook, and of course through its own user directory. But organizations that use ForgeRock OpenAM for enterprise identity and access management want every on-premise or cloud application to leverage the OpenAM identity and access control to securely access the various cloud services.
1. The user opens the browser or mobile app and initiates login; the app starts an OIDC authorization code flow with the openid and profile scopes against Cognito.
2. Cognito posts a pre-defined SAML AuthnRequest to ForgeRock OpenAM (SP-initiated SSO).
3. OpenAM redirects the user to its login page.
4. The user provides the credentials.
5. If the credentials are valid (checked on the OpenAM side), OpenAM passes a signed SAML assertion to the Cognito user pool. Cognito validates the signature against the certificate in the IdP metadata uploaded earlier.
6. Cognito creates or updates the user profile in the Cognito user pool, using the attribute mapping.
7. Cognito returns the authorization code (or tokens, depending on the grant) to the web or mobile application at its redirect URL.
Please note: the authorization code delivered to the redirect URL can be exchanged only once for the access_token and refresh_token (and id_token) from Cognito. A second call with the same code is answered with a bad request.
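The client side of steps 1 and 7 above, as an added example (not code from the article): it builds the Cognito hosted-UI authorize URL that jumps straight to the openam provider, adds a state value and PKCE (the caveat a practitioner wants for mobile or browser clients that cannot keep a client secret), checks the state on the callback, and redeems the code once, turning Cognito's HTTP 400 invalid_grant reply for a reused code into a clear error. The domain prefix, region, client id and redirect URI are placeholders, not the article's values.

```python
import base64
import hashlib
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

# Placeholder values for the example (assumed; not the article's real pool or client).
DOMAIN_PREFIX = "myapp"          # Cognito hosted-UI domain prefix
REGION = "eu-west-1"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def hosted_ui_base(domain_prefix: str = DOMAIN_PREFIX, region: str = REGION) -> str:
    # Cognito hosted-UI/OAuth2 endpoints live under this host.
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com"


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for PKCE with the S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(state: str, code_challenge: str, identity_provider: str = "openam") -> str:
    """Step 1 of the flow: the app sends the browser here. identity_provider skips the
    hosted-UI provider chooser, so Cognito immediately sends the SAML AuthnRequest to OpenAM."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "identity_provider": identity_provider,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{hosted_ui_base()}/oauth2/authorize?{urllib.parse.urlencode(params)}"


def code_from_callback(query: str, expected_state: str) -> str:
    """On the redirect back, verify state before touching the code (CSRF guard)."""
    q = urllib.parse.parse_qs(query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: ignoring callback")
    return q["code"][0]


def build_token_request(code: str, code_verifier: str) -> dict:
    """Form body for POST /oauth2/token (application/x-www-form-urlencoded)."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": code_verifier,
    }


def exchange_code(code: str, code_verifier: str) -> dict:
    """Step 7: redeem the code exactly once. Cognito answers a reused, expired or
    mismatched code with HTTP 400 {"error": "invalid_grant"}; surface that clearly."""
    body = urllib.parse.urlencode(build_token_request(code, code_verifier)).encode()
    req = urllib.request.Request(
        f"{hosted_ui_base()}/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)  # access_token, id_token, refresh_token, ...
    except urllib.error.HTTPError as e:
        err = json.loads(e.read() or b"{}").get("error", "unknown")
        if e.code == 400 and err == "invalid_grant":
            raise RuntimeError("authorization code already used, expired, or wrong code_verifier") from e
        raise


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(state, challenge))
    # After the user returns: code = code_from_callback(query_string, state)
    # tokens = exchange_code(code, verifier)
```

Keep the state and code_verifier server-side (or in app memory) between the redirect and the callback; if a confidential client uses a client secret instead of PKCE, it goes in an HTTP Basic Authorization header on the token request rather than in the body.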
Create a few test users in OpenAM: log in, navigate to Realms > AWS > Subjects > New, create the user, and then edit the same user to add an email address (it is needed for the attribute mapping on the Cognito side).
Going back to the AWS Cognito side for the remaining configuration (STEP 1, continued):
Log in to the AWS console and navigate to Cognito > Federation > Identity providers > SAML. First upload the idmmetada.xml file (the OpenAM IdP metadata downloaded earlier); set the provider name to openam and the identifier to openam.example.com, then create the provider.
Then set the attribute mapping as shown below (the SAML attributes sent by OpenAM, such as the email address, mapped to the user pool attributes):
Now go to App Integration > App client settings. This is where the openam provider is enabled for the app client and where the callback URL, the allowed OAuth flow (authorization code grant) and the openid and profile scopes used in the flow above are set.
Save the changes.
STEP 3: Set up Cognito as a Service Provider in OpenAM
- Prepare the SP metadata XML file for Cognito. Log in to OpenAM again and navigate to Realms > AWS > Create SAMLv2 Providers > Register Remote Service Provider.
Choose File and create a spaws.xml file with the following template -
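The article's own template is not reproduced here. As an added example (not the author's file), the following script generates the SP metadata that describes a Cognito user pool to OpenAM and parses it back to check the two values OpenAM actually relies on: the entity ID (urn:amazon:cognito:sp:<user pool id>) and the assertion consumer service URL (the hosted-UI domain's /saml2/idpresponse endpoint, HTTP-POST binding). The user pool id, region and domain prefix are placeholders; the persistent NameID format is an assumption, chosen because Cognito keys the federated user on the NameID, and WantAssertionsSigned is set because Cognito checks the assertion signature.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def cognito_sp_metadata(user_pool_id: str, region: str, domain_prefix: str) -> str:
    """Build SP metadata for a Cognito user pool (the content of spaws.xml).
    NameIDFormat persistent is an assumed choice; Cognito does not mandate one."""
    entity_id = f"urn:amazon:cognito:sp:{user_pool_id}"
    acs_url = f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse"
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{entity_id}">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{POST_BINDING}"
        Location="{acs_url}" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract entityID, ACS URL and binding so they can be checked against the
    Cognito console before the file is registered in OpenAM."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    acs = root.find(f"{{{MD_NS}}}SPSSODescriptor/{{{MD_NS}}}AssertionConsumerService")
    if acs is None:
        raise ValueError("no AssertionConsumerService in SP metadata")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "binding": acs.get("Binding"),
    }


def acs_matches_pool(meta: dict, user_pool_id: str, region: str, domain_prefix: str) -> bool:
    """Sanity check: the metadata must point at this pool's own ACS endpoint."""
    return (meta["entity_id"] == f"urn:amazon:cognito:sp:{user_pool_id}"
            and meta["acs_url"] == f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse"
            and meta["binding"] == POST_BINDING)


if __name__ == "__main__":
    # Placeholder values (assumed), not the article's pool.
    xml_text = cognito_sp_metadata("eu-west-1_EXAMPLE1", "eu-west-1", "myapp")
    with open("spaws.xml", "w", encoding="utf-8") as f:
        f.write(xml_text)
    print(parse_sp_metadata(xml_text))
```

Register the resulting spaws.xml in the AWS realm as the remote service provider; the entity ID in it must match the urn the Cognito console shows for the user pool, and the ACS URL must use the hosted-UI domain configured for that pool, otherwise OpenAM will post the assertion to an endpoint Cognito does not own.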