AWS Cognito SAML: The Basics and a Quick Tutorial

What Is AWS Cognito? 

Amazon Web Services (AWS) Cognito is a cloud service designed to handle user authentication, authorization, and user management for web and mobile applications. It supports various authentication methods including social identity providers like Facebook and Google, enterprise identity providers via SAML 2.0, and direct sign-in using email or phone numbers.

Cognito simplifies the process of adding user sign-up, sign-in, and access control to your applications. It provides scalable solutions with built-in security features such as multi-factor authentication (MFA) and encryption of data at rest and in transit.

What Is SAML? 

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider (SP). SAML enables single sign-on (SSO), allowing users to authenticate once and gain access to multiple applications. This is particularly useful in enterprise environments where users need to access numerous services without repeatedly logging in.

SAML works by passing XML-based assertions between the IdP and SP. When a user attempts to access a service, the SP redirects them to the IdP for authentication. Upon successful authentication, the IdP sends a SAML assertion back to the SP, verifying the user’s identity and granting access. This process enhances security by centralizing authentication and reducing password fatigue for users.

What Are Identity Pools in Cognito? 

Identity pools in AWS Cognito allow you to manage access to AWS resources for authenticated and unauthenticated users. They enable the issuance of temporary AWS credentials, which can be used to access services such as S3 and DynamoDB. Identity pools support various identity providers, including SAML 2.0, OpenID Connect (OIDC), and social identity providers like Google and Facebook.

With identity pools, you can implement role-based and attribute-based access control. This flexibility allows you to tailor permissions based on user attributes or roles defined within your application. You can also provide guest access with limited permissions by issuing credentials to users who have not authenticated through an identity provider. This makes it easier to manage user-specific resource access while maintaining security compliance.

Quick Tutorial: Setting up a SAML Provider as an Identity Pool IdP 

Configuring an Identity Pool for a SAML IdP 

To configure your identity pool to use a SAML-based IdP, start by choosing Identity pools from the Amazon Cognito console and selecting an identity pool. Navigate to the User access tab, select Add identity provider, then choose SAML.

Next, select a SAML identity provider from the IAM IdPs in your AWS account or create a new one if necessary. Configure Role settings to assign roles based on user claims, either using a default role or custom rules for granular access control.

Finally, configure attributes for access control by setting principal tags. You can choose to apply no tags, use default mappings based on sub and aud claims, or create custom mappings by specifying tag keys sourced from user claims. 

Once all settings are configured, save your changes. This setup allows Amazon Cognito to issue credentials tailored to users authenticated through your SAML IdP.

Configuring a SAML IdP 

To configure your SAML identity provider (IdP) for use with AWS, establish a relying party between the IdP and AWS. Many IdPs allow you to specify a URL for reading relying party information and certificates from an XML document. For example, AWS uses this URL for its IdP: https://signin.aws.amazon.com/static/saml-metadata.xml.

Next, configure the SAML assertion response from your IdP to include the claims that AWS requires. If your SAML IdP's metadata includes multiple signing certificates, AWS accepts an assertion signed by any one of the certificates in that metadata during sign-in.

Customizing a User Role with SAML 

When using SAML with Amazon Cognito, you can tailor user roles based on their attributes from the identity provider (IdP). The SAML assertion includes a https://aws.amazon.com/SAML/Attributes/Role attribute that specifies pairs of role and provider ARNs. 

You can configure these attributes in the IdP to reflect user-specific information.

If multiple roles are present in the SAML assertion, specify the desired role by setting the customRoleArn parameter when calling getCredentialsForIdentity. This ensures users assume appropriate roles based on their attributes.
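The role-selection logic described above, as an added example that is not code from the article or from AWS: the script parses the Role attribute of a SAML assertion, tells the role ARN apart from the provider ARN by resource type so either ordering of the pair is accepted, and builds the Logins map plus the optional CustomRoleArn that getCredentialsForIdentity expects. The assertion, the account ID 123456789012, the role and provider names and the identity ID are constructed placeholders; the assertion is unsigned because signature verification happens inside Cognito, not in this client-side code.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed, unsigned sample assertion with two role/provider pairs.
# A real assertion is signed by the IdP and Cognito verifies that signature
# server-side; this parser only picks a role and never decides trust.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed">
  <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/CognitoReadOnly,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::123456789012:saml-provider/ExampleIdP,arn:aws:iam::123456789012:role/CognitoAdmin</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_role_pairs(assertion_xml):
    """Return [(role_arn, provider_arn), ...] from the Role attribute.

    Each AttributeValue is 'arn,arn'. The halves are told apart by resource
    type (role/ vs saml-provider/) rather than by position, so either order
    is accepted; anything else is rejected as malformed.
    """
    root = ET.fromstring(assertion_xml)
    pairs = []
    for attr in root.iterfind(".//saml2:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml2:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            roles = [p for p in parts if ":role/" in p]
            providers = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
                raise ValueError("malformed Role value: %r" % value.text)
            pairs.append((roles[0], providers[0]))
    if not pairs:
        raise ValueError("assertion carries no %s attribute" % ROLE_ATTR)
    return pairs


def build_credentials_request(assertion_xml, identity_id, wanted_role=None):
    """Build the keyword arguments for get_credentials_for_identity.

    The Logins map is keyed by the IAM SAML provider ARN and holds the
    base64-encoded assertion. CustomRoleArn is set only when the assertion
    offers several roles, and then it must be one of those roles.
    """
    pairs = parse_role_pairs(assertion_xml)
    roles = [role for role, _ in pairs]
    providers = sorted({provider for _, provider in pairs})
    if len(providers) != 1:
        raise ValueError("assertion names several providers: %r" % providers)
    encoded = base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    request = {"IdentityId": identity_id, "Logins": {providers[0]: encoded}}
    if len(roles) == 1:
        if wanted_role not in (None, roles[0]):
            raise ValueError("assertion only offers %s" % roles[0])
    else:
        if wanted_role not in roles:
            raise ValueError("pick CustomRoleArn from %r" % roles)
        request["CustomRoleArn"] = wanted_role
    return request


if __name__ == "__main__":
    identity_id = "us-east-1:00000000-0000-0000-0000-000000000000"  # constructed
    req = build_credentials_request(
        SAMPLE_ASSERTION, identity_id,
        wanted_role="arn:aws:iam::123456789012:role/CognitoAdmin")
    print(req["CustomRoleArn"], list(req["Logins"]))
    # With boto3 this dict is what you would pass as
    # boto3.client("cognito-identity").get_credentials_for_identity(**req)
```

The CognitoCachingCredentialsProvider shown later in the article does the equivalent work for you on Android; the point of doing it by hand is to see that a custom role is never chosen by the client alone: it has to be one the IdP actually asserted, and a request naming a role outside that list is rejected here before it ever reaches Cognito.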

Authenticating Users with a SAML Identity Provider 

To federate with a SAML-based IdP, identify the login URL where users initiate authentication. AWS supports IdP-initiated login, such as in AD FS 2.0, which uses a URL like this:

https://<fqdn>/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices

After authenticating users with your SAML identity provider from your Android or iOS application, integrate the resulting SAML assertion with Amazon Cognito Identity APIs.

For example, in Android, populate the logins map with the SAML assertion:

import java.util.HashMap;
import java.util.Map;
import com.amazonaws.auth.CognitoCachingCredentialsProvider;

// Key: the ARN of the IAM SAML provider; value: the base64-encoded SAML response from the IdP
Map<String, String> logins = new HashMap<>();
logins.put("arn:aws:iam::<aws-account-id>:saml-provider/<name>", "<base64-encoded assertion response>");
// identityPoolId is the pool's ID string; region is the pool's Regions value
CognitoCachingCredentialsProvider credentialsProvider = new CognitoCachingCredentialsProvider(context, identityPoolId, region);
credentialsProvider.setLogins(logins);
// Only needed when the assertion lists several roles; the ARN must be one of them
credentialsProvider.setCustomRoleArn("arn:aws:iam::<aws-account-id>:role/customRoleName");
credentialsProvider.getCredentials(); // network call: invoke off the main thread

In iOS, provide the SAML assertion in AWSIdentityProviderManager:

// Methods of a class conforming to AWSIdentityProviderManager, which is passed to the credentials provider
- (AWSTask<NSDictionary<NSString *, NSString *> *> *)logins {
    // Key: the ARN of the IAM SAML provider; value: the base64-encoded SAML response from the IdP
    return [AWSTask taskWithResult:@{@"arn:aws:iam::<aws-account-id>:saml-provider/<name>": @"<base64-encoded assertion response>"}];
}
// Only needed when the assertion lists several roles; the ARN must be one of them
- (NSString *)customRoleArn {
    return @"arn:aws:iam::<aws-account-id>:role/customRoleName";
}

Amazon Cognito Limitations

When considering Cognito for SAML, it's important to be aware of the following limitations, reported by users on the G2 platform.

Complexity of Configuration and Setup

Setting up Amazon Cognito can be complex due to the numerous configuration options and steps involved. The process requires understanding various AWS services, such as Amazon IAM, and correctly mapping attributes for roles and permissions. This can be difficult without prior AWS experience.

Overwhelming Options and Configurations

Amazon Cognito offers numerous configurations and options, which can be overwhelming for users, especially when integrating multiple identity providers or managing diverse user groups. The options may require significant time to navigate effectively, presenting a steep learning curve for new users.

Token Expiration Management 

Token expiration management in Amazon Cognito can be challenging because it requires careful handling to ensure seamless user experience. Tokens issued by Cognito, such as ID tokens and access tokens, have a limited lifespan. 

Developers must implement mechanisms to refresh these tokens without disrupting ongoing sessions. This often involves using the refresh token provided during authentication to obtain new tokens before the current ones expire, ensuring uninterrupted access to resources. Proper management is essential for maintaining security and usability.
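The refresh-before-expiry pattern described above, as an added example that is not code from the article or from AWS: a small client-side session that reads the exp claim from the ID and access tokens, refreshes both when either is within a safety margin of expiring, and otherwise reuses them. The tokens are constructed stand-ins with a dummy signature (real Cognito tokens are RS256-signed JWTs), and the `refresh` callable is a hypothetical stand-in for the Cognito InitiateAuth call with AuthFlow REFRESH_TOKEN_AUTH.

```python
import base64
import json
import time


def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims):
    """Constructed stand-in for a Cognito JWT: header.payload.signature with a
    dummy signature. Real Cognito tokens are RS256-signed; only exp matters here."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + ".dummy-signature"


def token_expiry(token):
    """Read the exp claim (Unix seconds) without verifying the signature.
    The client uses this only to schedule a refresh; every resource server
    still verifies the signature and exp itself before trusting the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return int(json.loads(_b64url_decode(parts[1]))["exp"])


def needs_refresh(token, now, margin_seconds=60):
    """True when the token has already expired or will within margin_seconds."""
    return token_expiry(token) - now <= margin_seconds


class CognitoSession:
    """Keeps the ID, access and refresh tokens and renews the first two before
    they expire. `refresh` is a hypothetical callable standing in for
    InitiateAuth with AuthFlow REFRESH_TOKEN_AUTH: it takes the refresh token
    and returns {"IdToken": ..., "AccessToken": ...}. If it raises, the refresh
    token itself is no longer valid and the user has to sign in again."""

    def __init__(self, id_token, access_token, refresh_token, refresh, clock=time.time):
        self.id_token = id_token
        self.access_token = access_token
        self._refresh_token = refresh_token
        self._refresh = refresh
        self._clock = clock
        self.refresh_count = 0

    def tokens_for_request(self, margin_seconds=60):
        """Return (id_token, access_token), refreshing first if either is near expiry."""
        now = int(self._clock())
        if (needs_refresh(self.access_token, now, margin_seconds)
                or needs_refresh(self.id_token, now, margin_seconds)):
            fresh = self._refresh(self._refresh_token)
            self.id_token = fresh["IdToken"]
            self.access_token = fresh["AccessToken"]
            self.refresh_count += 1
        return self.id_token, self.access_token


if __name__ == "__main__":
    # Constructed demo: tokens expiring at t=1000, clock stepped by hand.
    now = [900]
    old = make_unsigned_token({"sub": "alice", "exp": 1000})
    renew = lambda rt: {"IdToken": make_unsigned_token({"exp": 2000}),
                        "AccessToken": make_unsigned_token({"exp": 2000})}
    session = CognitoSession(old, old, "constructed-refresh-token", renew, clock=lambda: now[0])
    session.tokens_for_request()      # 100 s left: no refresh
    now[0] = 960
    session.tokens_for_request()      # 40 s left, inside the 60 s margin: refreshed
    print("refreshes:", session.refresh_count)
```

The margin matters more than it looks: a request that leaves the client with a token that has 5 seconds left can still arrive at the API after it expired, so refreshing while there is slack left avoids a burst of 401s and retries. Reading exp without checking the signature is fine here only because nothing in this code grants access based on the claim; any server that does must verify the token fully.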

Cost for Advanced Features 

Advanced features in Amazon Cognito, such as multi-factor authentication (MFA), advanced security features, and fine-grained role-based access controls, can incur additional costs. This may lead to higher operational expenses when scaled across large user bases. It is crucial to evaluate these costs against the benefits they offer to ensure alignment with your budget and security requirements.

Limited Use Cases 

Cognito is not suited to various advanced use cases such as biometric authentication, email-based MFA and other MFA channels, as well as any use case requiring SCIM (System for Cross-domain Identity Management).

Customized flows for SSO and MFA are possible but require an additional layer on AWS services like Lambda. For example, it doesn’t support OTPs via email or biometric authentication for MFA. It is generally more suited to business-to-customer rather than business-to-business use cases, given the complexity of configuration.

Frontegg: The Ultimate Amazon Cognito Alternative

Frontegg is a cloud-based platform that provides an end-to-end user management solution for building and operating web and mobile applications. It aims to simplify the process of building and scaling SaaS applications by providing a set of pre-built and customizable building blocks that can be easily integrated in a self-served and user-friendly manner.

Frontegg provides the following features:

  • Authentication and authorization: Frontegg allows developers to authenticate and authorize users for their applications using various identity providers, such as email, Google, and Facebook.
  • Self-served SSO: Once you integrate Frontegg’s SSO solution, your customers can configure their SSO completely on their own.
  • MFA and passwordless: Frontegg provides the most advanced multi-factor authentication (MFA) and passwordless authentication with advanced security measures.
  • Role and permission management: Allows developers to create, read, update, and delete users, as well as retrieve information about the specific users.
  • Auditing and monitoring: Allows developers to track and log user activity and system events in their applications.
  • Data storage: Allows developers to easily store and retrieve data in their applications, including support for various data types, such as text, numbers, and files.
  • Notifications: Allows developers to send push notifications and email notifications to users in their applications.
