Connecting AWS Cognito IDP

Instructions on how to configure AWS Cognito as IDP

Purpose

Enable users to log in to ACP and applications with an AWS Cognito identity provider (IDP).

Prerequisites

You have a configured Cognito user pool.

Configure AWS Cognito

  1. Go to https://aws.amazon.com/cognito/ and select Sign In to the Console.

  2. From the top right corner, select the AWS region where your user pool is hosted, for example, US East (Ohio) us-east-2.

    Note

    You’ll need the region name to fill in the Register Cognito form in the ACP administrator portal when you get to Connect Cognito IDP in this instruction.

  3. Enter Cognito into the Find Services search field and open the Amazon Cognito portal.

  4. Select Manage User Pools and then the user pool that you want to connect.

    Result

    The detailed view for the selected pool gets displayed.

  5. From the left sidebar, select General settings to preview details on your pool, including the pool ID.

    Note

    You’ll need the pool ID to fill in the Register Cognito form in the ACP administrator portal when you get to Connect Cognito IDP in this instruction.

  6. From the left sidebar, go to App clients and select Add an app client from the App clients view.

    Tip

    If you already have clients, you can edit them or select Add another app client.

  7. To create your client:

    • Enter the client name.
    • Make sure that the Generate client secret option is enabled.
    • Select Create app client.

    Result

    Your new client is ready with its details available upon selecting Show Details.

  8. Select Show Details to identify the client secret and the client ID.

    Note

    You’ll need the client secret and the client ID to fill in the Register Cognito form in the ACP administrator portal when you get to Connect Cognito IDP in this instruction.

  9. Select Domain name from the sidebar.

  10. In the Domain name view, either set up an Amazon Cognito domain or use your own.

  11. From the sidebar, select App client settings and go to your new client.

  12. In App client settings for your new client:

    • Leave the Callback URL(s) field empty for now. You’ll be back here when you get to steps 8-9 of Connect Cognito IDP in this instruction.

    • In the Enabled Identity Providers section, enable Cognito User Pool.

    • In the OAuth 2.0 section

      • For Allowed OAuth Flows, select the authorization code grant.
      • For Allowed OAuth Scopes, select email, profile, and openid.

    Note

    You’ll need the scope names to fill in the Register Cognito form in the ACP administrator portal when you get to Connect Cognito IDP in this instruction.

    Keep this session open: do not close the App client settings view, because you’ll be back here as soon as you get to step 8 in Connect Cognito IDP.

Connect Cognito IDP

  1. Go to https://localhost:8443/app/default/admin/ for the administrator login page.

  2. Enter your login credentials.

  3. Select Log in.

    Result

    The administrator portal is displayed.

  4. Make sure you are in the Consumer workspace (selectable from the left sidebar), which displays a list of existing IDPs.

  5. Select ADD IDENTITIES to add a new connection.

    Result

    A pop-up dialog box opens and lists the available predefined IDP templates.

  6. Select the Cognito template and confirm your choice with Next.

    Result

    The Register Cognito fill-in form opens with fields for the details of your Cognito IDP.

  7. Copy the redirect URL provided in the Register Cognito fill-in form.

  8. Go back to the Amazon Cognito portal and open App client settings for your client (see step 12 in Configure AWS Cognito).

  9. Paste the copied redirect URL (from the ACP administrator portal) into the Callback URL(s) field for your client (in the Amazon Cognito portal) and select Save changes.

  10. Back in the Register Cognito fill-in form (the ACP administrator portal), provide all the required data for your new Cognito identity provider.

  11. Select Register.

    Result

    Your new Cognito IDP connection is configured and visible on the list of available IDP connections.

Enable the stateful authorization

This step is optional.

To have the user’s data cached in ACP and avoid re-authenticating within one user’s session, follow the instruction in Enable the stateful authZ in ACP.

User’s test

Purpose

Test your new IDP as a user.

Prerequisite

Your provider is configured as a user-authentication method by your administrator.

Test

  1. Go to https://localhost:8443/default/default/demo/ and select LOG IN TO DEMO APP.

  2. Select your configured IDP (if you have multiple ones) and then authenticate with the IDP.

Result

ACP displays the consent page that lists the data scopes to be shared with the application. When you proceed to the application (ALLOW ACCESS), the PII data coming from the IDP is delivered through the access token and the ID token generated by ACP.

Read more

For information on granting and managing ACP consents, see ACP OAuth consents.

Developer’s test

Purpose

Test your new IDP as a developer.

Prerequisite

Your provider is configured as a developer-authentication method by your administrator. To register your IDP for the developer, follow instructions in Connect Cognito IDP, this time selecting the Developer workspace in step 4.

Test

  1. Go to https://localhost:8443/app/default/developer/ to access the ACP developer portal.

  2. Log in to your account by entering your login credentials and selecting LOG IN.

Result

You are logged in to the ACP developer portal with the newly configured IDP.