6

G'day Everyone.

I have a web application running with AWS S3, RDS, Lambda and API Gateway, using an AWS Cognito user pool as the login service. This is working well so far. But now I would like to integrate it with Azure AD.

Does someone have good documentation about it? I can only find documentation for the other way round, or for integrating Azure AD into the AWS Console. The reason could be that this feature just went from beta to production a few weeks ago.

EnlightMe
  • It seems that I cannot integrate Azure AD directly into AWS Cognito. I can integrate a dedicated Active Directory server as a federated IdP, and this server can use Azure AD/Office 365 for single sign-on. – EnlightMe Oct 15 '17 at 18:58

2 Answers

7

The steps are quite long, but I've created a tutorial on setting this up. There is a current bug within the Azure AD web console that prevents changing the App ID to a URN, but it can be worked around by modifying the parameter with Azure AD PowerShell.

See the following blog post here:

https://www.idea11.com.au/how-to-set-up-aws-cognito-federation-office365/

Mike
  • I followed the tutorial but end up with the following error: `Error in SAML response processing: Invalid user attributes: email: The attribute is required` – Ivan Breet Mar 29 '18 at 08:25
  • Double-check that you have the email attribute allowed in OAuth Scopes and that the SAML attribute is filled out under Federation -> Attribute mapping. – Mike Mar 30 '18 at 06:56
  • @Mike I have followed the blog and was able to log in using Office 365, but data is not populating. I have checked the email attribute in OAuth Scopes, and still I am getting the following error: `Error in SAML response processing: Invalid user attributes: email: The attribute is required&error=server_error` – Ajinkya Feb 06 '19 at 12:57
  • I had the same. Adding an attribute mapping under Federation solved the problem for me. – Lqueryvg Apr 03 '20 at 12:36
  • I faced the same problem. The issue is that the person you are trying to sign in would not have added the email attribute in their profile. Add the E-mail attribute and retry signing in. It should work. – Srinivasan Sep 28 '21 at 05:25
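The comments above trace the "Invalid user attributes: email: The attribute is required" error to two causes: no attribute mapping for `email` under Federation, or an Azure AD user whose profile carries no mail address, so the assertion has no claim to map. The following added example (not from the original answers or the linked tutorial) decodes a SAMLResponse offline and reports which required Cognito attributes cannot be filled from it; it assumes the Azure AD `emailaddress` claim URI is the one mapped to `email`, and the SAML messages are constructed, unsigned test data.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim Azure AD uses for the mail address (assumed to be the one mapped to Cognito "email").
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
REQUIRED_ATTRS = {"email"}  # attributes marked required in the user pool (per the error text)


def saml_attributes(saml_response_b64: str) -> dict:
    """Decode a base64 SAMLResponse and return {claim name: [values]} from its assertion."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return attrs


def missing_required(attrs: dict, mapping: dict) -> list:
    """Required Cognito attributes that cannot be filled: no mapping, or the mapped claim is
    absent or empty in the assertion. mapping is {cognito attribute: SAML claim name}."""
    missing = []
    for cognito_attr in sorted(REQUIRED_ATTRS):
        claim = mapping.get(cognito_attr)
        values = attrs.get(claim, []) if claim else []
        if not any(v.strip() for v in values):
            missing.append(cognito_attr)
    return missing


def build_response(claims: dict) -> str:
    """Constructed, unsigned SAMLResponse for offline testing; not a real IdP message."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in claims.items()
    )
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


MAPPING = {"email": EMAIL_CLAIM}  # the Federation -> Attribute mapping entry
NO_MAIL = build_response({UPN_CLAIM: "jane@example.com"})  # constructed: profile has no mail address
WITH_MAIL = build_response({EMAIL_CLAIM: "jane@example.com"})  # constructed: mail address present

if __name__ == "__main__":
    for label, resp in (("no mail claim", NO_MAIL), ("mail claim present", WITH_MAIL)):
        print(label, "->", missing_required(saml_attributes(resp), MAPPING) or "ok")
```

Run it against a real SAMLResponse captured from the browser (the base64 form-post value) with the mapping you configured in Cognito; an empty result means the assertion satisfies every required attribute.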
2

I ran into some trouble while logging in via personal Live/Hotmail accounts using SAML; it turns out there's no proper support for that yet, so try OIDC.

Follow: https://www.terminalbytes.com/azure-ad-integration-as-an-idp-with-aws-cognito/