
According to https://docs.aws.amazon.com/cognito/latest/developerguide/saml-identity-provider.html#role-customization-saml it should be possible to let gsuite, as a SAML provider, pass through a role ARN via an attribute to a Cognito setup.

But it does not really specify how. I added the attribute https://docs.aws.amazon.com/cognito/latest/developerguide/saml-identity-provider.html#role-customization-saml on gsuite, but obviously that alone does not work.

lifeofguenter
  • Either your attribute format is incorrect or your attribute is NOT registered at Cognito. I have updated my answer to add two new potential root causes of the issue into Quick Response for [Why is Cognito rejecting my SAML assertion?](https://stackoverflow.com/questions/56531517/why-is-cognito-rejecting-my-saml-assertion/56532177#56532177), that is, (2) Attributes do NOT meet the format required by Cognito (an example is provided). (3) Attribute values are NOT registered at Cognito through the ADMIN console of Amazon AWS (see (II) Important Remarks on Role). – winstonhong Sep 05 '19 at 14:16
  • I don't want to login to AWS via SAML, that works via gsuite like a breeze (including passing through roles). I want to login via SAML (gsuite) to cognito (while assuming the role I provide from gsuite attribute) to AWS Elasticsearch. This seems to work differently than what you described. – lifeofguenter Sep 05 '19 at 18:13
  • I have updated my answer in (II) to provide the official link of configuring Amazon AWS with Google G Suite to describe SAML IdP configuration steps (performed through AWS administration console). [Cognito Configuring Your Identity Pool for a SAML Provider](https://docs.aws.amazon.com/cognito/latest/developerguide/saml-identity-provider.html#configure-identity-pool-saml-provider) states that Before configuring your identity pool to support a SAML provider, you must first configure the SAML identity provider in the IAM console. For more information, – winstonhong Sep 05 '19 at 21:47
  • Thanks @winstonhong so much for your effort, but I think you are still mixing up things. I am not trying to get gsuite (SAML) + ARN passthrough to work with the AWS console (e.g. IAM federation) - that is already working for us. I am trying to get gsuite (SAML) + ARN passthrough to work with Cognito AND an AWS service (Elasticsearch). – lifeofguenter Sep 06 '19 at 06:19
  • I have updated answer to add Remarks in Quick Response, that is, [How to enable secure access to Kibana using AWS Single Sign-On](https://aws.amazon.com/blogs/security/how-to-enable-secure-access-to-kibana-using-aws-single-sign-on/) describes how to utilize AWS SSO to access Kibana (Amazon Elasticsearch Service, an AWS internal service). – winstonhong Sep 06 '19 at 21:56
  • [Adding SAML Identity Providers to a User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html) states that Audience URI/SP Entity ID of User Pool (**NOT** Identity Pool) is urn:amazon:cognito:sp:your-User-Pool-ID. I have updated my answer to add the above link. – winstonhong Oct 01 '19 at 18:51
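An added check, not code from the question or its comments, for the attribute format the linked role-customization docs describe: Cognito reads the attribute named `https://aws.amazon.com/SAML/Attributes/Role` whose value is `role-arn,saml-provider-arn`. The sample assertion, the ARNs and the set of allowed roles below are constructed placeholders; the allowed-role comparison assumes you know which roles the identity pool is configured to accept.

```python
# Added example: validate the Role attribute of a SAML assertion before
# expecting Cognito to honour it. Sample assertion and ARNs are constructed.
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
# Cognito expects "<role-arn>,<saml-provider-arn>", both in the same account.
ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

# Constructed sample of the attribute statement the IdP would emit.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ESReader,arn:aws:iam::123456789012:saml-provider/GSuite</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def role_attribute_values(assertion_xml):
    """Return every value of the Cognito Role attribute found in the assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == ROLE_ATTR:
            for v in attr.findall("saml:AttributeValue", SAML_NS):
                if v.text:
                    values.append(v.text.strip())
    return values


def check_role_value(value, allowed_roles):
    """Return (ok, reason). allowed_roles: role ARNs the identity pool accepts (assumed)."""
    parts = value.split(",")
    if len(parts) != 2:
        return False, "expected exactly one comma separating role ARN and provider ARN"
    role_arn, provider_arn = (p.strip() for p in parts)
    r = ROLE_RE.match(role_arn)
    p = PROVIDER_RE.match(provider_arn)
    if not r:
        return False, f"malformed role ARN: {role_arn}"
    if not p:
        return False, f"malformed SAML provider ARN: {provider_arn}"
    if r.group(1) != p.group(1):
        return False, "role and SAML provider must be in the same AWS account"
    if role_arn not in allowed_roles:
        return False, f"role not registered for the identity pool: {role_arn}"
    return True, "ok"
```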
