Amazon Cognito is almost an integral part of any AWS cloud architecture, and its integration with several other AWS services is very good. But many enterprise companies maintain their user identities in Azure AD.
In this blog post I explain how you can use Azure AD B2C as the identity provider for Amazon Cognito. This requires several steps, so it is written as a step-by-step guide.
Configure Amazon Cognito Hosted UI
With Amazon Cognito you can provision a hosted UI for authentication. The hosted UI is the foundation for other features, such as the ability to sign in directly to your user pool through OpenID Connect (OIDC) and SAML identity providers.
Create an app client
- Select an existing user pool or create a new one
- Go to General settings -> App clients -> Add an app client
- Give your app client a name
- Deselect the option Generate client secret
- Create the app client and note the App client ID
📖 Documentation: Using the Hosted UI
Configure the hosted UI domain name
- Go to App integration -> Domain name
- Enter an available domain prefix and make a note of the complete address
📖 Documentation: Configuring a Domain
App Registration with Azure AD B2C
Next we have to switch to the Azure Portal to register a new web application in Azure Active Directory B2C.
- Go to Manage -> App registrations and create a New registration
- Give your app a name
- Choose a supported account type
- Enter your Amazon Cognito hosted UI domain name and append /oauth2/idpresponse. For example: https://domain-prefix.auth.eu-central-1.amazoncognito.com/oauth2/idpresponse
- Go to Manage -> Certificates & secrets
- Create a New client secret, choose Expires: Never and make a note of the secret value
- Switch to the Overview and make a note of the Application (client) ID and the Directory (tenant) ID
📖 Documentation: Register an application
Add an OpenID Connect Identity Provider to a User Pool
Back to Amazon Cognito. In this step I add an OIDC identity provider to the user pool and create the attribute mapping. For this we need the notes from the previous steps.
Add an Identity Provider
- Go to Federation -> Identity providers and choose OpenID Connect
Name | Value |
---|---|
Provider name | A name of your choice |
Client ID | Azure AD Application (client) ID |
Client secret | Azure AD client secret |
Attributes request method | GET |
Authorize scope | profile email openid |
Issuer | https://login.microsoftonline.com/DIRECTORY-TENANT-ID/v2.0 (replace DIRECTORY-TENANT-ID with the Azure AD Directory (tenant) ID) |
📖 Documentation: Adding OIDC Providers
OIDC Attribute mapping
- Go to Federation -> Attribute mapping
- Choose OIDC and select your identity provider
- Create a mapping between the OIDC attribute and the User pool attribute
OIDC attribute | User pool attribute |
---|---|
name | Name |
username | Preferred User Name |
sub | Username |
📖 Documentation: Specifying Attribute Mappings
Configure the app client
- Go to App integration -> App client settings
- Select your identity provider as one of the Enabled Identity Providers
- Enter a callback URL for the authorization server to redirect to after users are authenticated
- Enter a sign out URL
- Select Authorization code grant
- Select the email, openid, and aws.cognito.signin.user.admin check boxes for the Allowed OAuth scopes
📖 Documentation: Add an App to Enable the Hosted Web UI
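The same Cognito-side configuration can be applied with boto3 instead of the console. The following is an added example, not code from the original post: it turns the values noted during the walkthrough (Directory (tenant) ID, Application (client) ID and secret, hosted UI domain prefix) into the CreateIdentityProvider and UpdateUserPoolClient requests, checks them before they are sent, and takes the cognito-idp client as a parameter so a recording stand-in can exercise it without AWS access. The provider name "AzureAD", the callback and sign-out URLs and the user pool and app client IDs are placeholders.

```python
"""Apply the post's Cognito-side settings with boto3.

Added example, not code from the original post. Assumed inputs are the values
noted during the walkthrough: the Azure Directory (tenant) ID, the Application
(client) ID and secret, and the hosted UI domain prefix. The cognito-idp client
is passed in, so the RecordingClient below can exercise the builders offline.
"""
from urllib.parse import urlparse

# Attribute mapping from the post: user pool attribute -> OIDC claim.
ATTRIBUTE_MAPPING = {
    "name": "name",                    # Name
    "preferred_username": "username",  # Preferred User Name
    "username": "sub",                 # Username: the IdP's stable subject identifier
}
ALLOWED_OAUTH_SCOPES = ["email", "openid", "aws.cognito.signin.user.admin"]


def hosted_ui_redirect_uri(domain_prefix: str, region: str) -> str:
    """Redirect URI to register in Azure: hosted UI domain plus /oauth2/idpresponse."""
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com/oauth2/idpresponse"


def azure_issuer(tenant_id: str) -> str:
    """Azure AD v2.0 issuer; Cognito resolves /.well-known/openid-configuration from it."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def check_provider(request: dict) -> None:
    """Reject settings that would leave the federation weaker than intended."""
    details = request["ProviderDetails"]
    if urlparse(details["oidc_issuer"]).scheme != "https":
        raise ValueError("issuer must be https")
    if "openid" not in details["authorize_scopes"].split():
        raise ValueError("authorize_scopes must include openid")
    if request["AttributeMapping"].get("username") != "sub":
        raise ValueError("map the stable 'sub' claim to username, not a mutable claim")
    if not details["client_secret"]:
        raise ValueError("client_secret must not be empty")


def build_oidc_provider(provider_name: str, tenant_id: str,
                        client_id: str, client_secret: str) -> dict:
    """Keyword arguments for CreateIdentityProvider, mirroring the post's table."""
    request = {
        "ProviderName": provider_name,
        "ProviderType": "OIDC",
        "ProviderDetails": {
            "client_id": client_id,
            "client_secret": client_secret,
            "attributes_request_method": "GET",
            "authorize_scopes": "profile email openid",
            "oidc_issuer": azure_issuer(tenant_id),
        },
        "AttributeMapping": dict(ATTRIBUTE_MAPPING),
    }
    check_provider(request)
    return request


def build_app_client_settings(provider_name: str, callback_url: str, logout_url: str) -> dict:
    """Keyword arguments for UpdateUserPoolClient: enabled IdP, code grant, scopes."""
    for url in (callback_url, logout_url):
        parsed = urlparse(url)
        # Cognito only accepts https here, apart from http://localhost for development.
        if parsed.scheme != "https" and not (parsed.scheme == "http" and parsed.hostname == "localhost"):
            raise ValueError(f"callback and sign-out URLs must be https: {url}")
    return {
        "SupportedIdentityProviders": [provider_name],
        "CallbackURLs": [callback_url],
        "LogoutURLs": [logout_url],
        "AllowedOAuthFlows": ["code"],
        "AllowedOAuthScopes": list(ALLOWED_OAUTH_SCOPES),
        "AllowedOAuthFlowsUserPoolClient": True,
    }


def federate(cognito, user_pool_id: str, app_client_id: str,
             provider: dict, app_client: dict) -> dict:
    """Create the OIDC provider, then enable it on the app client; returns the create response."""
    created = cognito.create_identity_provider(UserPoolId=user_pool_id, **provider)
    cognito.update_user_pool_client(UserPoolId=user_pool_id, ClientId=app_client_id, **app_client)
    return created


class RecordingClient:
    """Stand-in for boto3.client("cognito-idp") that records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def create_identity_provider(self, **kwargs):
        self.calls.append(("create_identity_provider", kwargs))
        return {"IdentityProvider": {"ProviderName": kwargs["ProviderName"]}}

    def update_user_pool_client(self, **kwargs):
        self.calls.append(("update_user_pool_client", kwargs))
        return {}


if __name__ == "__main__":
    # Placeholder values; use boto3.client("cognito-idp", region_name="eu-central-1") for a real run.
    provider = build_oidc_provider("AzureAD", "DIRECTORY-TENANT-ID", "APPLICATION-CLIENT-ID", "CLIENT-SECRET")
    settings = build_app_client_settings("AzureAD", "https://app.example.com/callback",
                                         "https://app.example.com/logout")
    print("Register in Azure:", hosted_ui_redirect_uri("domain-prefix", "eu-central-1"))
    client = RecordingClient()
    print(federate(client, "eu-central-1_EXAMPLE", "APP-CLIENT-ID", provider, settings))
```

The checks in check_provider codify what the console does not enforce: the subject claim is the only stable identifier to key the Cognito username on, and dropping openid from the authorize scope silently turns the flow into plain OAuth without an ID token.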
If you have any kind of feedback, suggestions or ideas, feel free to comment on this post!
Top comments (8)
Hi Daniel, great article. It helped. A question for you as we are facing an issue. We have custom policies in B2C which renders the signup page. When we are using issuers as login.microsoftonline.com/DIRECTOR... Replace the DIRECTORY-TENANT-ID, the redirection takes to the AD login screen and NOT the B2C policy. Do you know how to tell AWS Cognito to redirect to the B2C login page? (Not AD)
Hi @virenderabbott1 ,
I was struggling with the same issue. The issuer-url 'login.microsoftonline.com' always ends up in the AAD UI and not to AAD B2C UI (which we want to customize in our case).
After some exhausting hours and with the great help of AWS Support we were able to find a solution. B2C works with its predefined "User Flows". These flows are nice and easy to set up, but do not provide all the endpoints you need with OIDC. And this is why you are forced to create custom policies in B2C.
You can follow these steps from the official documentation:
Create custom policies: docs.microsoft.com/en-us/azure/act...
Create the userinfo endpoint: docs.microsoft.com/en-us/azure/act...
Configure Cognito: Besides the issuer URL you also have to provide the four OIDC endpoints: Authorization, Token, JWKS and Userinfo. All of these required endpoints can be found under YOURTENANT.b2clogin.com/YOURTENANT.... As you can see, the URLs do not contain 'microsoftonline.com' anymore and end up on b2clogin.com instead. You also have to add 'offline_access' to the authorize scope in Cognito (see: docs.microsoft.com/en-us/azure/act...)
If you want to use custom UI templates you can follow these instructions: docs.microsoft.com/en-us/azure/act...
This guy here is a life saver, @marcostreng. Follow the steps mentioned above and make sure you add some more things.
1) Add the Application (client) ID of the web app that you created in Azure AD B2C to the authorization scope of the OIDC config in AWS Cognito
2) In the attribute mapping in AWS Cognito add signInNames.emailAddress and map it to the Email attribute of the user pool
3) The issuer URL should be in the following format: tenant-name.b2clogin.com/tenant-id...
And when you hit "Run discovery" it will fail and you will get the option to add the OIDC endpoints, which you get from the URL that @marcostreng mentioned (tenant-name.b2clogin.com/tenant-na...).
Once you add all the corresponding endpoints, create the provider or update the provider and that's it, it will work like a charm.
Once again a big thanks to @marcostreng for helping me solve this.
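The two comments above describe the B2C custom-policy variant: the discovery document on b2clogin.com supplies the four endpoints that Cognito asks for when it cannot derive them from the issuer, and built-in user flows lack the userinfo endpoint. The following is an added example, not code from either commenter: it reads a discovery document, refuses one that is missing an endpoint or whose endpoints are not on b2clogin.com, and emits the ProviderDetails (authorize_url, token_url, jwks_uri, attributes_url) and the signInNames.emailAddress mapping for CreateIdentityProvider. SAMPLE_DISCOVERY is a constructed document with placeholder tenant and policy names (TENANT, TENANT-ID, B2C_1A_SIGNUP_SIGNIN); only its shape follows the b2clogin.com URLs described in the comments.

```python
"""Turn a B2C custom-policy discovery document into Cognito OIDC provider details.

Added example, not code from the comments above. SAMPLE_DISCOVERY is a
constructed document with placeholder tenant and policy names; only its shape
follows the b2clogin.com URLs the comments describe.
"""
import json
from urllib.parse import urlparse

# Discovery document key -> Cognito ProviderDetails key for an OIDC provider.
ENDPOINT_KEYS = {
    "authorization_endpoint": "authorize_url",
    "token_endpoint": "token_url",
    "jwks_uri": "jwks_uri",
    "userinfo_endpoint": "attributes_url",
}

# Per the comments: B2C delivers the e-mail in signInNames.emailAddress, not in email.
B2C_ATTRIBUTE_MAPPING = {
    "email": "signInNames.emailAddress",
    "username": "sub",
}

# Constructed sample; TENANT, TENANT-ID and B2C_1A_SIGNUP_SIGNIN are placeholders.
_B2C = "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/B2C_1A_SIGNUP_SIGNIN"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://TENANT.b2clogin.com/TENANT-ID/v2.0/",
    "authorization_endpoint": f"{_B2C}/oauth2/v2.0/authorize",
    "token_endpoint": f"{_B2C}/oauth2/v2.0/token",
    "jwks_uri": f"{_B2C}/discovery/v2.0/keys",
    "userinfo_endpoint": f"{_B2C}/openidconnect/v2.0/userinfo",
})


def provider_details_from_discovery(discovery_json: str, client_id: str, client_secret: str,
                                    host_suffix: str = ".b2clogin.com") -> dict:
    """Build ProviderDetails for CreateIdentityProvider from a discovery document.

    Fails loudly in the two cases the comments hit: an endpoint is missing
    (built-in user flows publish no userinfo endpoint) or the endpoints are
    not on the expected host (a login.microsoftonline.com issuer sends users
    to the plain Azure AD UI instead of the B2C policy).
    """
    doc = json.loads(discovery_json)
    missing = [key for key in ("issuer", *ENDPOINT_KEYS) if key not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}; a custom policy is required")
    for key in ("issuer", *ENDPOINT_KEYS):
        parsed = urlparse(doc[key])
        host = parsed.hostname or ""
        if parsed.scheme != "https" or not host.endswith(host_suffix):
            raise ValueError(f"{key} is not an https endpoint on {host_suffix}: {doc[key]}")
    # offline_access and the app's own client ID in the scope, as the comments describe.
    scopes = ["openid", "profile", "email", "offline_access", client_id]
    details = {
        "client_id": client_id,
        "client_secret": client_secret,
        "attributes_request_method": "GET",
        "oidc_issuer": doc["issuer"],
        "authorize_scopes": " ".join(scopes),
    }
    details.update({cognito_key: doc[key] for key, cognito_key in ENDPOINT_KEYS.items()})
    return details


def create_provider_request(provider_name: str, discovery_json: str,
                            client_id: str, client_secret: str) -> dict:
    """Complete kwargs for cognito-idp create_identity_provider (ProviderType OIDC)."""
    return {
        "ProviderName": provider_name,
        "ProviderType": "OIDC",
        "ProviderDetails": provider_details_from_discovery(discovery_json, client_id, client_secret),
        "AttributeMapping": dict(B2C_ATTRIBUTE_MAPPING),
    }


if __name__ == "__main__":
    request = create_provider_request("AzureB2C", SAMPLE_DISCOVERY,
                                      "APPLICATION-CLIENT-ID", "CLIENT-SECRET")
    print(json.dumps(request, indent=2))
```

For a real tenant, fetch the policy's discovery document over HTTPS and pass its body in place of SAMPLE_DISCOVERY; the host check keeps a copied-over login.microsoftonline.com issuer from reaching Cognito, which is exactly the misconfiguration the first comment ran into.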
Hi Virender,
thank you for your feedback.
Please have a look at this: docs.microsoft.com/en-us/azure/act.... If it works, I would be glad about feedback.
Hi Daniel, thanks for your article.
I am having this response: localhost:8000/callback/?error_des...
Could you help me with this??
Thanks
I tried your setting today, but I have a validation error on the Cognito OpenID form like this screenshot.
Can you tell me how to solve this?
Thanks in advance
Hi Cecep, which screenshot are you referring to?
Thanks for this - it saved me a lot of bother getting confused with all the various docs!