Introduction
AWS Cognito is one of the most widely used Identity Providers. There are scenarios where a customer who uses AWS Cognito wants to set up federation between Cognito and AzureAD. For example: as an organization, I can build a product that is integrated with AWS Cognito using OIDC. If a customer of my product wants their employees or contractors to log in using their own Identity Provider, such as Okta or AzureAD, I can set up a federation between AWS Cognito and Okta, AzureAD, etc. to allow those employees or contractors to access my product.
In this blog, we are going to see how to set up the federation between AWS Cognito and AzureAD using the OIDC protocol. The steps for configuring this integration are posted in a YouTube video.
If you are using SAML federation between AWS Cognito and AzureAD, please follow the blog below:
- User opens a browser and types the client app URL
- The browser displays the client app website. Depending on how the client app is designed, it might automatically initiate an authentication flow with AWS Cognito, or display the home page where the user clicks a login button to initiate the authentication. This diagram shows the first option, where the client app automatically initiates the OIDC flow with AWS Cognito by redirecting the user to Cognito's /authorize URL.
- AWS Cognito receives the request from the client app and either displays a login page with a button to initiate the OIDC federation, or automatically initiates the OIDC federation with AzureAD by redirecting the user to AzureAD's /authorize URL.
- AzureAD will display the login page to the user.
- User will enter the AzureAD credentials.
- AzureAD will validate the credentials and proceed to the next step if they are valid.
- AzureAD will return an authorization code to AWS Cognito (via the browser redirect).
- AWS Cognito will make a backend API call to the AzureAD token endpoint to exchange the code for the ID and Access tokens.
- AzureAD will return the ID and Access tokens.
- Cognito will make a backend API call to AzureAD userinfo endpoint to get the user details.
- AzureAD will return the user info details, such as givenname, lastname, name and email.
- Cognito will create a user profile in the local user pool for this AzureAD user if it doesn’t exist.
- Cognito will redirect back to Client app with an authorization code.
- The client app will make a backend API call to Cognito's token endpoint to exchange the code for the ID and Access tokens.
- AWS Cognito will return the ID and Access tokens.
- The client app will validate the ID token (signature, issuer, audience, expiry), check that it is a valid user, and return the web page to the browser.
How to configure AWS Cognito — AzureAD OIDC integration
Please follow this video for the step-by-step instructions
Key points to note
- When a user logs in for the first time, AWS Cognito will create a profile for that user in the local user pool. The tokens that Cognito generates are based on the attribute values of that Cognito user profile, not directly on what AzureAD returned.
- Make sure all the attributes are mapped properly in the Cognito attribute mapping configuration. If not, Cognito will either return an error or leave the value missing from the ID token.
- Make sure the correct redirect URL is configured in AzureAD. Refer to this documentation for more details.
- Don't forget to generate an OIDC client secret in AzureAD. Refer to this documentation for more details.
- The AzureAD OIDC well-known configuration URL is https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration. Refer to this documentation for more details.
Thanks for reading this article. Please subscribe to the YouTube channel below and follow me on Medium to learn about security and IAM.