AWS Cognito is one of the most widely used Identity Provider. There are scenarios where a customer who uses AWS Cognito wants to setup SAML federation between Cognito and Keycloak. For ex: As an organization, I can build a product which is integrated with AWS Cognito using OIDC. If a customer of my product wants their employees or contractors to login using their own Identity Provider like Keycloak, Okta, AzureAD etc., I can setup a federation between AWS Cognito and Keycloak, Okta, AzureAD etc. to allow those employees or contractors to access my product.
In this blog, we are going to see how to setup the federation between AWS Cognito and Keycloak using SAML protocol. The steps for configuring this integration is posted in a YouTube video.
Keycloak is a open source IAM product.
If you are planning to use OIDC federation instead of SAML, please read this blog:
- User opens a browser and types the client app URL
- Browser displays the client app website. Depending on how the client app is designed, it might automatically initiate an Authentication flow with AWS Cognito or display the home page where users should click the login button to initiate the Authentication. This diagram shows the first option where the client app automatically initiates the OIDC flow with AWS Cognito by redirecting the user to /authorize URL.
- AWS Cognito receives the request from client app and either displays the login page with a button to initiate the SAML federation or automatically initiate the SAML federation with Keycloak by sending a SAML AuthnRequest to SAML Sign-On URL.
- Keycloak will display the login page to the user.
- User will enter the Keycloak credetials.
- Keycloak will validate the credentials and proceed to next step if it is valid.
- Keycloak will return a SAML Response back to AWS Cognito.
- AWS Cognito will verify the SAML Assertion, create a user profile in the local user pool for this Keycloak user if it doesn’t exist.
- AWS Cognito will redirect back to Client app with an authorization code.
- Client app will make a backend API call to Cognito’s token endpoint to get the ID and Access tokens
- AWS Cognito will return and ID and Access tokens
- Client app will validate the ID token, check if it is a valid user and return the web page to the browser
How to configure AWS Cognito — Keycloak SAML integration
Please follow this video for the step-by-step instructions
Key points to note
- When a user logs in for the first time, AWS Cognito will create a profile for that user in the local user pool. The tokens that are generated by Cognito will be based on the attribute values of Cognito user profile
- You can follow this guide for configuring Cognito as a SAML SP in Keycloak
- Client ID in Keycloak should match with the Cognito SAML SP issuer value. Refer this guide for Cognito SAML issuer value format.
urn:amazon:cognito:sp:<yourUserPoolID>- Cognito SAML ACS URL should be configured as redirect URI
https://Your user pool domain/saml2/idpresponse- Create a client scope and configure it in mapper. Refer the YouTube video for more details.
Thanks for reading this article. Please subscribe to the below YouTube channel and follow me in medium to learn about security and IAM.
