You absolute hero, I had an issue with my mappings that the AWS documentation had incorrectly told me to follow. Your advice has fixed this for me, brilliant video well done and thank you!
Cognito groups are already available in Access Token in "cognito:groups" claim. Refer this documentation for more details docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html
Refer support.okta.com/help/s/article/How-to-pass-a-user-s-group-membership-in-a-SAML-Assertion-from-Okta?language=en_US. I have not tried this. You can map the Okta SAML attribute that has group details to a custom attribute in Cognito user profile. This custom attribute will get added as a claim in the ID token, but not access token.
I have an use case where we want to use Cognito with OKTA using SAML. Since our application needs to have ROLES/SCOPES where we control who can access what, is it possible to configure this in Okta (something like roles/permissions/custom attributes?) and they are passed to Cognito and be as part of the token? Great video! Keep up the good work!
I am sure there should be some way to pass the Okta roles in a SAML attribute and then map that to a custom Cognito userpool attribute. This custom attribute can be added in the Cognito's ID token.
@@securityinaction1018 I managed to do that just now, added "groups" attribute and included all the groups the user belongs to, and after that i am mapping it to custom Cognito User Pool attribute and that appears in the ID token. Is it possible for somehow to appear in the access token? Because i will have to use ID tokens to do my Authentication/Authorization, which "apparently" is not a good practice based on some people on the internet
@@AleksandarT10 Can you provide me the steps on how we can show okta groups in ID token. I'm not able to see it in the ID token. I have created a group in okta and assigned the user as well. In cognito I created the custom user attribute custom:appgroups and mapped it to okta group name admingroup. But still the group is not showing up
I refreshed as Users have not got created, reaching out to you for your guidance. One more point, it created a group with UserPool Id_Okta Domain name without any user. @@securityinaction1018
That's surprising. Are you getting an ID token ? If so, a user profile should be present. But, I am not sure why it is not showing up even after refreshing. May be you can try opening the console in different browsers or incognito window.
After redirecting with JWT token How can I decrypt the token in Javascript. Which npm package should be use and for decryption from where I can get the keys??
Hi Dipak, refer this documentation for more details docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-aws-jwt-verify. It has all the details that you asked.
@@securityinaction1018 As per video we don't set federation by clicking seperate link 'Federated Identities' in aws cognito service. Now I'm using 'aws-amplify' package where 'federatedSignIn' method required identity_id e.g. eu-north-1:8e2f0d8e-3014-41da-977b-7c7e28fba44a . How can I provide this ID by creating new federation it shows error 'unknown federation id'
I have not used amplify library. If you can point out to the exact documentation, I can take a look and let you know. Also, can you explain the requirement? Do you want to bypass the Cognito login page and redirect to the external IdP login page?
If I understand the question correctly, you want to authenticate both okta and cognito pool users using the same login form. If so, that is not possible because Okta profiles are stored within Okta user data store and similarly, Cognito users in Cognito's user data store. Federation is the best way to handle this.
Hi , This is very informative video , could you help me with add keycloak as SAML Identity Provider in aws cognito if you have any reference or setup guide.
Please subscribe to this channel for regular updates ua-cam.com/channels/EEayyyCrJO94FYlzF0NLTg.html
Thank You for the support.
You absolute hero, I had an issue with my mappings that the AWS documentation had incorrectly told me to follow. Your advice has fixed this for me, brilliant video well done and thank you!
Glad it helped!
Thank you for this really clear walk through. Much appreciated.
Glad it was helpful!
Please like, subscribe & share!! Thanks in advance.
How do I buy you a drink man? Your videos are great! Right on!
Any time! 🙂
Great tutorial! Thanks a lot!
Glad it was helpful!
Very helpful and Informative.
Glad it was helpful!
how can we generate access token with okta or cognito groups in the access token
Cognito groups are already available in Access Token in "cognito:groups" claim. Refer this documentation for more details docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html
@@securityinaction1018 I need to get the groups from okta, how to get the groups from okta within the access and ID token.
Refer support.okta.com/help/s/article/How-to-pass-a-user-s-group-membership-in-a-SAML-Assertion-from-Okta?language=en_US. I have not tried this.
You can map the Okta SAML attribute that has group details to a custom attribute in Cognito user profile. This custom attribute will get added as a claim in the ID token, but not access token.
Hi, Can you make a video with Authorization code grant flow instead of implicit grant flow and how we can use it in our application
Please refer this video which talks about authorization code grant flow using Okta ua-cam.com/video/q56Io39l3qg/v-deo.html
I have an use case where we want to use Cognito with OKTA using SAML.
Since our application needs to have ROLES/SCOPES where we control who can access what, is it possible to configure this in Okta (something like roles/permissions/custom attributes?) and they are passed to Cognito and be as part of the token?
Great video! Keep up the good work!
I am sure there should be some way to pass the Okta roles in a SAML attribute and then map that to a custom Cognito userpool attribute. This custom attribute can be added in the Cognito's ID token.
@@securityinaction1018 I managed to do that just now, added "groups" attribute and included all the groups the user belongs to, and after that i am mapping it to custom Cognito User Pool attribute and that appears in the ID token. Is it possible for somehow to appear in the access token? Because i will have to use ID tokens to do my Authentication/Authorization, which "apparently" is not a good practice based on some people on the internet
I don't think that is possible at this point of time unless those groups are present in Cognito and users are added to those cognito groups.
@@AleksandarT10 Can you provide me the steps on how we can show okta groups in ID token. I'm not able to see it in the ID token. I have created a group in okta and assigned the user as well. In cognito I created the custom user attribute custom:appgroups and mapped it to okta group name admingroup. But still the group is not showing up
You save my day :)
Glad it helped :)
The video is excellent. It worked for authentication but the User was not got created automatically in the user pool. Can you please guide?
Please check the users tab in the Cognito user pool. If it doesn't show up, refresh the page.
I refreshed as Users have not got created, reaching out to you for your guidance. One more point, it created a group with UserPool Id_Okta Domain name without any user. @@securityinaction1018
That's surprising. Are you getting an ID token ? If so, a user profile should be present. But, I am not sure why it is not showing up even after refreshing. May be you can try opening the console in different browsers or incognito window.
After redirecting with JWT token How can I decrypt the token in Javascript. Which npm package should be use and for decryption from where I can get the keys??
Hi Dipak, refer this documentation for more details docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-aws-jwt-verify.
It has all the details that you asked.
@@securityinaction1018 As per video we don't set federation by clicking seperate link 'Federated Identities' in aws cognito service. Now I'm using 'aws-amplify' package where 'federatedSignIn' method required identity_id e.g. eu-north-1:8e2f0d8e-3014-41da-977b-7c7e28fba44a
. How can I provide this ID by creating new federation it shows error 'unknown federation id'
I have not used amplify library. If you can point out to the exact documentation, I can take a look and let you know. Also, can you explain the requirement? Do you want to bypass the Cognito login page and redirect to the external IdP login page?
very useful thanks
Glad it was helpful!
Can we get access for okta and cognito pool both users by same email & password form??
If I understand the question correctly, you want to authenticate both okta and cognito pool users using the same login form. If so, that is not possible because Okta profiles are stored within Okta user data store and similarly, Cognito users in Cognito's user data store. Federation is the best way to handle this.
Hi , This is very informative video , could you help me with add keycloak as SAML Identity Provider in aws cognito if you have any reference or setup guide.
I will check keycloak and publish a video in future
I added a new video on how to configure Keycloak as SAML IdP in Cognito. ua-cam.com/video/EFT-3TGLhZw/v-deo.html