AWS Cognito OIDC
Follow these steps to add AWS Cognito as the OIDC SSO provider for your workspace:
- Open Buddy SSO settings in one browser tab and switch to OpenID Connect → AWS.
- In another tab, sign in to the Amazon Cognito console.
- Click Create user pool, select the provider type, and define your sign-in options.
- Click Next and configure password policy, MFA, and account recovery method according to the requirements of your company.
- Proceed to the next step to configure the sign-up details. Here you define how users register in Cognito.
- Proceed to the next step and configure Cognito's message delivery settings.
Click Next to proceed to the app integration step:
- Enter the user pool name
- Check Use the Cognito Hosted UI and enter the prefix for the sign-in domain
- Set the app type to Confidential client and enter its name (a confidential client is required because Buddy exchanges the authorization code server-side)
- Check Generate a client secret
- Paste the callback URL from Buddy's SSO settings into Allowed callback URLs; it must match character for character, otherwise Cognito rejects the redirect
- In the advanced settings, set the following:
- Identity provider → Cognito user pool
- OAuth 2.0 grant type → Authorization code grant
- OpenID Connect scopes → OpenID, Email
- In Attribute read and write permissions, make sure the email attribute is set to Read, otherwise the email claim will not be available to Buddy
- Proceed to the next page and review the settings. If everything is correct, click Create user pool.
- Open the created pool and add the users who should sign in to Buddy.
When done, open the created app integration in the user pool and do the following:
- Copy the Client ID and Client secret. You will need them in the next step.
- Make sure the allowed callback URL is the same as the callback URL shown in Buddy.
- Switch back to Buddy and fill in the fields with the values from the Cognito app:
- Client ID → the client ID of the created app
- Client secret → the client secret of the created app
- Issuer URL → the base URL of the Cognito OIDC server for the pool (see Creating Issuer URL below)
- Click Test the configuration and enable SSO once the test succeeds.
- Sign in through Cognito with a user from the pool to save the SSO configuration.
Creating Issuer URL
The Cognito console does not display the issuer URL directly; build it according to this rule:
https://cognito-idp.$ZONE.amazonaws.com/$POOLID
Where:
$ZONE
– the AWS region (not an availability zone) in which the user pool was created. Example: eu-north-1
$POOLID
– the User pool ID displayed on the pool's main page in AWS. The pool ID starts with the region, so the two values must agree. Example: eu-north-1_WsvGfh1a9
Example issuer URL: https://cognito-idp.eu-north-1.amazonaws.com/eu-north-1_WsvGfh1a9
You can confirm the value by opening the pool's discovery document at the issuer URL followed by /.well-known/openid-configuration; its issuer field must be exactly the URL you enter in Buddy.
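The following script is an added example, not code from Buddy or AWS. It builds the issuer URL from the region and pool ID with the rule above, refuses a pool ID whose embedded region does not match, and checks a discovery document for what the integration settings chosen above rely on (authorization code grant, openid and email scopes, HTTPS endpoints). It also checks the claims an ID token must carry for Buddy's client; the sample discovery document and claims are constructed here for offline use, and the region, pool ID and client ID are the page's example values plus an assumed client ID.

```python
"""Added example: derive and validate the Cognito issuer URL and discovery document."""
import json
import re
import urllib.request

# AWS region followed by "_" and the pool suffix, e.g. eu-north-1_WsvGfh1a9
POOL_ID_RE = re.compile(r"^(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)_[A-Za-z0-9]+$")


def issuer_url(region: str, pool_id: str) -> str:
    """https://cognito-idp.<region>.amazonaws.com/<pool id>, per the rule on this page.
    The pool ID embeds its region; a mismatch would yield a URL that looks valid but
    points at the wrong (or no) pool, so it is rejected here."""
    m = POOL_ID_RE.match(pool_id)
    if not m:
        raise ValueError(f"malformed user pool ID: {pool_id!r}")
    if m.group("region") != region:
        raise ValueError(f"pool {pool_id!r} lives in {m.group('region')}, not {region}")
    return f"https://cognito-idp.{region}.amazonaws.com/{pool_id}"


def discovery_url(issuer: str) -> str:
    return issuer + "/.well-known/openid-configuration"


def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Live fetch of the discovery document (needs network access)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(issuer: str, doc: dict) -> list:
    """Return problems found; an empty list means the pool advertises what the
    Buddy integration settings above require."""
    problems = []
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    missing = {"openid", "email"} - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes missing: {sorted(missing)}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    return problems


def check_id_token_claims(claims: dict, issuer: str, client_id: str) -> list:
    """Claims to verify after the signature has been checked against jwks_uri.
    Cognito marks ID tokens with token_use == "id"; an access token must not be accepted."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the configured issuer")
    if claims.get("aud") != client_id:
        problems.append("aud is not this app's client ID")
    if claims.get("token_use") != "id":
        problems.append("not an ID token")
    if not claims.get("email"):
        problems.append("email claim absent: grant Read on email and request the email scope")
    return problems


# Constructed sample values (region and pool ID from the page; client ID is assumed).
SAMPLE_REGION = "eu-north-1"
SAMPLE_POOL = "eu-north-1_WsvGfh1a9"
SAMPLE_CLIENT_ID = "1example23456789abcdefghijklmn"
SAMPLE_ISSUER = issuer_url(SAMPLE_REGION, SAMPLE_POOL)
# Trimmed to the fields checked above; shaped like Cognito's real document.
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": "https://myprefix.auth.eu-north-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://myprefix.auth.eu-north-1.amazoncognito.com/oauth2/token",
    "jwks_uri": SAMPLE_ISSUER + "/.well-known/jwks.json",
    "response_types_supported": ["code", "token"],
    "scopes_supported": ["openid", "email", "phone", "profile"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "aud": SAMPLE_CLIENT_ID,
    "token_use": "id",
    "email": "user@example.com",
}

if __name__ == "__main__":
    print(SAMPLE_ISSUER)
    print("discovery:", check_discovery(SAMPLE_ISSUER, SAMPLE_DOC) or "ok")
    print("claims:", check_id_token_claims(SAMPLE_CLAIMS, SAMPLE_ISSUER, SAMPLE_CLIENT_ID) or "ok")
```

To check a real pool, replace the sample document with `fetch_discovery(issuer_url(region, pool_id))`; an issuer mismatch there almost always means the region or pool ID was copied from a different pool.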
Last modified on Sep 23, 2024