AWS Cognito - create groups from ADFS as Cognito Groups

Frontend | unresolved | 2 answers | 1556 views
梦如初夏 2021-01-06 04:36

An app is communicating via the OpenID Connect protocol with AWS Cognito, which is connected to ADFS, communicating via SAML. Cognito is e

2 answers
  • 2021-01-06 04:46

    How to set up ADFS with Cognito is documented in this link. The section answering your question is the mapping in step 4, item 5. I'm copying the relevant text below:

    Choose Attribute mapping. These mappings map the claims from the SAML assertion from AD FS to the user pool attributes.

    Make sure that ADFS is sending the groups in the assertions. For setting up the ADFS side for groups, this link might be useful.

    You could debug the flow with the SAML-tracer plugin in Firefox.

  • 2021-01-06 04:58

    I had the same issue, and I have not found a static mapping option in Cognito either.

    The only way I see is to map the AD groups to a custom:adgroups attribute in Cognito, and set up a Cognito "Pre Token Generation" Lambda trigger. The Lambda reads the value of custom:adgroups and manually overrides the user's Cognito groups.

    NB - this does not change the Cognito user's groups permanently, only for the current session, but from the application's perspective that's exactly what I needed.

    Please see a dummy static (non-conditional) ADMIN group assignment example here:

    import json

    def lambda_handler(event, context):
        print(f'incoming event: {json.dumps(event)}')

        # manual cognito group override, applied only on hosted UI (federated) sign-in
        if event['triggerSource'] == "TokenGeneration_HostedAuth":
            event['response'] = {
                "claimsOverrideDetails": {
                    "groupOverrideDetails": {
                        "groupsToOverride": [
                            "ADMIN"
                        ]
                    }
                }
            }

        return event


    More detailed documentation here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html

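A conditional version of the approach in the answer above, added here as an example; it is not the answerer's code and not AWS-provided code. It reads custom:adgroups from the Pre Token Generation (v1) event, maps the AD groups through an allowlist to Cognito group names, and overrides the token's groups only on the hosted UI and refresh triggers. The AD group names (CORP\App-Admins, CORP\App-Users, CORP\VPN-Users), the Cognito group names ADMIN and USER, the user pool ID and the sample event are all assumptions made up for this example, as is the string format in which Cognito delivers a multi-valued SAML attribute (the parser accepts both a plain comma-separated list and a bracketed "[a, b]" list).

```python
import json

# Allowlist mapping from AD group names (as ADFS emits them in the SAML
# assertion) to Cognito user pool group names. All names are hypothetical;
# only groups listed here ever reach the token, so an unexpected AD group
# can never become a Cognito group by accident.
AD_TO_COGNITO_GROUPS = {
    "CORP\\App-Admins": "ADMIN",
    "CORP\\App-Users": "USER",
}

# Override on hosted UI (federated) sign-in and on token refresh, so the
# override survives refreshes while non-federated flows stay untouched.
OVERRIDE_TRIGGERS = {"TokenGeneration_HostedAuth", "TokenGeneration_RefreshTokens"}


def parse_adgroups(raw):
    """Split the custom:adgroups string into individual AD group names.

    Assumption: a multi-valued SAML attribute arrives as one string, either
    plain comma-separated or bracketed like "[a, b]"; both forms are handled.
    """
    if not raw:
        return []
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        raw = raw[1:-1]
    return [g.strip() for g in raw.split(",") if g.strip()]


def cognito_groups_for(ad_groups):
    """Translate AD groups through the allowlist, deduplicated, order preserved."""
    result = []
    for group in ad_groups:
        mapped = AD_TO_COGNITO_GROUPS.get(group)
        if mapped and mapped not in result:
            result.append(mapped)
    return result


def lambda_handler(event, context):
    # Log only what is needed for debugging; the full event carries user attributes.
    print(json.dumps({"trigger": event.get("triggerSource"), "user": event.get("userName")}))

    if event.get("triggerSource") not in OVERRIDE_TRIGGERS:
        return event

    attrs = event.get("request", {}).get("userAttributes", {})
    if "custom:adgroups" not in attrs:
        # Not a federated user with mapped groups: leave the pool's own groups alone.
        return event

    # Override even when the mapped list is empty, so an AD user whose groups
    # were removed does not keep any group-based privilege in the token.
    groups = cognito_groups_for(parse_adgroups(attrs["custom:adgroups"]))
    event["response"] = {
        "claimsOverrideDetails": {
            "groupOverrideDetails": {"groupsToOverride": groups}
        }
    }
    return event


def sample_event(trigger_source, adgroups):
    """Constructed Pre Token Generation (v1) event for local testing; not captured from Cognito."""
    attrs = {"sub": "11111111-2222-3333-4444-555555555555", "email": "jdoe@corp.example"}
    if adgroups is not None:
        attrs["custom:adgroups"] = adgroups
    return {
        "version": "1",
        "triggerSource": trigger_source,
        "userPoolId": "us-east-1_EXAMPLE",
        "userName": "adfs_jdoe",
        "request": {
            "userAttributes": attrs,
            "groupConfiguration": {"groupsToOverride": [], "iamRolesToOverride": [], "preferredRole": None},
        },
        "response": {"claimsOverrideDetails": None},
    }


def token_groups(processed_event):
    """Return the groupsToOverride list the handler produced, or None if it did not override."""
    details = processed_event.get("response", {}).get("claimsOverrideDetails") or {}
    override = details.get("groupOverrideDetails")
    return None if override is None else override.get("groupsToOverride")


if __name__ == "__main__":
    ev = sample_event("TokenGeneration_HostedAuth",
                      "[CORP\\App-Admins, CORP\\VPN-Users, CORP\\App-Users]")
    print(token_groups(lambda_handler(ev, None)))  # ['ADMIN', 'USER']
```

Because the whole decision rests on custom:adgroups, the attribute must not be writable by any app client (check the app client's attribute read/write permissions in the user pool); otherwise a signed-in user could set it for themselves with UpdateUserAttributes and grant their own groups on the next token refresh. The allowlist is there for the same reason: passing AD group names straight through would let whoever controls group naming in AD choose Cognito group names.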