How to proceed with AD FS SAML for AWS Cognito?

Submitted by 南楼画角 on 2021-02-07 22:23:09

Question


I am setting up AD FS to generate metadata for SAML to connect to AWS Cognito User pools. I already generated the xml metadata and uploaded it to the User pool. Should I create Trust relays on AD FS site? Is there any other steps to make my AD users available for web app sign in?


Answer 1:


For ADFS 2.0 here are the steps:

  1. Go to “Trust Relationships” -> “Relying Party Trusts” -> “Add relying party trusts”. This will start a wizard.
  2. Select the option “Enter data about the relying party manually”.
  3. Enter a display name.
  4. Select ADFS 2.0.
  5. On the next screen, do not configure a certificate.
  6. Enable support for “SAML 2.0 SSO service URL”
  7. Add the relying party trust identifier which will be “urn:amazon:cognito:sp:”
  8. Select “Permit all users to access this relying party”
  9. Click Finish.

Now you will see your configured Relying Party Trust on the list. The trust has been established, but we still need to set up what claims are sent when users authenticate using this Relying Party. Right-click on the Relying Party Trust and click “Edit Claim Rules”.

  1. Select a claim rule name
  2. Attribute store can be Active Directory if your users are in Active Directory
  3. Map an LDAP Attribute (e.g. E-Mail-Address) to an Outgoing Claim Type (e.g. Email)

The configuration on Cognito side is very simple where you just upload the metadata.xml or provide a URL where the metadata.xml is hosted.

If you are using the URL, then we do periodically pull the latest cert.
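The same relying party trust and claim rules can be created without the wizard. The following is an added example, not part of the answer above, written for the ADFS PowerShell module on Windows Server 2012 R2 or later; the user pool ID, region and Cognito domain prefix are placeholders to replace with your own pool's values.

```powershell
# Added example (not from the original answer): scripted equivalent of the
# ADFS wizard steps above, run on the federation server as an ADFS admin.
Import-Module ADFS

$UserPoolId   = 'REGION_XXXXXXXXX'   # placeholder: your Cognito user pool ID
$Region       = 'us-east-1'          # placeholder: your user pool's region
$DomainPrefix = 'my-app'             # placeholder: your Cognito hosted UI domain prefix

# Relying party identifier (SAML audience) and assertion consumer URL that a
# Cognito user pool expects from a SAML identity provider.
$Identifier = "urn:amazon:cognito:sp:$UserPoolId"
$AcsUrl     = "https://$DomainPrefix.auth.$Region.amazoncognito.com/saml2/idpresponse"

# "SAML 2.0 SSO service URL": POST-binding assertion consumer endpoint.
$SamlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

# Claim rule equivalent to "Edit Claim Rules": look the user up in Active
# Directory and map the LDAP E-Mail-Address attribute to the outgoing email claim.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email address from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Equivalent of "Permit all users to access this relying party".
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name 'AWS Cognito User Pool' `
    -Identifier $Identifier `
    -SamlEndpoint $SamlEndpoint `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules

# Check the trust is present and enabled, and print the federation metadata URL
# that can be given to Cognito instead of uploading metadata.xml by hand.
Get-AdfsRelyingPartyTrust -Name 'AWS Cognito User Pool' | Select-Object Name, Identifier, Enabled
$Fqdn = (Get-AdfsProperties).HostName
"Metadata URL for Cognito: https://$Fqdn/FederationMetadata/2007-06/FederationMetadata.xml"
```

If you later tighten "Permit all users" to a group, replace the authorization rule with one that issues the permit claim only for the group SID, and re-run `Set-AdfsRelyingPartyTrust -IssuanceAuthorizationRules`.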



Source: https://stackoverflow.com/questions/47655162/how-to-proceed-with-ad-fs-saml-for-aws-cognito
