Question
I am setting up AD FS to generate metadata for SAML to connect to AWS Cognito User pools. I already generated the XML metadata and uploaded it to the User pool. Should I create Trust relays on the AD FS site? Are there any other steps to make my AD users available for web app sign-in?
Answer 1:
For ADFS 2.0 here are the steps:
- Go to “Trust Relationships” -> “Relying Party Trusts” -> “Add relying party trusts”. This will start a wizard.
- Select the option “Enter data about the relying party manually”.
- Enter a display name.
- Select ADFS 2.0.
- On the next screen, do not configure a certificate.
- Enable support for “SAML 2.0 SSO service URL”.
- Add the relying party trust identifier which will be “urn:amazon:cognito:sp:”
- Select “Permit all users to access this relying party”
- Click Finish.
Now you will see your configured Relying Party Trust on the list. The trust has been established, but we still need to set up what claims are sent when users authenticate using this Relying Party. Right-click on the Relying Party trust and click “Edit Claim Rules”.
- Select a claim rule name.
- Attribute store can be Active Directory if your users are in Active Directory.
- Map an LDAP Attribute (e.g. E-Mail-Address) to an Outgoing Claim Type (e.g. Email).
The configuration on Cognito side is very simple where you just upload the metadata.xml or provide a URL where the metadata.xml is hosted.
If you are using the URL, then we do periodically pull the latest cert.
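The same relying party trust and claim rules, scripted with the ADFS PowerShell module so the configuration is repeatable and reviewable. This is an added example, not part of the answer above; the user pool id, Cognito domain and region are placeholders you must replace with your own.

```powershell
# Added example (not from the original answer): create the Cognito relying party
# trust and its claim rules with the ADFS cmdlets instead of the wizard.
# Placeholders (assumptions): user pool id, Cognito hosted-UI domain and region.
Import-Module ADFS

$poolId     = "us-east-1_EXAMPLE"   # placeholder: your Cognito user pool id
$cognitoAcs = "https://example-domain.auth.us-east-1.amazoncognito.com/saml2/idpresponse"  # placeholder domain/region

# Relying party identifier (SAML audience) that Cognito expects: urn:amazon:cognito:sp:<user pool id>
$identifier = "urn:amazon:cognito:sp:$poolId"

# SAML 2.0 assertion consumer endpoint: the wizard's "SAML 2.0 SSO service URL" step.
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $cognitoAcs

# Issuance transform rule: the "map LDAP attribute E-Mail-Address to the Email claim" step.
# Looks up the signed-in account's mail attribute in Active Directory.
$transformRules = @'
@RuleName = "Email from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Issuance authorization rule: the "Permit all users to access this relying party" step.
# Narrow this to a group if only some AD users should be able to sign in to the app.
$authzRules = @'
@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name "AWS Cognito ($poolId)" `
    -Identifier $identifier `
    -SamlEndpoint $acsEndpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check what was created: identifier, enabled state and the ACS URL AD FS will post to.
Get-AdfsRelyingPartyTrust -Name "AWS Cognito ($poolId)" |
    Select-Object Name, Identifier, Enabled, @{ n = 'AcsUrl'; e = { $_.SamlEndpoints.Location } }
```

Run it in an elevated PowerShell session on the AD FS server; the final Get-AdfsRelyingPartyTrust output is what to compare against the identifier and ACS URL shown in the Cognito console.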
Source: https://stackoverflow.com/questions/47655162/how-to-proceed-with-ad-fs-saml-for-aws-cognito