AWS Cognito - create groups from ADFS as Cognito Groups

An app is communicating via the OpenID Connect protocol with AWS Cognito, which is connected to ADFS, communicating via SAML. Cognito is essentially "proxying" the ADFS server.

ADFS holds a group mapping that the app requires, and I would like to import these groups into Cognito as actual Cognito Groups, which will then be read by the app from cognito:groups in the ID token Cognito provides.

In the AWS Cognito User Pool setup, I don't see a way to map ADFS groups to Cognito Groups. Must I absolutely rely on a custom attribute for my User Pool that I can map to the ADFS property, or am I missing some piece of configuration that allows Cognito to create new groups on the fly and automatically assign the users to the groups in Cognito?

Edit: To clarify, is it possible to set up Cognito to add/create groups (not as a custom property, but as actual manageable Cognito groups) when it imports users?

Tobias Roland asked Mar 19 '19 11:03




1 Answer

I had the same issue, and I have not found a static mapping option in Cognito either.

The only way I see is to map the AD groups to a custom:adgroups attribute in Cognito, and set up a Cognito "Pre Token Generation" Lambda trigger. The Lambda reads the value of custom:adgroups and manually overrides the user's Cognito groups.

NB - this does not change the Cognito user's groups permanently, only for the current session, but from the application's perspective that's exactly what I needed.

Please see a dummy static (non-conditional) ADMIN group assignment example here:

import json


def lambda_handler(event, context):
    print(f'incoming event: {json.dumps(event)}')

    # manual cognito group override: only for tokens issued by the hosted UI
    # (federated sign-in) flow, otherwise the event is returned unchanged
    if event['triggerSource'] == "TokenGeneration_HostedAuth":
        event['response'] = {
            "claimsOverrideDetails": {
                "groupOverrideDetails": {
                    # replaces the cognito:groups claim for this token only
                    "groupsToOverride": [
                        "ADMIN"
                    ]
                }
            }
        }

    return event

More detailed documentation here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html

tibor answered Sep 18 '22 15:09
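A conditional version of the trigger, added here as an illustration and not part of the answer above: it reads custom:adgroups, keeps only AD groups that appear in an explicit allowlist, and applies the override on authentication and on token refresh. The group names, the separator assumed for the custom:adgroups value, and the set of trigger sources handled are assumptions.

```python
# Constructed allowlist (hypothetical names): ADFS group names as they arrive
# in custom:adgroups -> Cognito group names. AD groups not listed here are
# ignored, so an unexpected AD group can never select a Cognito group by name.
AD_TO_COGNITO_GROUPS = {
    "App-Admins": "ADMIN",
    "App-Users": "USER",
}

# Trigger sources on which the override is applied. Refresh is included
# because the override lives only in the token being issued; without it a
# refreshed ID token would fall back to the user's stored Cognito groups.
GROUP_OVERRIDE_TRIGGERS = {
    "TokenGeneration_HostedAuth",
    "TokenGeneration_Authentication",
    "TokenGeneration_RefreshTokens",
}


def parse_ad_groups(raw):
    """Split custom:adgroups into group names. Assumption: the SAML mapping
    delivers one string separated by ',' or ';'; adjust to your claim rule."""
    if not raw:
        return []
    return [g.strip() for g in raw.replace(";", ",").split(",") if g.strip()]


def groups_for_user(user_attributes):
    """Return the Cognito groups the user's AD groups map to, in allowlist order."""
    ad_groups = set(parse_ad_groups(user_attributes.get("custom:adgroups")))
    return [cg for ag, cg in AD_TO_COGNITO_GROUPS.items() if ag in ad_groups]


def lambda_handler(event, context):
    # Log only the trigger and user, not the whole event: userAttributes is PII.
    print(f"trigger={event.get('triggerSource')} user={event.get('userName')}")
    if event.get("triggerSource") not in GROUP_OVERRIDE_TRIGGERS:
        return event

    attrs = event.get("request", {}).get("userAttributes", {})
    event["response"] = {
        "claimsOverrideDetails": {
            "groupOverrideDetails": {
                # Replaces the groups Cognito would otherwise put in cognito:groups
                "groupsToOverride": groups_for_user(attrs)
            }
        }
    }
    return event
```

Because the mapping is an allowlist, a user whose AD groups match nothing receives an empty override rather than whatever groups happen to be stored on the Cognito user.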