 

How to set up Okta as SAML IDP in AWS Cognito User Pool?

I want to use Okta as a SAML 2.0 based IDP, AWS Cognito as the service provider, and a Cognito user pool with a federated IDP configuration.

I have followed all the steps mentioned on the AWS pages listed below:

  • https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
  • https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-integrating-3rd-party-saml-providers.html
  • https://aws.amazon.com/blogs/mobile/amazon-cognito-user-pools-supports-federation-with-saml

Okta does not provide any support or documentation - https://support.okta.com/help/answers?id=9062A000000QucAQAS&feedtype=SINGLE_QUESTION_DETAIL&dc=xSAML&criteria=OPENQUESTIONS&

Please note that I have tried Okta as IDP, established trust with AWS IAM, and an Okta user can log in to my AWS account. This works fine following the detailed documentation provided by Okta. However, my need is different: I would like to use Okta as the SAML IDP in my AWS Cognito user pool.

Any detailed documentation containing the configurations to be done at both ends, i.e. AWS and Okta, will be helpful.

Martin asked Jan 26 '18 12:01

1 Answer

I did set up Okta with Cognito through SAML with the following:

Okta side:

  • Single sign on URL will be your cognito SAML endpoint in the form of: https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse (see under your user pool, "App integration" -> "Domain name" for the first part of the URL).
  • Audience URI (SP Entity ID) will be the URN of your cognito user pool: urn:amazon:cognito:sp:<yourUserPoolID> (see your user pool "General Settings" for that pool ID).
  • Attribute statements: add whatever attribute you set as mandatory in your pool; in my case it was email.

Cognito side - User pool:

  • Federation -> Identity providers: Choose SAML and import the metadata.xml from Okta.
  • Go to your App client settings under App integration and enable the newly created IDP.

Cognito side - Identity pool:

  • Under authentication providers, SAML tab, you'll be able to check the Okta provider checkbox, as you mentioned that you already have it as a trusted provider under IAM.

That should be about it. Resources that were of help: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html

EDIT: It seems that clarification was required on the Audience URI/Audience Restriction Okta setting. As Julien mentioned below, it is in the form of urn:amazon:cognito:sp:region_randomid (i.e. urn:amazon:cognito:sp:eu-west-1_SdsSdwSD3e); you don't need to add the region yourself.

WenWolf answered Sep 29 '22 13:09