I've been using SAML identity federation on my user pool, which has a hosted sign-in page. I configured both Azure Active Directory and the Cognito user pool so I can log in with an AD user. I have added multiple SAML providers in a similar manner, and that works without an issue. The problem occurs when I use the Identifiers attribute, which is used to log in to the corresponding IdP by extracting the domain name from the email. I followed this documentation. This is how it looks in the AWS console.
Now when I try to log in with an AD user email, it gives me a "Login not allowed" error. It worked well when I didn't use this optional identifiers parameter.
Can someone help me to resolve this issue?
Launch the hosted web UI. In the Amazon Cognito console, choose Manage user pools, and then choose your user pool. In the left navigation pane, under App integration, choose App client settings. Under Hosted UI, choose Launch Hosted UI. The sign-in page of the hosted web UI opens in a new browser tab or window.
To customize UI settings for all app clients, locate Hosted UI customization and select Edit. To customize UI settings for one app client, locate App clients and select the app client you wish to modify, then locate Hosted UI customization and select Edit.
Amazon Cognito identity pools provide temporary AWS credentials for users who are guests (unauthenticated) and for users who have been authenticated and received a token. An identity pool is a store of user identity data specific to your account.
An identifier uniquely resolves to an identity provider (IdP) associated with your user pool. Typically, each identifier corresponds to an organization domain that the SAML IdP represents. For a multi-tenant app that multiple organizations share, you can use identifiers to redirect users to the correct IdP.
Apparently the "Identifiers" parameter has some connection with the user pool's "General Settings -> Policies". You need to select the "Allow users to sign themselves up" option for IdP identifiers to work.
Although this worked, when you enable the sign-up option there will be a link to sign up on the hosted page.
In my case, I do not want users to sign themselves up. However, this is some progress.
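As an added example (not part of the question, the answer, or any AWS code), the following Python script shows the two pieces of the flow discussed above from the application's side: extracting the domain from the user's email, matching it against the identifiers configured on the SAML providers, and building the hosted UI `/oauth2/authorize` URL with the `idp_identifier` parameter so the user is sent straight to the right IdP; and a check of the pool's `AdminCreateUserConfig.AllowAdminCreateUserOnly` flag (the API-side name of the "Allow users to sign themselves up" policy) that the answer found identifier routing depends on. The identifiers, hosted domain, client ID, redirect URI and the `DescribeUserPool` response are constructed placeholders, not values from the page.

```python
"""Route a user to the right SAML IdP on a Cognito hosted UI via idp_identifier.

Constructed example: all domains, IDs and the sample DescribeUserPool
response below are placeholders, not values from any real user pool.
"""
from typing import Dict, Optional
from urllib.parse import urlencode

# Constructed sample: identifier (email domain) -> SAML provider name,
# as it would be entered under "Identifiers" on each provider in the console.
IDP_IDENTIFIERS: Dict[str, str] = {
    "example.com": "AzureAD-Example",
    "contoso.com": "AzureAD-Contoso",
}


def domain_of(email: str) -> Optional[str]:
    """Return the lower-cased domain part of an email, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local or "." not in domain:
        return None
    return domain.lower()


def resolve_idp(email: str, identifiers: Dict[str, str] = IDP_IDENTIFIERS) -> Optional[str]:
    """Return the configured identifier matching the email's domain, or None.

    Matching is an exact, case-insensitive comparison of the domain against
    the configured identifiers (an assumption of this example; the page does
    not describe Cognito's matching rules beyond "extracting the domain").
    """
    domain = domain_of(email)
    if domain is None:
        return None
    return domain if domain in identifiers else None


def authorize_url(hosted_domain: str, client_id: str, redirect_uri: str,
                  idp_identifier: str, scope: str = "openid email") -> str:
    """Build the hosted UI authorization URL that pre-selects an IdP by identifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "idp_identifier": idp_identifier,  # hosted UI parameter that selects the IdP
    }
    return f"https://{hosted_domain}/oauth2/authorize?{urlencode(params)}"


def login_url_for(email: str, hosted_domain: str, client_id: str, redirect_uri: str) -> str:
    """Resolve the email to an identifier and return the authorize URL for it."""
    identifier = resolve_idp(email)
    if identifier is None:
        raise ValueError(f"no SAML identifier configured for {email!r}")
    return authorize_url(hosted_domain, client_id, redirect_uri, identifier)


def identifier_routing_possible(describe_user_pool_response: dict) -> bool:
    """Mirror the answer's finding: identifier-based routing needs self sign-up allowed.

    AllowAdminCreateUserOnly=True is the API form of leaving "Allow users to
    sign themselves up" unchecked, which is the configuration the answer
    observed failing with "Login not allowed".
    """
    config = describe_user_pool_response.get("UserPool", {}).get("AdminCreateUserConfig", {})
    return not config.get("AllowAdminCreateUserOnly", False)


if __name__ == "__main__":
    # Constructed sample DescribeUserPool response with self sign-up disabled.
    sample_pool = {"UserPool": {"AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True}}}
    print("routing possible:", identifier_routing_possible(sample_pool))
    print(login_url_for("alice@Example.com",
                        "auth.example.auth.us-east-1.amazoncognito.com",  # placeholder domain
                        "abc123",                                          # placeholder client ID
                        "https://app.example.com/callback"))               # placeholder redirect
```

Note that the script only chooses the IdP on the client; the SAML exchange itself is still performed by Cognito and the IdP. If `identifier_routing_possible` returns `False` for a pool, that is the configuration the answer above associates with the "Login not allowed" error.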