Amazon Cognito is almost an integral part of any AWS cloud architecture, and its integration with other AWS services is excellent. But many enterprise companies maintain their user identities in Azure AD.
In this blog post I explain how you can use Azure AD B2C as an identity provider for Amazon Cognito. This takes a number of steps, so it is written as a step-by-step guide.
With Amazon Cognito you can provision a hosted UI for authentication. The hosted UI is the foundation for other features, such as signing in to your user pool through OpenID Connect (OIDC) and SAML identity providers.
- Select an existing user pool or create a new one
- Go to General settings -> App clients -> Add an app client
- Give your app client a name
- Deselect the option Generate client secret (the hosted UI is used from a browser, i.e. a public client that cannot keep a secret; such a client should use PKCE for the authorization code flow)
- Create the app client and make a note of the App client ID
- Go to App integration -> Domain name
- Enter an available domain prefix and make a note of the complete address
Next we have to switch to the Azure Portal to register a new web application in Azure Active Directory B2C.
- Go to Manage -> App registrations and create a New registration
- Give your app a name
- Choose a supported account type
- Enter your Amazon Cognito hosted UI domain name with /oauth2/idpresponse appended as the Redirect URI. The result has the form https://<domain-prefix>.auth.<region>.amazoncognito.com/oauth2/idpresponse
- Go to Manage -> Certificates & secrets
- Create a New client secret and make a note of the secret value; it is displayed only once. Choosing Expires: Never is convenient, but the Azure portal now limits client secrets to 24 months, and a shorter lifetime with planned rotation is the safer choice anyway
- Switch to the Overview and make a note of the Application (client) ID and the Directory (tenant) ID
Back to Amazon Cognito. In this step I add an OIDC identity provider to the User Pool and create the attribute mapping. For this we need the notes from the previous step.
- Go to Federation -> Identity providers and choose OpenID Connect
- Fill in the provider settings:

| Setting | Value |
|---|---|
| Provider name | A name of your choice |
| Client ID | Azure AD Application (client) ID |
| Client secret | Azure AD client secret |
| Attributes request method | |
- Go to Federation -> Attribute mapping
- Choose OIDC and select your identity provider
- Create a mapping between the OIDC attribute and the User pool attribute:

| OIDC attribute | User pool attribute |
|---|---|
| username | Preferred User Name |
- Go to App integration -> App client settings
- Select your identity provider as one of the Enabled Identity Providers
- Enter a callback URL for the authorization server to redirect to after users are authenticated (this is your own application's URL, not the /oauth2/idpresponse URI registered in Azure)
- Enter a sign out URL
- Select Authorization code grant
- Select the check boxes for the Allowed OAuth scopes your application needs: openid is required to receive an ID token, and aws.cognito.signin.user.admin lets the access token call the user pool's user APIs on the signed-in user's behalf, so only enable it if your app uses them
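To make the application side of the procedure above concrete, here is an added example (not code from the original post) of the relying-party logic that drives the hosted UI: a PKCE pair for the secret-less app client, the /oauth2/authorize request that pre-selects the Azure AD identity provider, the state check on the callback, the /oauth2/token exchange body, and the claim checks on the resulting Cognito ID token. The domain prefix `example-prefix`, region `eu-west-1`, user pool id `eu-west-1_EXAMPLE`, client id `example-client-id`, provider name `AzureADB2C` and callback URL `https://app.example.com/callback` are placeholders, not values from the post. Only the standard library is used, so it runs offline; the RS256 signature check against the pool's JWKS is described in a comment but not performed.

```python
"""Relying-party helpers for signing in through the Amazon Cognito hosted UI.

Added example, not code from the original post. All identifiers below are
assumed placeholders standing in for the values noted during the setup.
"""
import base64
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

COGNITO_DOMAIN = "https://example-prefix.auth.eu-west-1.amazoncognito.com"  # assumed
USER_POOL_ID = "eu-west-1_EXAMPLE"                  # assumed
CLIENT_ID = "example-client-id"                     # assumed: app client created without a secret
PROVIDER_NAME = "AzureADB2C"                        # assumed: Provider name given to the OIDC IdP
CALLBACK_URL = "https://app.example.com/callback"   # assumed: callback URL in App client settings


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 and JWT require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_for(verifier: str) -> str:
    """S256 PKCE challenge: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge).

    The app client has no client secret, so PKCE is what binds the
    authorization code to the browser session that started the login.
    """
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 limits
    return verifier, code_challenge_for(verifier)


def build_authorize_url(state: str, code_challenge: str,
                        scopes=("openid", "aws.cognito.signin.user.admin")) -> str:
    """Authorization-code request to the hosted UI that jumps straight to Azure AD.

    identity_provider skips Cognito's IdP selection page; openid is required for
    an ID token, aws.cognito.signin.user.admin only if the app calls user APIs.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "scope": " ".join(scopes),
        "state": state,
        "identity_provider": PROVIDER_NAME,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect; reject a state mismatch (CSRF)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code: str, code_verifier: str) -> Tuple[str, Dict[str, str]]:
    """URL and form body for the code exchange; no client secret is sent."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": CALLBACK_URL,
        "code_verifier": code_verifier,
    }
    return f"{COGNITO_DOMAIN}/oauth2/token", body


def expected_issuer() -> str:
    """Issuer Cognito writes into its tokens; <issuer>/.well-known/jwks.json holds the keys."""
    region = USER_POOL_ID.split("_")[0]
    return f"https://cognito-idp.{region}.amazonaws.com/{USER_POOL_ID}"


def validate_id_token_claims(claims: dict, now: Optional[float] = None,
                             require_provider: bool = True) -> dict:
    """Claim checks for a Cognito ID token issued for this app client.

    Run this only AFTER verifying the RS256 signature with the JWKS key whose
    kid matches the token header (needs an RSA library and a network fetch, so
    it is left out of this offline example).
    """
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer():
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this app client")
    if claims.get("token_use") != "id":
        raise ValueError("not an ID token")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # Federated users carry an identities claim naming the IdP they came through.
    if require_provider and not any(i.get("providerName") == PROVIDER_NAME
                                    for i in claims.get("identities", [])):
        raise ValueError(f"user did not authenticate via {PROVIDER_NAME}")
    return claims
```

Keep the `state` and `code_verifier` in the server-side session between the redirect and the callback; both are single-use. The claim checks deliberately include the `identities` provider name, so a user created directly in the pool cannot slip through a flow that is supposed to be Azure AD only.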
If you have any kind of feedback, suggestions or ideas - feel free to comment this post!