Daniel Bayerlein

How to use Azure AD B2C as IdP for Amazon Cognito

Amazon Cognito is almost an integral part of any AWS cloud architecture, and its integration with several AWS services is really good. But many enterprise companies maintain their user identities in Azure AD.

In this blog post I explain how you can use Azure AD B2C as the identity provider for Amazon Cognito. This requires several steps, so it is written as a step-by-step guide.

Configure Amazon Cognito Hosted UI

With Amazon Cognito you can provision a hosted UI for authentication. The hosted UI is the foundation for other features such as the ability to sign in directly to your user pool through OpenID Connect (OIDC) and SAML identity providers.

Create an app client

  1. Select an existing user pool or create a new one
  2. Go to General settings -> App clients -> Add an app client
  3. Give your app client a name
  4. Deselect the option Generate client secret
  5. Create the app client and note the App client ID

[Screenshot: Add an app client]

📖 Documentation: Using the Hosted UI

Configure the hosted UI domain name

  1. Go to App integration -> Domain name
  2. Enter an available domain prefix and make a note of the complete address

[Screenshot: Domain name]

📖 Documentation: Configuring a Domain

App Registration with Azure AD B2C

Next we have to switch to the Azure Portal to register a new web application in Azure Active Directory B2C.

  1. Go to Manage -> App registrations and create a New registration
  2. Give your app a name
  3. Choose a supported account type
  4. Enter your Amazon Cognito hosted UI domain name and append /oauth2/idpresponse, for example https://domain-prefix.auth.eu-central-1.amazoncognito.com/oauth2/idpresponse
  5. Go to Manage -> Certificates & secrets
  6. Create a New client secret, choose Expires: Never and make a note of the secret value
  7. Switch to the Overview and make a note of the Application (client) ID and the Directory (tenant) ID

📖 Documentation: Register an application

Add an OpenID Connect Identity Provider to a User Pool

Back to Amazon Cognito. In this step I add an OIDC identity provider to the user pool and create the attribute mapping. For this we need the notes from the previous step.

Add an Identity Provider

Go to Federation -> Identity providers and choose OpenID Connect:

| Name | Value |
| --- | --- |
| Provider name | A name of your choice |
| Client ID | Azure AD Application (client) ID |
| Client secret | Azure AD client secret |
| Attributes request method | GET |
| Authorize scope | profile email openid |
| Issuer | https://login.microsoftonline.com/DIRECTORY-TENANT-ID/v2.0 (replace DIRECTORY-TENANT-ID with the Azure AD Directory (tenant) ID) |

[Screenshot: OpenID Connect]

📖 Documentation: Adding OIDC Providers

OIDC Attribute mapping

  1. Go to Federation -> Attribute mapping
  2. Choose OIDC and select your identity provider
  3. Create a mapping between the OIDC attribute and the User pool attribute:

| OIDC attribute | User pool attribute |
| --- | --- |
| name | Name |
| username | Preferred User Name |
| email | Email |
| sub | Username |

[Screenshot: Attribute mapping]

📖 Documentation: Specifying Attribute Mappings

Configure the app client

  1. Go to App integration -> App client settings
  2. Select your identity provider as one of the Enabled Identity Providers
  3. Enter a callback URL for the authorization server to redirect to after users are authenticated
  4. Enter a sign out URL
  5. Select Authorization code grant
  6. Select the email, openid, and aws.cognito.signin.user.admin check boxes for the Allowed OAuth scopes

[Screenshot: App client settings]

📖 Documentation: Add an App to Enable the Hosted Web UI

If you have any kind of feedback, suggestions or ideas, feel free to comment on this post!

Discussion (8)

Virender Choudhary

Hi Daniel, great article. It helped. A question for you as we are facing an issue. We have custom policies in B2C which render the signup page. When we are using issuers as login.microsoftonline.com/DIRECTOR... Replace the DIRECTORY-TENANT-ID, the redirection takes us to the AD login screen and NOT the B2C policy. Do you know how to tell AWS Cognito to redirect to the B2C login page? (Not AD)

Marco Streng

Hi @virenderabbott1 ,

I was struggling with the same issue. The issuer URL 'login.microsoftonline.com' always ends up in the AAD UI and not in the AAD B2C UI (which we want to customize in our case).

After some exhausting hours and with the great help from AWS Support we were able to find a solution. B2C works with its predefined "User Flows". These flows are nice and easy to set up, but do not provide all the endpoints you need with OIDC. And this is why you are forced to create custom policies in B2C.

You can follow these steps from the official documentation:

  1. Create custom policies: docs.microsoft.com/en-us/azure/act...

  2. Create the userinfo endpoint: docs.microsoft.com/en-us/azure/act...

  3. Configure Cognito: Besides the issuer URL you also have to provide the four OIDC endpoints: Authorization, Token, JWKS and Userinfo. All of these required endpoints can be found under YOURTENANT.b2clogin.com/YOURTENANT.... As you can see, the URLs do not contain 'microsoftonline.com' anymore and end up on b2clogin.com instead. You also have to add 'offline_access' to the authorize scope in Cognito (see: docs.microsoft.com/en-us/azure/act...)

If you want to use custom UI templates you can follow these instructions: docs.microsoft.com/en-us/azure/act...

Thomas George

This guy here is a life saver, @marcostreng. Follow the steps mentioned above and make sure you add some more things.

1) Add the Application (client) ID of the web app that you created in Azure AD B2C to the authorization scope of the OIDC config in AWS Cognito

2) In the attribute mapping in AWS Cognito add signInNames.emailAddress and map it to the Email attribute of the user pool

3) The issuer URL should be in the following format: tenant-name.b2clogin.com/tenant-id...

And when you hit run discovery it will fail and you will get the option to add the OIDC endpoints which you get from the URL that @marcostreng mentioned ( tenant-name.b2clogin.com/tenant-na... ).

Once you add all the corresponding endpoints, create the provider or update the provider, and that's it, it will work like a charm.

Once again a big thanks to @marcostreng for helping me solve this.
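The provider settings from the post's tables and the B2C adjustments from the two comments above, written as code. This is an added example, not the post's or the commenters' own code: the two builders return the parameter set for Cognito's CreateIdentityProvider API, the B2C builder refuses a login.microsoftonline.com issuer and insists on the four explicit endpoints, and `create_in_cognito` needs boto3 plus AWS credentials. The `TENANT` host and endpoint URLs used in testing are placeholders.

```python
import re

AAD_ISSUER = "https://login.microsoftonline.com/{tenant_id}/v2.0"  # issuer format from the post
B2C_ENDPOINT_KEYS = ("authorize_url", "token_url", "attributes_url", "jwks_uri")
# OIDC claim -> user pool attribute, as in the post's attribute mapping table
ATTRIBUTE_MAPPING = {"name": "name", "username": "preferred_username",
                     "email": "email", "sub": "username"}


def _provider(name, client_id, client_secret, issuer, scopes, extra_details=None):
    """Parameters for cognito-idp CreateIdentityProvider (UserPoolId is added at call time)."""
    details = {"client_id": client_id, "client_secret": client_secret,
               "attributes_request_method": "GET", "authorize_scopes": " ".join(scopes),
               "oidc_issuer": issuer, **(extra_details or {})}
    return {"ProviderName": name, "ProviderType": "OIDC",
            "ProviderDetails": details, "AttributeMapping": dict(ATTRIBUTE_MAPPING)}


def aad_provider(name, client_id, client_secret, tenant_id):
    """Plain Azure AD issuer, exactly as the post configures it."""
    if not re.fullmatch(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", tenant_id, re.I):
        raise ValueError("tenant_id must be the Directory (tenant) ID GUID")
    return _provider(name, client_id, client_secret,
                     AAD_ISSUER.format(tenant_id=tenant_id), ["profile", "email", "openid"])


def b2c_provider(name, client_id, client_secret, issuer, endpoints):
    """B2C custom-policy variant from the comments: issuer on <tenant>.b2clogin.com, the
    four endpoints given explicitly (Cognito's discovery fails for B2C), offline_access and
    the app's client ID added to the scope, signInNames.emailAddress mapped to email."""
    host = issuer.split("/")[2] if issuer.startswith("https://") else ""
    if not host.endswith(".b2clogin.com"):
        raise ValueError("B2C issuer must be on b2clogin.com, not login.microsoftonline.com")
    missing = [k for k in B2C_ENDPOINT_KEYS if k not in endpoints]
    if missing:
        raise ValueError(f"missing B2C endpoints: {missing}")
    provider = _provider(name, client_id, client_secret, issuer,
                         ["profile", "email", "openid", "offline_access", client_id],
                         {k: endpoints[k] for k in B2C_ENDPOINT_KEYS})
    provider["AttributeMapping"]["signInNames.emailAddress"] = "email"
    return provider


def create_in_cognito(user_pool_id, provider):
    """Create the provider with boto3 (needs AWS credentials, so not run offline)."""
    import boto3  # assumption: boto3 is installed
    return boto3.client("cognito-idp").create_identity_provider(UserPoolId=user_pool_id, **provider)
```

Build the dict with `aad_provider` or `b2c_provider`, review it, then pass it to `create_in_cognito` with your user pool ID.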

Daniel Bayerlein (Author)

Hi Virender,

Thank you for your feedback.
Please have a look at this: docs.microsoft.com/en-us/azure/act.... If it works, I would be glad about some feedback.

Adrian Moreno

Hi Daniel, thanks for your article.
I am having this response: localhost:8000/callback/?error_des...

Could you help me with this?
Thanks

Mark Evans

Thanks for this - saved me a lot of bother getting confused with all the various docs!

Cecep Saefulloh

I tried your settings today, but I have a validation error on the Cognito OpenID form like this screenshot.

Can you tell me how to solve this?

Thanks before

Daniel Bayerlein (Author)

Hi Cecep, which screenshot are you referring to?