aws-samples/aws-cognito-java-desktop-app

How to achieve authentication using user pool SAML federation

sivaramit14 opened this issue · 3 comments

I have created a user pool and app client. The app client has SAML federation and Cognito user pool selected as Enabled Identity Providers. I use the Java API to provide authentication to my application and have my own screens to log in and register users. So I haven't hosted any UI in Cognito. My user pool doesn't have any required attributes, and only the email attribute is mapped with the SAML.

Q1 : If I am using SAML user pool federation, does it require the Cognito hosted UI?

Q2 : How can I perform authentication through the Java API with a SAML IdP, knowing the identifier value upfront from the user's email address?

Q3 : A typical user creation requires a temp password for the user to reset, as we use the USER_SRP_AUTH flow. In this case, how does the user pool determine which user should use which identity provider? How should I create a user in the user pool that should use SAML federation for authentication?

Q4 : Is it possible to pass the identifier value using the Java API as a query param in the authentication request? One of the AWS documentation pages asks to pass idp_identifier to the /authorize endpoint. Is this possible through the Java API?

Doc Ref : https://aws.amazon.com/blogs/mobile/amazon-cognito-user-pools-supports-federation-with-saml/

Thanks in advance

I will forward your questions to the Cognito team and get back with the answers.

Hi,

Here are the answers to your questions:
Q1 : If I am using SAML user pool federation, does it require the Cognito hosted UI?

A1: No, you can build your own UI.

Q2 : How can I perform authentication through the Java API with a SAML IdP, knowing the identifier value upfront from the user's email address?

A2: Don't understand the question.

Q3 : A typical user creation requires a temp password for the user to reset, as we use the USER_SRP_AUTH flow. In this case, how does the user pool determine which user should use which identity provider? How should I create a user in the user pool that should use SAML federation for authentication?

A3: The CUP (Cognito User Pool) will automatically create the user once the user logs in for the first time. You don't need to pre-create the user.

Q4 : Is it possible to pass the identifier value using the Java API as a query param in the authentication request? One of the AWS documentation pages asks to pass idp_identifier to the /authorize endpoint. Is this possible through the Java API?

A4: I believe the idp_identifier in the /authorize URL is for OAuth2 authentication (https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html).
In this case, OAuth2 uses a REST API to authenticate, while SAML uses XML assertions.
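The idp_identifier parameter discussed in A4 is accepted by the user pool's /oauth2/authorize endpoint, not by the InitiateAuth call behind USER_SRP_AUTH, so a desktop client that wants to route a user to a known SAML IdP has to open that endpoint in a browser and receive the redirect back. The following Java class is an added example (not code from the original thread or from this repository) that builds such a request with the authorization code flow, PKCE and a random state, then checks the state on the callback before preparing the /oauth2/token request body. The Cognito domain, client id, redirect URI and the identifier value `example.com` are placeholders; Cognito also accepts `identity_provider` with the provider name in place of `idp_identifier`.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example: builds a Cognito hosted-UI /oauth2/authorize request that routes the user to a
 * specific SAML IdP via idp_identifier (authorization code flow + PKCE + random state), then
 * validates the callback and prepares the /oauth2/token body. All identifiers below are placeholders.
 */
public class CognitoSamlAuthorizeUrl {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** Per-attempt secrets the client keeps until the browser redirects back. */
    public static final class PendingLogin {
        public final String state, codeVerifier;
        public final URI authorizeUri;
        PendingLogin(String state, String codeVerifier, URI authorizeUri) {
            this.state = state; this.codeVerifier = codeVerifier; this.authorizeUri = authorizeUri;
        }
    }

    /** 32 random bytes, base64url without padding: 43 chars, valid both as state and as PKCE verifier. */
    static String randomToken() {
        byte[] buf = new byte[32];
        RANDOM.nextBytes(buf);
        return B64URL.encodeToString(buf);
    }

    /** PKCE S256 challenge = BASE64URL(SHA-256(ASCII(code_verifier))), RFC 7636 section 4.2. */
    static String codeChallenge(String verifier) {
        try {
            return B64URL.encodeToString(MessageDigest.getInstance("SHA-256")
                    .digest(verifier.getBytes(StandardCharsets.US_ASCII)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    /** Builds https://{domain}/oauth2/authorize?...; idp_identifier sends the user straight to that SAML IdP. */
    public static PendingLogin build(String cognitoDomain, String clientId, String redirectUri,
                                     String idpIdentifier, String scope) {
        String state = randomToken(), verifier = randomToken();
        Map<String, String> p = new LinkedHashMap<>();
        p.put("response_type", "code");           // code flow; the implicit "token" flow would expose tokens in the URL
        p.put("client_id", clientId);
        p.put("redirect_uri", redirectUri);       // must exactly match a callback URL configured on the app client
        p.put("scope", scope);
        p.put("state", state);                    // bound to this attempt, checked in tokenRequestBody
        p.put("idp_identifier", idpIdentifier);   // placeholder: an email domain registered as identifier on the SAML IdP
        p.put("code_challenge_method", "S256");
        p.put("code_challenge", codeChallenge(verifier));
        StringBuilder q = new StringBuilder();
        for (Map.Entry<String, String> e : p.entrySet()) {
            if (q.length() > 0) q.append('&');
            q.append(enc(e.getKey())).append('=').append(enc(e.getValue()));
        }
        return new PendingLogin(state, verifier, URI.create("https://" + cognitoDomain + "/oauth2/authorize?" + q));
    }

    /** Checks the redirect back to the app and returns the form body for POST https://{domain}/oauth2/token. */
    public static String tokenRequestBody(PendingLogin pending, URI callback, String clientId, String redirectUri) {
        Map<String, String> q = parseQuery(callback.getRawQuery());
        if (q.containsKey("error")) throw new IllegalStateException("authorization failed: " + q.get("error"));
        String returned = q.get("state");
        if (returned == null || !MessageDigest.isEqual(returned.getBytes(StandardCharsets.UTF_8),
                pending.state.getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("state mismatch: this callback does not belong to the pending login");
        }
        String code = q.get("code");
        if (code == null) throw new IllegalStateException("callback carries no authorization code");
        return "grant_type=authorization_code&client_id=" + enc(clientId) + "&redirect_uri=" + enc(redirectUri)
                + "&code=" + enc(code) + "&code_verifier=" + enc(pending.codeVerifier);
    }

    static Map<String, String> parseQuery(String rawQuery) {
        Map<String, String> out = new LinkedHashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) return out;
        for (String pair : rawQuery.split("&")) {
            int i = pair.indexOf('=');
            String k = i < 0 ? pair : pair.substring(0, i), v = i < 0 ? "" : pair.substring(i + 1);
            out.put(URLDecoder.decode(k, StandardCharsets.UTF_8), URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return out;
    }

    public static void main(String[] args) {
        // Placeholder domain, client id, redirect URI and identifier; "example.com" is assumed to be the IdP identifier.
        PendingLogin login = build("auth.example.com", "1example23456789", "http://localhost:8080/callback",
                "example.com", "openid email");
        System.out.println("Open in the system browser: " + login.authorizeUri);
        // Constructed callback for the demo: Cognito echoes the state back together with the code.
        URI cb = URI.create("http://localhost:8080/callback?code=abc123&state=" + login.state);
        System.out.println("POST /oauth2/token body: "
                + tokenRequestBody(login, cb, "1example23456789", "http://localhost:8080/callback"));
    }
}
```

The class needs Java 10 or newer for the `Charset` overloads of `URLEncoder`/`URLDecoder`. In a real desktop app the authorize URI is opened in the system browser and the callback is received on a loopback listener at the configured redirect URI; the body returned by `tokenRequestBody` is then sent as `application/x-www-form-urlencoded` to the token endpoint, and the ID token's signature, issuer, audience and expiry are verified before any claims are trusted.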

Closing as solved.