Failure When Trying to Connect AWS Cognito to Auth0 - amazon-cognito

I’m trying to connect a user pool in my AWS Cognito instance to Auth0 following the instructions in the How do I set up Auth0 as a SAML identity provider with an Amazon Cognito user pool? article.
When I click Debug from the Addon: SAML2 Web App section with the following settings…
Application Callback URL: https://{amazonCognitoDomain}.auth.{awsRegion}.amazoncognito.com/saml2/idpresponse
Settings:
{
  "audience": "urn:amazon:cognito:sp:{cognitopoolId}",
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  },
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
}
… I’m taken to the following URL
https://{subDomain}.auth0.com/login?state={someState}&client={auth0ClientId}&protocol=samlp&response_type=code&redirect_uri=https%3A%2F%2Fmanage.auth0.com%2Ftester%2Fsamlp
Which gives me this:
Opening the console I can see the error reported is…
At least one email, sms or social connection needs to be available.
I’ve also tried saving the settings and continuing on with the instructions in the article but got this same error when testing from Cognito.
I have one database connection enabled (see below) under the application’s Connections tab (which should store the email) and both the social and sms options are disabled.
Any help is very much appreciated!!

You must configure an authentication source (a connection in Auth0).
You're configuring Cognito as a SAML SP and Auth0 as the IdP. Auth0 needs to be configured to authenticate users in some way.
If you are using your own database you need to ensure you are handling authentication through hooks (action scripts).
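The settings in the question are the IdP-side half of a contract that Cognito enforces when the SAML response comes back to /saml2/idpresponse: the Audience must be urn:amazon:cognito:sp:{poolId}, the Destination and Recipient must be the pool's ACS URL, and the email claim must be present under the mapped attribute name. The following is an added example (not code from the post, Auth0 or AWS) that checks a SAML response against those values so a mismatch can be found before testing from Cognito. The response XML, pool ID, domain and region are constructed sample values, and the sample is unsigned, so the check deliberately covers only the settings-level fields; signature verification needs an XML-DSig library and is out of scope here.

```python
"""Check a SAML Response against what a Cognito user pool expects from its IdP.

Added example, not from the original post. The sample below is constructed and
unsigned; only audience, ACS URL, NameID format, validity window and the email
claim are checked. Signature verification (e.g. with python-xmlsec) is omitted.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def cognito_sp(pool_id, domain, region):
    """The SP values Cognito publishes for a pool; the IdP settings must match them."""
    return {
        "audience": f"urn:amazon:cognito:sp:{pool_id}",
        "acs_url": f"https://{domain}.auth.{region}.amazoncognito.com/saml2/idpresponse",
    }


def _ts(value):
    """SAML timestamps are UTC ISO-8601 without fractional seconds here; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, sp, now):
    """Return a list of problems; an empty list means the response fits the SP."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    if root.get("Destination") != sp["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != ACS {sp['acs_url']!r}")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion"]
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != sp["audience"]:
        problems.append(f"Audience {getattr(aud, 'text', None)!r} != {sp['audience']!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        not_before = _ts(cond.get("NotBefore"))
        not_after = _ts(cond.get("NotOnOrAfter"))
        if not_before and now < not_before:
            problems.append("assertion not yet valid")
        if not_after and now >= not_after:
            problems.append("assertion expired")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs_url"]:
        problems.append("SubjectConfirmationData Recipient != ACS")
    elif _ts(scd.get("NotOnOrAfter")) and now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("subject confirmation expired")
    emails = [v.text for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == EMAIL_CLAIM for v in a.findall("saml:AttributeValue", NS)]
    if not emails:
        problems.append(f"no attribute named {EMAIL_CLAIM}")
    return problems


# Constructed sample: what a correctly configured IdP would post to the pool's ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://example-pool.auth.us-east-1.amazoncognito.com/saml2/idpresponse">
  <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">auth0|abc123</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"
          Recipient="https://example-pool.auth.us-east-1.amazoncognito.com/saml2/idpresponse"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:amazon:cognito:sp:us-east-1_EXAMPLE</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    sp = cognito_sp("us-east-1_EXAMPLE", "example-pool", "us-east-1")
    now = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)
    print(check_saml_response(SAMPLE_RESPONSE, sp, now) or "response matches the SP")
```

Run it with a real response captured from the browser's network tab (the base64 SAMLResponse form field, decoded) and the pool's actual ID, domain and region; any line it prints is a field to fix on the Auth0 side before looking elsewhere.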

Related

When is the SAML logout callback invoked with Auth0 as the SAML IdP?

I have Auth0 as SAML IdP, connected to an AWS Cognito User Pool used as Service Provider (SP).
Login works fine, but I am having trouble getting Auth0's SAML logout callback to fire at all.
I've followed the guide found here: https://auth0.com/docs/authenticate/login/logout/log-users-out-of-saml-idps#configure-slo-when-auth0-is-the-saml-idp
So far, I have configured a random URL hosted in AWS API Gateway, set up to log all incoming data so I can investigate further usage and payload. I have yet to get any data within this log. FYI, I have tested the endpoint using other means and it is working properly, logging all requests.
Should that work?
Does it have to match the Application's allowed logout URLs for it to work?
Should it be triggered when I call my logout endpoint with client_id properly defined (https://<account>.auth0.com/v2/logout?federated&client_id=XXX)?
What am I missing?
Thanks in advance.
PS: Question originally posted at https://community.auth0.com/t/when-is-the-saml-logout-callback-invoked-with-auth0-as-the-saml-idp/94504

How to get custom attributes back from AWS Cognito & OIDC when using AWS Amplify?

We're developing a website with AWS Amplify that uses Cognito to handle the authentication. I've configured the user pool in Cognito to use Keycloak as the OIDC IDP. The basics of logging in and out are all working as desired.
I now want to get more information back from Keycloak into the Amplify app. If I use https://openidconnect.net/ as a test point for authenticating to Keycloak as if it was Cognito, I can decode the JWT in https://jwt.io and see the additional information I'm after.
In Cognito, in General Settings > Attributes, I've added a custom attribute "groups":
In General settings > App clients, I've marked that attribute as readable:
Under Federation > Attribute mapping, I've mapped the OIDC attribute to the User pool attribute:
but, when I authenticate in the web application and dump the payloads for the ID and access tokens, I cannot see the "custom:groups" attribute.
What am I missing or misunderstanding here?
Thanks.

AWS Cognito use custom auth flow with external identity provider

Is it possible to use AWS Cognito with a custom authentication flow enabled while also using an external identity provider like Facebook or Google? I've tried this with Facebook and the Cognito Hosted UI, but my DefineAuthChallenge trigger was not hit.
I contacted AWS Support and they pointed me to the Cognito documentation here where a note says that
The Amazon Cognito hosted sign-in web page does not support the custom authentication flow.
As an alternative, this solution was proposed:
Alternatively, if you would like to use custom authentication flow with an external identity provider, you will have to write your own custom login flow using one of Cognito's SDKs and use Facebook as a way of login.
My idea is that you can probably do this by defining a custom challenge that asks which identity provider you want to use as the first, initial challenge. If Cognito is chosen, the user needs to provide their SRP stuff or username and password, if that is enabled. If Facebook is chosen, for example, you would probably need to send an auth challenge to the client saying that you want a token or code from them, which can only be obtained if the client shows the website with the Facebook login. The challenge response to the server would then be the obtained Facebook auth token or code, or some other answer that the server can then use to authenticate the user within Cognito, where the Facebook app is connected and registered as an external identity provider.
This is my idea of how I would go about to do this, but I haven't actually implemented this. I hope this helps someone trying to do this though.
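The three Lambda triggers that the idea above would need, as an added example (not code from the post author or AWS) written in Python so the state machine can be run offline. The event and response field names are the documented shapes of the DefineAuthChallenge, CreateAuthChallenge and VerifyAuthChallengeResponse triggers. The assumptions are: the pool's external providers are "facebook" and "google"; the client answers the challenge with "<issuer>:<token>"; and verify_external_token is a constructed HMAC check over an "issuer.subject.signature" string that stands in for validating the token with the real provider (for Facebook that would be a call to its token-debug endpoint). Nothing is accepted until that server-side check passes, and repeated bad answers fail the authentication instead of looping.

```python
"""Cognito custom auth challenge triggers that accept an external IdP token.

Added example for the flow sketched above; not code from AWS or the post author.
verify_external_token is a constructed stand-in for provider-side validation.
"""
import hashlib
import hmac
import json

MAX_ATTEMPTS = 3
CHALLENGE = "CUSTOM_CHALLENGE"
TRUSTED_ISSUERS = {"facebook", "google"}  # assumption: the pool's configured IdPs
_DEMO_KEY = b"constructed-demo-key"       # stands in for the provider's verification


def mint_demo_token(issuer, subject):
    """Constructed helper so the flow can be exercised without a real IdP."""
    sig = hmac.new(_DEMO_KEY, f"{issuer}.{subject}".encode(), hashlib.sha256).hexdigest()
    return f"{issuer}.{subject}.{sig}"


def verify_external_token(token, expected_issuer):
    """Return the subject if the token is well-formed and its MAC checks out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    issuer, subject, sig = parts
    expected = hmac.new(_DEMO_KEY, f"{issuer}.{subject}".encode(), hashlib.sha256).hexdigest()
    if issuer != expected_issuer or not hmac.compare_digest(sig, expected):
        return None
    return subject


def define_auth_challenge(event, context=None):
    """Decide the next step from the session history Cognito passes in."""
    session = event["request"]["session"]
    resp = event["response"]
    resp["issueTokens"] = False
    resp["failAuthentication"] = False
    failed = [s for s in session if s["challengeName"] == CHALLENGE and not s["challengeResult"]]
    if session and session[-1]["challengeName"] == CHALLENGE and session[-1]["challengeResult"]:
        resp["issueTokens"] = True          # external token verified: issue Cognito tokens
    elif len(failed) >= MAX_ATTEMPTS:
        resp["failAuthentication"] = True   # stop after repeated bad tokens
    else:
        resp["challengeName"] = CHALLENGE   # ask (again) for an IdP token
    return event


def create_auth_challenge(event, context=None):
    """Tell the client which providers it may use; the allow-list stays server-side."""
    resp = event["response"]
    resp["publicChallengeParameters"] = {
        "challenge": "EXTERNAL_IDP_TOKEN",
        "providers": ",".join(sorted(TRUSTED_ISSUERS)),
    }
    # private parameters must be strings, so the list is JSON-encoded
    resp["privateChallengeParameters"] = {"allowedIssuers": json.dumps(sorted(TRUSTED_ISSUERS))}
    resp["challengeMetadata"] = "EXTERNAL_IDP_TOKEN"
    return event


def verify_auth_challenge_response(event, context=None):
    """Answer is '<issuer>:<token>'; accept only a token that verifies for a trusted issuer."""
    req = event["request"]
    allowed = set(json.loads(req["privateChallengeParameters"]["allowedIssuers"]))
    issuer, _, token = req["challengeAnswer"].partition(":")
    subject = verify_external_token(token, issuer) if issuer in allowed else None
    event["response"]["answerCorrect"] = subject is not None
    return event


def run_flow(answers):
    """Drive the three triggers the way Cognito would; returns (issued, failed)."""
    session = []
    for answer in answers:
        ev = {"request": {"session": list(session)}, "response": {}}
        define_auth_challenge(ev)
        if ev["response"]["issueTokens"] or ev["response"]["failAuthentication"]:
            return ev["response"]["issueTokens"], ev["response"]["failAuthentication"]
        created = create_auth_challenge({"request": {}, "response": {}})
        verified = verify_auth_challenge_response({
            "request": {"challengeAnswer": answer,
                        "privateChallengeParameters": created["response"]["privateChallengeParameters"]},
            "response": {}})
        session.append({"challengeName": CHALLENGE,
                        "challengeResult": verified["response"]["answerCorrect"],
                        "challengeMetadata": created["response"]["challengeMetadata"]})
    final = {"request": {"session": session}, "response": {}}
    define_auth_challenge(final)
    return final["response"]["issueTokens"], final["response"]["failAuthentication"]


if __name__ == "__main__":
    print(run_flow(["facebook:" + mint_demo_token("facebook", "user-1")]))   # (True, False)
    print(run_flow(["facebook:facebook.user-1.bad"] * 3))                     # (False, True)
```

The important property is that the client never decides the outcome: it only relays a token, and VerifyAuthChallengeResponse sets answerCorrect from a server-side check, while DefineAuthChallenge caps the number of attempts. A real deployment would replace verify_external_token with a call to the provider and link the verified subject to a pool user before issuing tokens.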

AWS Cognito Mobile Hub

I need to log in users via Instagram for my mobile application so I can make calls to the Instagram API and get some information from Instagram. Simply put, my application will ask the user to authorize Instagram access and will be able to get an access token for API calls. The application should not ask the user to log in again once the user is authorized. I already set up my Instagram client app to implement the server-side authentication flow.
My challenge is that I want to do this by using AWS mobile services. I already set up custom authentication from Mobile Hub and came to the point where I need to define my custom authentication flow (in this case the Instagram authentication flow). Under the AWS Cognito app, when I go to the Triggers tab, I see different options for defining lambda functions associated with my authentication (such as pre/post auth or define / create / verify auth challenge). I am not sure how to align the Instagram authentication flow with these functions, or whether I should use something else. Also I am not clear on how AWS Cognito manages the authentication flow: I don't want my users to go through the authorization process every time they start my application. I believe AWS Cognito links users from my custom flow to some Cognito identity and is able to authenticate them when they use my application. I really appreciate any suggestions, or even a code sample (if available).
Check this document for Cognito Identity. Instagram is not there by default, so you have to use an external identity provider, most probably via OpenID Connect providers.

Incremental OAuth consent with Microsoft Graph api

We have an app in Azure AD that uses the Microsoft Graph API. The app is working successfully using 4 basic permissions: email, profile, User.Read, User.ReadBasic.All.
These permissions let normal users (non-admins) authenticate into our app via OAuth.
We are now building a feature for admin users that lets them see their groups. The groups scope requires admin consent as per: http://graph.microsoft.io/en-us/docs/authorization/permission_scopes
The sticky point is that if I add the Group.Read.All permission under delegated permissions in Azure AD, this causes normal users to be able to login with the dreaded error "AADSTS90093: Calling principal cannot consent due to lack of permissions".
I have tried manually crafting OAuth authorize urls that explicitly request the scope, but that did not work either. Here is a sample url I used:
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&redirect_uri=https%3A%2F%2Fl.xxxxxx.com%3A50000%2Fauth%2Fmicrosoft_graph%2Fcallback&client_id=xxxxxx-xxx-xxx-xxx-xxxx&scope=https%3A%2F%2Fgraph.microsoft.com%2Femail%20https%3A%2F%2Fgraph.microsoft.com%2Fprofile%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FGroup.Read.All
How can I require basic permissions for all users but have admins request additional permissions later on in the application?
Some resources I've already reviewed to no avail:
http://www.mikepackdev.com/blog_posts/2-Dynamically-Requesting-Facebook-Permissions-with-OmniAuth
https://azure.microsoft.com/en-us/documentation/samples/active-directory-dotnet-webapp-openidconnect-v2/
Switching between web and touch interfaces on Facebook login using Omniauth and Rails 3
https://github.com/zquestz/omniauth-google-oauth2/issues/143
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/
https://github.com/Azure/azure-content/blob/master/articles/active-directory/active-directory-devhowto-multi-tenant-overview.md
The Azure AD v2.0 endpoint already supports incremental and dynamic consent. You can register the app to use the Azure AD v2.0 authentication endpoint from here.
We can provide two buttons, one for normal users and one for admins, to log in. Here are the steps using the v2.0 endpoint for normal users to log in, for your reference:
1. Sign in and get the OAuth code:
GET: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={clientId}&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&response_type=code+id_token&redirect_uri={redirectUri}&nonce=678910
2. Request the access token:
POST: https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id={clientId}&scope=openid%20https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite%20https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadBasic.All%20https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&code={codeFromPreviousRequest}&redirect_uri={redirectUri}&grant_type=authorization_code&client_secret={client_secret}
And for the admin to log in, we just add the additional scope to the above requests. Here are some helpful articles about this topic:
What's different about the v2.0 endpoint?
v2.0 Protocols - OpenID Connect
v2.0 Protocols - OAuth 2.0 Authorization Code Flow
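The two-button approach above, as an added example that is not part of the answer or Microsoft's code: every user is sent through the authorize endpoint with the baseline scopes, and only the admin button requests Group.Read.All, so non-admins never trigger the consent failure. The example builds both v2.0 authorize requests with a state value and PKCE (S256), checks the redirect back for that state and for an error parameter, and reads the granted `scope` list out of the token response before enabling the groups feature. CLIENT_ID, REDIRECT_URI and the token responses are constructed sample values; it assumes the v2.0 token response lists granted Graph scopes as a space-separated string, with or without the https://graph.microsoft.com/ prefix.

```python
"""Incremental consent against the Azure AD v2.0 endpoint.

Added example, not code from the answer above or from Microsoft. CLIENT_ID,
REDIRECT_URI and the token responses in the tests are constructed values.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
GRAPH = "https://graph.microsoft.com/"
BASE_SCOPES = ["openid", "email", "profile", "User.Read", "User.ReadBasic.All"]
ADMIN_SCOPES = BASE_SCOPES + ["Group.Read.All"]   # needs admin consent
CLIENT_ID = "00000000-0000-0000-0000-000000000000"                          # constructed
REDIRECT_URI = "https://app.example.com/auth/microsoft_graph/callback"      # constructed
OIDC_SCOPES = ("openid", "email", "profile", "offline_access")


def _graph_scope(scope):
    """OIDC scopes are sent bare; Graph permissions carry the resource prefix."""
    return scope if scope in OIDC_SCOPES else GRAPH + scope


def pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authorize_url(scopes, state, code_challenge, nonce):
    """Build the v2.0 authorize request for the given scope set."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(_graph_scope(s) for s in scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE + "?" + urlencode(params)


def requested_scopes(url):
    """Scopes as they appear in an authorize URL (decoded)."""
    query = parse_qs(urlparse(url).query)
    return query["scope"][0].split(" ")


def callback_ok(callback_url, expected_state):
    """Reject the redirect unless state matches and a code (not an error) came back."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        return False, "state mismatch"
    if "error" in query:
        return False, query["error"][0]      # e.g. access_denied for the AADSTS90093 case
    return "code" in query, ""


def granted_scopes(token_response):
    """Assumption: `scope` is space-separated; Graph names may or may not be prefixed."""
    return {s.replace(GRAPH, "") for s in token_response.get("scope", "").split()}


def admin_feature_enabled(token_response):
    """Only show the groups feature when Group.Read.All was actually granted."""
    return "Group.Read.All" in granted_scopes(token_response)


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    print("normal user button ->", authorize_url(BASE_SCOPES, state, challenge, "n1"))
    print("admin button       ->", authorize_url(ADMIN_SCOPES, state, challenge, "n1"))
```

The token exchange itself is the POST from step 2 with code_verifier added; whatever the app requested, the feature gate should read the scopes the token endpoint actually granted rather than the ones the button asked for.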