SAML Azure AD SSO Authentication and AWS Cognito - amazon-cognito

Followed this article, Azure AD SSO AWS Cognito, created a user pool in AWS Cognito and an Enterprise application in Azure.
Clicked 'Test single sign on' in SSO, logged in with the user I had added, and I am getting the error "Required String parameter 'RelayState' is not present" after it redirects to the following URL: https://domainname.auth.us-east-1.amazoncognito.com/error?null. When I logged in with an invalid user, I received the message 'User is not assigned to a role for the application', which is correct.
Is there anything I am missing here? Please help.

If you did everything right, then you should trigger the login from Cognito.

Related

Failure When Trying to Connect AWS Cognito to Auth0

I’m trying to connect a user pool in my AWS Cognito instance to Auth0 following the instructions in the How do I set up Auth0 as a SAML identity provider with an Amazon Cognito user pool? article.
When I click Debug from the Addon: SAML2 Web App section with the following settings…
Application Callback URL: https://{amazonCognitoDomain}.auth.{awsRegion}.amazoncognito.com/saml2/idpresponse
Settings
{
"audience": "urn:amazon:cognito:sp:{cognitopoolId}",
"mappings": {
"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
},
"nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
}
… I’m taken to the following URL
https://{subDomain}.auth0.com/login?state={someState}&client={auth0ClientId}&protocol=samlp&response_type=code&redirect_uri=https%3A%2F%2Fmanage.auth0.com%2Ftester%2Fsamlp
Which gives me this:
Opening the console I can see the error reported is…
At least one email, sms or social connection needs to be available.
I’ve also tried saving the settings and continuing on with the instructions in the article but got this same error when testing from Cognito.
I have one database connection enabled (see below) under the application’s Connections tab (which should store the email) and both the social and sms options are disabled.
Any help is very much appreciated!!
You must configure an authentication source (a connection in Auth0).
You're configuring Cognito as a SAML SP and Auth0 as the IdP. Auth0 needs to be configured to authenticate users in some way.
If you are using your own database, you need to ensure you are handling authentication through hooks (action scripts).

Auth0 as front end to log in Cognito users

I have an Android app and an API secured with Auth0.
I'm developing an app for a new client, who has a large Cognito user pool.
Is it possible to use my current Auth0 setup to log in Cognito users via email/password and receive an Auth0 JWT?
I don't want to create a new Auth0 user for each Cognito user. At least not explicitly.
Thanks
If I understand you correctly, you want to use Auth0 as a service provider and AWS Cognito as an identity provider. In theory, you can use the SAML protocol to achieve that. Try the following:
Configure Auth0 as a SAML service provider: https://auth0.com/docs/protocols/saml/saml-sp-generic
Configure AWS Cognito as the identity provider: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-console.html
Then, once you initiate the login flow in Auth0, users will be redirected to AWS Cognito for user authentication. After successful user authentication, AWS should redirect the user to Auth0 with a SAML assertion. At that stage, Auth0 will validate the assertion and will issue a JWT. The user will be redirected to your application with the JWT. Note that if this is the first login, Auth0 will create a user profile.
https://auth0.com/docs/protocols/saml
The following AWS documentation explains how to configure Auth0 as the IdP:
https://aws.amazon.com/premiumsupport/knowledge-center/auth0-saml-cognito-user-pool/

aws cognito user pool domain - Invalid_Request

I have created a user pool and set up a domain with app client settings () to host the sign-up and sign-in pages in Cognito itself. When I tried using a URL similar to
https://myDomain.auth.us-east-1.amazoncognito.com/login?response_type=code&client_id=fkjfkasjfkasjfdweinfskfsfsfnk&redirect_uri=https://google.com
in the browser, I am redirected to
https://myDomain.auth.us-east-1.amazoncognito.com/error?error=invalid_request#
Note: I tried using the Cognito User Pool and Facebook identity providers without OAuth2 enabled.
Am I missing something?
It works for me with the following User Pool settings.
App integration > App client settings
  Enabled Identity Providers: ☑ Facebook  ☑ Cognito User Pool
  Callback URL(s): https://google.com
  OAuth 2.0
    Allowed OAuth Flows: ☑ Authorization code grant  ☐ Implicit grant  ☐ Client credentials
    Allowed OAuth Scopes: ☐ phone  ☐ email  ☑ openid  ☐ aws.cognito.signin.user.admin  ☐ profile
You're doing everything correctly from what you've described, but you should check the following:
Have you added https://google.com in App Client Settings as a Callback URL?
Have you checked your identity provider under Enabled Identity Providers?
In Allowed OAuth Flows, you must have checked "Authorization code grant".
In my case it was a required attribute (Name) that was set to Mutable: False.
After login, the user was prompted to reset their temporary password and set the name.
On form submission, an "An error was encountered with the requested page" error appeared.
Making the Name attribute editable fixed the issue.
Enable "Authorization code grant" under Allowed OAuth Flows in the App Client Settings tab.
Change the redirect_uri to something like
https://myDomain.auth.us-east-1.amazoncognito.com/login?response_type=code&client_id=fkjfkasjfkasjfdweinfskfsfsfnk&redirect_uri=https://myDomain.auth.us-east-1.amazoncognito.com
This worked for me.
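The answers in this thread, and the "trigger the login from Cognito" advice in the RelayState thread at the top of the page, all come down to the same thing: the request sent to the Cognito hosted UI must agree with the app client's configuration, and the flow should start at Cognito. The following Python is an added example (not code from any of the posters) that builds a Cognito authorization URL and pre-checks it against a constructed copy of the app client settings shown above, so the `error=invalid_request` redirect can be diagnosed before a browser ever sees it. It uses the `/oauth2/authorize` endpoint rather than `/login` because that endpoint accepts the `identity_provider` parameter for starting an SP-initiated SAML login; the domain, client ID and callback list are placeholders taken from the thread, and `state` plus PKCE are added as the standard protections for a public client.

```python
"""Build a Cognito hosted-UI authorization URL and pre-check it against the
app client settings. Added example; nothing here talks to AWS."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the app client settings listed in the answer above
# (domain and client_id are the placeholders from the thread, not real values).
APP_CLIENT = {
    "domain": "myDomain.auth.us-east-1.amazoncognito.com",
    "client_id": "fkjfkasjfkasjfdweinfskfsfsfnk",
    "callback_urls": {"https://google.com"},
    "allowed_flows": {"code"},            # "Authorization code grant" checked
    "allowed_scopes": {"openid"},         # only "openid" checked
    "identity_providers": {"COGNITO", "Facebook"},
}


def check_request(client, redirect_uri, response_type, scopes, idp=None):
    """Return the reasons Cognito would answer with error=invalid_request.

    An empty list means the request is consistent with the app client.
    """
    problems = []
    if redirect_uri not in client["callback_urls"]:
        problems.append("redirect_uri is not a registered callback URL")
    if response_type not in client["allowed_flows"]:
        problems.append(f"flow '{response_type}' is not enabled under Allowed OAuth Flows")
    for scope in scopes:
        if scope not in client["allowed_scopes"]:
            problems.append(f"scope '{scope}' is not enabled under Allowed OAuth Scopes")
    if idp is not None and idp not in client["identity_providers"]:
        problems.append(f"identity provider '{idp}' is not enabled on the app client")
    return problems


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) for a public client."""
    verifier = secrets.token_urlsafe(64)           # 86 chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client, redirect_uri, scopes=("openid",), idp=None,
                        state=None, code_challenge=None):
    """Build the SP-initiated login URL, refusing requests the client would reject."""
    problems = check_request(client, redirect_uri, "code", scopes, idp)
    if problems:
        raise ValueError("; ".join(problems))
    params = {
        "response_type": "code",
        "client_id": client["client_id"],
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        # state binds the callback to this browser session (CSRF protection)
        "state": state or secrets.token_urlsafe(16),
    }
    if code_challenge:
        params["code_challenge_method"] = "S256"
        params["code_challenge"] = code_challenge
    if idp:
        # Starting here, rather than at the IdP, is the "trigger the login
        # from Cognito" advice: Cognito sets RelayState itself.
        params["identity_provider"] = idp
    return f"https://{client['domain']}/oauth2/authorize?" + urlencode(params)


def query_params(url):
    """Parse the query string of a built URL into {name: value} for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    print(check_request(APP_CLIENT, "https://example.org", "token", ["openid", "email"]))
    _verifier, challenge = pkce_pair()
    print(build_authorize_url(APP_CLIENT, "https://google.com", idp="Facebook",
                              code_challenge=challenge))
```

The `check_request` list mirrors the three questions the answer asks (callback URL registered, provider enabled, authorization code grant allowed); keep the code verifier from `pkce_pair` for the later `/oauth2/token` call, and compare the `state` on the callback with the one you sent before exchanging the code.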

Amazon Cognito Authenticated User with Auth0

I've been trying to use the authentication code provided by Auth0 and AWS Cognito to authenticate a user, but when I go to the AWS Cognito console dashboard I see that no identities have been created.
The logic flow should be this: I get my JWT from Auth0 when a user logs in and I use that to get my AWS Cognito credentials. I use the following code:
using Amazon;
using Amazon.CognitoIdentity;

// Exchange the Auth0 id_token for temporary AWS credentials from the identity pool.
CognitoAWSCredentials credentials = new CognitoAWSCredentials(
    "us-east-1:11047a24-xxxx-xxxx-xxxx-111111111", // Identity Pool ID
    RegionEndpoint.USEast1);                        // Region
// Key is the provider name registered on the identity pool (the Auth0 domain).
credentials.AddLogin("stef.auth0.com", id_token1); // id_token1 from Auth0
I did input the JWT (id_token1) into jwt.io to check its validity and it comes back VALID SIGNATURE when I add the Auth0 client secret. I am not able to see any errors when I run the code. I am using Xamarin C#. I did all the necessary setup: configuring the provider, setting up the default IAM roles for Cognito Auth/Unauth, putting the correct Auth0 client ID into AWS, etc. I can, however, add an unauthenticated user but not an authenticated user.
Am I using the wrong code here? Can someone point me in the right direction, please?
Thank you for looking!

Azure AD Authentication on Third Party AD Tenant

In my case there is already an existing tenant of an organization. We are supposed to use that AAD tenant for authentication purposes since it already has the users needed to authenticate. However, I do not have Global admin rights on that AAD tenant. I can create an application on that AAD tenant. I have also created a website that uses that AAD tenant to authenticate. When I run the website in the browser, it redirects to a login page. I am able to authenticate myself on that AAD tenant and can see the home page of the website. But when my colleagues try to log in using the same URL for the website, it redirects to a login page; however, when they enter their username and password it gives the following error:
"AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators."
Kindly suggest a solution for the issue.
Note: I am using VS 2013 for this project.
#Juan: Finally figured out the solution. You need to request the global administrator of the Azure AD to enable WS Federation for your application on the respective AD tenant.