Set Up Amazon Cognito for Federated Authentication Using Azure AD

Purpose

This guide outlines the key steps to configure AWS Cognito to use Azure AD as a federated identity provider for authenticating users.

 

Audience

• IT Staff
• Admins

Considerations

• SAML Attribute Mapping Pitfalls: Even if authentication works, incorrect attribute mapping can cause user access issues. Ensure that Azure AD is sending attributes in the format Cognito expects (e.g., email vs. user.email). Test with different user roles to verify claims are mapped correctly.
• Session Management & Token Expiry: AWS Cognito has default token expiration settings (ID, access, and refresh tokens) that may not align with Azure AD’s session policies. Misalignment can cause unexpected logouts or authentication failures, especially in long-lived sessions or mobile applications.
• Troubleshooting Federated Login Issues: If authentication fails, debugging SAML responses is critical. Use browser developer tools or a SAML-tracing tool to inspect the SAML assertion payload, validate the Issuer and Audience fields, and check for missing attributes. Azure AD sign-in logs and AWS CloudTrail can also provide insights into failed login attempts.

Table of Contents

• Step 1: Configure AWS Cognito
  
  
  1. Create a User Pool
  2. Configure Domain
  3. Create an App Client
     
     
• Step 2: Configure Azure AD
  
  
  1. Create an Enterprise Application
  2. Configure SAML
  3. Federation Metadata
  4. Map Attributes
     
     
• Step 3: Link Azure AD to Cognito
  
  
  1. Add Identity Provider
  2. Enable Identity Provider
     
     
• Step 4: Configure SSO Credentials in Portal (db)
  
  
  1. Collect Information
  2. Insert fields in companies collection, in desired company record

Instructions / How to

Step 1: Configure AWS Cognito

 

1. Create a User Pool:

• • • • Go to AWS Cognito > User Pools.
      • Select Traditional web application as Application type option.
      • Select Email for the Options for sign-in identifiers option.
      • Select Email for the Required attributes for sign-up option.
      • Enter PORTAL_BASE_URL/auth-callback in Add a return URL (i.e. https://dev-woundcare.com/callback)

 

• • • • Copy the User Pool ID (e.g., us-east-2_XaHC0UF3k ) for later use and format it as urn:amazon:cognito:sp:<user-pool-id>. For Example, it becomes urn:amazon:cognito:sp:us-east-2_XaHC0UF3k.

 

2. Configure Domain:

• • • • Navigate to User Pool > Branding > Domain from the sidebar.
      • Copy the domain under Cognito domain (e.g., https://us-east-2xahc0uf3k.auth.us-east-2.amazoncognito.com).
      • This URL will serve as the Reply URL when configuring Azure AD as follows:

        • DOMAIN/saml2/idpresponse

        • For example: https://us-east-2xahc0uf3k.auth.us-east-2.amazoncognito.com/saml2/idpresponse.

 

3. Create an App Client:

• • • • Go to App Clients.
      • Select Traditional web application as Application type option.
      • Enter PORTAL_BASE_URL/auth-callback in Add a return URL (i.e. https://dev-woundcare.com/callback)
      • Confidential app client to generate a client secret.

 

Step 2: Configure Azure AD

 

1. Create an Enterprise Application:

• • • • Log in to the (https://portal.azure.com) Azure Portal > Enterprise Applications.

• • • • Go to New Application
      • Create a new application and name it  (e.g., "Cognito SSO").
      • Select "Integrate any other application" and create.

 

2. Configure SAML:

• • • • Select Single Sign-on > SAML.

• • • • Edit the basic SAML Configuration:
        • • Identifier (Entity ID): Use the Cognito user pool ID in the format: urn:amazon:cognito:sp:<user-pool-id> (from Step 1.1)
          • Reply URL: Use the Cognito domain URL from Step 1.2
      • Save changes.

 

3. Federation Metadata:

• • • • Copy the App Federation Metadata URL or download the XML file.
      • This metadata will be uploaded to Cognito.

 

4. Map Attributes:

• • • • Edit Attributes and Claims.
      • Map desired claims and note the claim URL for later use.

 

Step 3: Link Azure AD to Cognito

 

1. Add Identity Provider:

• • • • Go to the Cognito user pool > Authentication > Social and external providers > Add identity provider.
      • Select SAML.
      • Provide a name (e.g., AzureAD).
      • Upload the Azure metadata URL from Step 2.3
      • Map attributes (e.g., map Azure's email claim to Cognito's email attribute).

 

2. Enable Identity Provider:

• • • • In App Clients > App Client > Login pages.
      • Click Edit button on left side of Managed login pages configuration.
      • Select the provider you added e.g., Cognito SSO
      • In OAuth 2.0 grant types, select Implicit grant.
      • In OpenID Connect scopes select Email, OpenID and Profile.

 

Step 4: Configure SSO Credentials in Portal (db)

 

1. Collect Information:

a. Go to Amazon Cognito > User Pools > [user pool] > App Clients

i. Copy Client ID

ii. Copy Client secret

b. In Quick setup guide (there will be example code below) and look for issuerURL 

i. Copy issuerURL

1. e.g. issuerURL = "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_XaHC0UF3k"

2. Insert these fields in companies collection, in desired company record:

"aws_sso_credentials": {
    "app_client_id": "<From Step 4.a.i>",
    "app_client_secret": "<Form Step 4.a.ii>",
    "issuer_url": "<From Step 4.b.i>"
  }
Example:

"aws_sso_credentials": {     "app_client_id": "1bescfgpcesikes0fnr37d6d83",     "app_client_secret": "ssthl2tak2mnvekuv2gdav2a0pcml2cob9gv3tmst8afm8v379v",     "issuer_url": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_tyhNhw1ew"   }

 

This completes the configuration of Amazon Cognito with Azure AD for federated authentication.

 

 

Our support team is available to help with any questions or concerns at support@doctornow.io

© 2025 DocNow. All rights reserved. Unauthorized reproduction, distribution, or use of this content is prohibited.