AWS Cognito

User Pool Instructions

Create or use an existing user pool.

Create an App client under Applications > App clients.

  • Select “Traditional web application”.

  • Give the application a friendly name.

  • Skip the Return URL for now; it is added later, once the Cloud SSO record has been created and has a Return URL of its own.

  • Click “Create app client”.

Ensure that you have a domain set up (either a free Cognito domain or a Custom domain) under Branding > Domain.

Configuration Values

Obtain configuration values for Cloud SSO from the following places:

  • Discovery Domain: In the user pool, go to Overview and copy the Token signing key URL. Paste it into the Discovery Domain field, then press “Discover…”. The remaining URLs and the Issuer are read from the discovery document.

  • Authorization URL: Should be auto-populated from the discovery document. Otherwise, enter it manually as https://<YOUR_DOMAIN>/oauth2/authorize

  • Token URL: Should be auto-populated from the discovery document. Otherwise, enter it manually as https://<YOUR_DOMAIN>/oauth2/token

  • Userinfo URL: Should be auto-populated from the discovery document. Otherwise, enter it manually as https://<YOUR_DOMAIN>/oauth2/userinfo

  • Issuer: Should be auto-populated from the discovery document. To obtain the Issuer manually, take the Token signing key URL from before and remove the trailing /.well-known/jwks.json section. The remaining URL has the format https://cognito-idp.<AWS_REGION_KEY>.amazonaws.com/<USER_POOL_ID>

  • Scopes: Enter this value exactly: openid profile email

  • Client ID: In Applications > App clients > Select the app client for Cloud SSO, then copy the Client ID value.

  • Client Secret: In Applications > App clients > Select the app client for Cloud SSO, then copy the Client secret value.

  • Enable PKCE: On

  • Enable Response Mode Form Post: Off

  • Enable Token Endpoint Basic Auth: Off
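The values above come from the user pool's OIDC discovery document, and the Issuer is simply the Token signing key URL without its /.well-known/jwks.json suffix. The following Python is an added example, not part of this page or of Cognito or Cloud SSO; it reads a constructed sample discovery document (placeholder region, user pool id and Cognito domain), derives the same fields the list above asks for, cross-checks that the Issuer agrees with the JWKS URL and matches the Cognito user pool format, and then assembles an authorization request that reflects the settings above (authorization code flow, scopes openid profile email, PKCE with S256, no form_post). The function names and the sample values are assumptions made for the example.

```python
import base64
import hashlib
import json
import re
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample of a Cognito OIDC discovery document. Region, user pool id
# and Cognito domain are placeholders, not values from a real deployment.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE1",
    "authorization_endpoint": "https://example-sso.auth.us-east-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example-sso.auth.us-east-1.amazoncognito.com/oauth2/token",
    "userinfo_endpoint": "https://example-sso.auth.us-east-1.amazoncognito.com/oauth2/userinfo",
    "jwks_uri": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE1/.well-known/jwks.json",
})

JWKS_SUFFIX = "/.well-known/jwks.json"
# https://cognito-idp.<AWS_REGION_KEY>.amazonaws.com/<USER_POOL_ID>, pool ids look like <region>_<id>
ISSUER_RE = re.compile(r"^https://cognito-idp\.([a-z0-9-]+)\.amazonaws\.com/([a-z0-9-]+_[A-Za-z0-9]+)$")
SCOPES = "openid profile email"  # the exact Scopes value the Cloud SSO record expects


def issuer_from_jwks_url(jwks_url: str) -> str:
    """Derive the Issuer from the Token signing key URL by removing the JWKS suffix."""
    if not jwks_url.endswith(JWKS_SUFFIX):
        raise ValueError("not a Cognito token signing key URL: " + jwks_url)
    return jwks_url[: -len(JWKS_SUFFIX)]


def parse_issuer(issuer: str) -> tuple:
    """Return (region, user pool id) or raise if the issuer is not a Cognito user pool."""
    m = ISSUER_RE.match(issuer)
    if not m:
        raise ValueError("issuer does not match the Cognito user pool format: " + issuer)
    return m.group(1), m.group(2)


def config_from_discovery(document: str) -> dict:
    """Extract the Cloud SSO fields from a discovery document and cross-check them.

    A mis-pasted or tampered document is rejected: every endpoint must be https,
    the three oauth2 endpoints must share one Cognito domain, and the issuer must
    agree with the jwks_uri that the signing keys will be fetched from.
    """
    doc = json.loads(document)
    required = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")
    missing = [k for k in required if k not in doc]
    if missing:
        raise ValueError("discovery document is missing: " + ", ".join(missing))
    for key in required:
        if urlsplit(doc[key]).scheme != "https":
            raise ValueError(f"{key} is not https: {doc[key]}")
    if doc["issuer"] != issuer_from_jwks_url(doc["jwks_uri"]):
        raise ValueError("issuer does not match jwks_uri")
    parse_issuer(doc["issuer"])  # raises if it is not a Cognito user pool issuer
    hosts = {urlsplit(doc[k]).netloc for k in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")}
    if len(hosts) != 1:
        raise ValueError("oauth2 endpoints are spread over several domains: " + ", ".join(sorted(hosts)))
    return {
        "Authorization URL": doc["authorization_endpoint"],
        "Token URL": doc["token_endpoint"],
        "Userinfo URL": doc["userinfo_endpoint"],
        "Issuer": doc["issuer"],
        "Scopes": SCOPES,
    }


def pkce_challenge(code_verifier: str) -> str:
    """S256 code challenge: base64url(SHA-256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple:
    """Fresh verifier (86 url-safe chars, inside RFC 7636's 43..128 range) and its challenge."""
    verifier = secrets.token_urlsafe(64)
    return verifier, pkce_challenge(verifier)


def build_authorize_url(cfg: dict, client_id: str, return_url: str, state: str, code_challenge: str) -> str:
    """Authorization request for the settings above: code flow, PKCE S256, default (query) response mode."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": return_url,  # must be listed under Allowed callback URLs in Cognito
        "scope": cfg["Scopes"],
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return cfg["Authorization URL"] + "?" + urlencode(params)


if __name__ == "__main__":
    cfg = config_from_discovery(SAMPLE_DISCOVERY)
    for field, value in cfg.items():
        print(f"{field}: {value}")
    verifier, challenge = new_pkce_pair()
    print(build_authorize_url(cfg, "CLIENT_ID_PLACEHOLDER", "https://cloud-sso.example/callback",
                              secrets.token_urlsafe(16), challenge))
```

The cross-checks matter because the Issuer is later compared against the iss claim of every token and the JWKS URL decides which keys are trusted; if the two disagree, tokens from one pool would be verified with another pool's keys. The code_verifier must be kept server-side and sent with the token request, which is what Enable PKCE: On makes Cloud SSO do.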

After saving, reopen the directory record for editing and copy its Return URL value.

In Cognito, under Applications > App clients > Select the app client for Cloud SSO > Login pages, in the Managed login pages configuration box click Edit.

Add the Return URL you copied to the Allowed callback URLs section, then press Save changes.

Claims Mapping

Map the following claims:

Field         Claim Name    Location
External ID   sub           Access Token
Username      email         ID Token
Email         email         ID Token
First Name    given_name    ID Token
Last Name     family_name   ID Token
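The mapping above takes the External ID from the access token and the remaining fields from the ID token. The following Python is an added example, not part of this page or of Cognito or Cloud SSO; it applies that table to two constructed, already signature-verified token payloads (placeholder user pool, client id and person), after checking the claims a relying party must check before trusting either token: iss equals the Issuer, the ID token's aud and the access token's client_id equal the app client's Client ID, token_use distinguishes the two tokens, neither has expired, and both carry the same sub. Requiring email_verified before using email as the Username is an extra check added here, not something the page states. Signature verification against the Token signing key URL is assumed to have happened already; the function names are assumptions made for the example.

```python
import time

# Constructed sample values; the user pool, client id and person are placeholders.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE1"
CLIENT_ID = "1example23456789abcdefghijklmn"  # the app client's Client ID
NOW = 1_700_000_000

# Decoded payload of a Cognito access token (constructed). Cognito access tokens
# carry the client in "client_id" and mark themselves with token_use "access".
SAMPLE_ACCESS_CLAIMS = {
    "sub": "c0ffee00-1111-2222-3333-444444444444",
    "iss": ISSUER,
    "client_id": CLIENT_ID,
    "token_use": "access",
    "scope": "openid profile email",
    "exp": NOW + 3600,
    "iat": NOW,
}
# Decoded payload of the matching ID token (constructed); "aud" is the client id.
SAMPLE_ID_CLAIMS = {
    "sub": "c0ffee00-1111-2222-3333-444444444444",
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "token_use": "id",
    "email": "ada@example.com",
    "email_verified": True,
    "given_name": "Ada",
    "family_name": "Lovelace",
    "exp": NOW + 3600,
    "iat": NOW,
}

# The claims mapping table from the page: field -> (claim name, token that carries it)
CLAIM_MAP = {
    "External ID": ("sub", "access"),
    "Username": ("email", "id"),
    "Email": ("email", "id"),
    "First Name": ("given_name", "id"),
    "Last Name": ("family_name", "id"),
}


def _check_common(claims: dict, issuer: str, token_use: str, now: int) -> None:
    """Checks shared by both tokens: issuer, token type and expiry."""
    if claims.get("iss") != issuer:
        raise ValueError(f"{token_use} token issuer {claims.get('iss')!r} is not the configured Issuer")
    if claims.get("token_use") != token_use:
        raise ValueError(f"expected a Cognito {token_use} token, got token_use={claims.get('token_use')!r}")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError(f"{token_use} token is expired or has no exp claim")


def check_access_token(claims: dict, issuer: str, client_id: str, now: int) -> None:
    _check_common(claims, issuer, "access", now)
    if claims.get("client_id") != client_id:
        raise ValueError("access token was issued to a different app client")


def check_id_token(claims: dict, issuer: str, client_id: str, now: int) -> None:
    _check_common(claims, issuer, "id", now)
    aud = claims.get("aud")
    audience_ok = client_id in aud if isinstance(aud, list) else aud == client_id
    if not audience_ok:
        raise ValueError("ID token audience is not this app client")


def map_claims(access_claims: dict, id_claims: dict, issuer: str, client_id: str, now=None) -> dict:
    """Validate both tokens, then build the Cloud SSO user record from the mapping table."""
    now = int(time.time()) if now is None else now
    check_access_token(access_claims, issuer, client_id, now)
    check_id_token(id_claims, issuer, client_id, now)
    if access_claims.get("sub") != id_claims.get("sub"):
        raise ValueError("access token and ID token belong to different subjects")
    # Extra check (not on the page): only trust an email that Cognito has verified,
    # since it becomes the Username the account is looked up by.
    if id_claims.get("email_verified") is not True:
        raise ValueError("ID token email is not verified")
    tokens = {"access": access_claims, "id": id_claims}
    mapped = {}
    for field, (claim, token) in CLAIM_MAP.items():
        value = tokens[token].get(claim)
        if not value:
            raise ValueError(f"{token} token lacks the '{claim}' claim needed for {field}")
        mapped[field] = value
    return mapped


if __name__ == "__main__":
    for field, value in map_claims(SAMPLE_ACCESS_CLAIMS, SAMPLE_ID_CLAIMS, ISSUER, CLIENT_ID, NOW).items():
        print(f"{field}: {value}")
```

Cognito includes the profile claims (given_name, family_name) in the ID token only when the scopes requested include profile and the attributes are readable by the app client, which is why the Scopes value must be entered exactly as openid profile email; a missing claim surfaces here as a mapping error rather than a silently empty name.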
