Glad it helped!

Glad it was helpful! Please like, subscribe & share!! Thanks in advance.

Any time! 🙂

Glad it was helpful!

Glad it was helpful!

Glad it helped :)

Glad it was helpful!

I am sure there should be some way to pass the Okta roles in a SAML attribute and then map that to a custom Cognito userpool attribute. This custom attribute can be added in the Cognito's ID token.

@@securityinaction1018 I managed to do that just now, added "groups" attribute and included all the groups the user belongs to, and after that i am mapping it to custom Cognito User Pool attribute and that appears in the ID token. Is it possible for somehow to appear in the access token? Because i will have to use ID tokens to do my Authentication/Authorization, which "apparently" is not a good practice based on some people on the internet

I don't think that is possible at this point of time unless those groups are present in Cognito and users are added to those cognito groups.

@@AleksandarT10 Can you provide me the steps on how we can show okta groups in ID token. I'm not able to see it in the ID token. I have created a group in okta and assigned the user as well. In cognito I created the custom user attribute custom:appgroups and mapped it to okta group name admingroup. But still the group is not showing up

Please check the users tab in the Cognito user pool. If it doesn't show up, refresh the page.

I refreshed as Users have not got created, reaching out to you for your guidance. One more point, it created a group with UserPool Id_Okta Domain name without any user. @@securityinaction1018

That's surprising. Are you getting an ID token ? If so, a user profile should be present. But, I am not sure why it is not showing up even after refreshing. May be you can try opening the console in different browsers or incognito window.

Please refer this video which talks about authorization code grant flow using Okta kzbin.info/www/bejne/p2aZeqJpbtFmp8k

Cognito groups are already available in Access Token in "cognito:groups" claim. Refer this documentation for more details docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html

@@securityinaction1018 I need to get the groups from okta, how to get the groups from okta within the access and ID token.

Refer support.okta.com/help/s/article/How-to-pass-a-user-s-group-membership-in-a-SAML-Assertion-from-Okta?language=en_US. I have not tried this. You can map the Okta SAML attribute that has group details to a custom attribute in Cognito user profile. This custom attribute will get added as a claim in the ID token, but not access token.

I will check keycloak and publish a video in future

I added a new video on how to configure Keycloak as SAML IdP in Cognito. kzbin.info/www/bejne/e3e3XmaKfLGbkNk

If I understand the question correctly, you want to authenticate both okta and cognito pool users using the same login form. If so, that is not possible because Okta profiles are stored within Okta user data store and similarly, Cognito users in Cognito's user data store. Federation is the best way to handle this.

Hi Dipak, refer this documentation for more details docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-aws-jwt-verify. It has all the details that you asked.

​@@securityinaction1018 As per video we don't set federation by clicking seperate link 'Federated Identities' in aws cognito service. Now I'm using 'aws-amplify' package where 'federatedSignIn' method required identity_id e.g. eu-north-1:8e2f0d8e-3014-41da-977b-7c7e28fba44a . How can I provide this ID by creating new federation it shows error 'unknown federation id'

I have not used amplify library. If you can point out to the exact documentation, I can take a look and let you know. Also, can you explain the requirement? Do you want to bypass the Cognito login page and redirect to the external IdP login page?