Please subscribe to this channel for regular updates th-cam.com/channels/EEayyyCrJO94FYlzF0NLTg.html
Thank You for the support.
Hi
Can you tell how we can skip the step for the Cognito hosted UI and directly redirect the user to the Okta sign-in page?
Thanks.
Thank you for your explanation😊
I managed to make it work but with Cognito + Google Account as an OIDC IdP.
P.S. Since the Cognito UI has changed, maybe for new videos, if you could use the new UI, that would be easier for newcomers.
Welcome. I have another video for Cognito + Google. I used the new Cognito UI for this video. The old one is totally different.
@securityinaction1018 which one?
I used Google APIs or a Google dev account with OAuth.
Please send me the link.
This is the video th-cam.com/video/7r0eBNBNEZ8/w-d-xo.html. This also uses a Google dev account and OAuth. It might be the same as what you did.
@securityinaction1018 yes, this is what I did, thank you. I will cross-check.
Thanks so much for the lesson, but if possible please do a tutorial using a custom UI sign-in flow.
You are welcome!! I will surely look into this custom UI sign-in flow and try to post a video. Are you referring to a Cognito custom login page UI?
Please like, subscribe & share!! Thanks in advance.
@securityinaction1018 yes and no. I'm referring to integrating an OAuth federated sign-in experience using Google, or any other OIDC provider, with a custom UI (e.g. a React or Vue.js custom login page) using Cognito. In your example you used the hosted UI from Cognito.
Hi, I got to the point where I log in and I'm redirected to jwt where I can see the access token, but I don't see the users being added to the user pool. How is that achieved? Thanks.
If you are getting the access token and id token and seeing the user details on the jwt.io page, it would have surely created the user profile in the Cognito user pool, because these tokens won't get generated without a Cognito user profile. Try refreshing the users tab in the Cognito user pool because sometimes it doesn't auto-refresh.
Can you tell how we can skip the step for the Cognito hosted UI and directly redirect the user to the Okta sign-in page?
You can pass the identity_provider parameter to the /authorize endpoint as mentioned here: docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html. If this value is passed, Cognito will not display the hosted UI login page. Instead, it will redirect to that IdP.
Please like, subscribe & share!! Thanks in advance.
@securityinaction1018 Thanks, it worked.
Thanks a lot!
PS: think about changing your mouse or mic... ;)
You are welcome!! Working on it :) !
I have a user migration lambda which, during sign-on, adds a new user to the user pool using SAML authentication.
The problem I am facing is that the username of the user who is added to the pool is the email with which he has logged in.
But I want to map the username to some UUID like the sub attribute and don't want the username to be any of the user's personal data.
I am able to do this with Google sign-on but not with Okta SAML. Any suggestions?
Please check this article: support.okta.com/help/s/article/How-to-configure-a-required-SAML-Username-Attribute-when-Multiple-Okta-Username-Formats-are-being-used?language=en_US.
In your case, try setting the "Application username format" to custom with an expression language value of user.getInternalProperty("id"). Refer to this article for EL: developer.okta.com/docs/reference/okta-expression-language/#okta-user-profile
@securityinaction1018 Thanks for the information, but with the requirement I have, this also is not working.
And I am pretty new to AWS, still learning.
What I want is for my JWT token created through the pre-token lambda of Cognito not to have any personal information of the user.
If my user pool contains a username which is the email of the signed-in user, whenever the token is generated the username attribute will contain the email id.
FYI I also have a Google sign-on and during that the username is getting mapped to the sub attribute.
But for SAML and normal userid and password login it's getting the username equal to the user's email in the Cognito user pool.
Any pointers you have which I can use will be helpful.
You can suppress a specific claim in the JWT token using the pre token generation trigger: docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html#aws-lambda-triggers-pre-token-generation-example-1. In this example, they are suppressing the email claim by passing an attribute name list in "claimsToSuppress". You can try passing all the claim names that you want to remove from the JWT ID token.
@securityinaction1018 I have tried this but the username claim can't be suppressed, nor can it be modified.
You are right. I was not able to suppress that claim. Looks like it is a reserved attribute as per this document: docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html.
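As an added example (not code from the video or this thread), this Node.js pre token generation trigger suppresses the personal-data attribute claims the question is worried about and adds a claim naming the federating IdP; it leaves the username claim alone, since the reply above says it is reserved. The version-1 event shape follows the AWS documentation, and the format of the "identities" attribute is an assumption to verify against your own pool.

```javascript
// Attribute claims treated as personal data; extend for your pool's schema.
const PII_CLAIMS = [
  'email', 'email_verified', 'phone_number', 'phone_number_verified',
  'name', 'given_name', 'family_name', 'address', 'birthdate',
];

// Federated users carry an "identities" attribute: a JSON array listing each
// linked IdP's providerName (format assumed; verify it in your own pool).
function primaryProvider(userAttributes) {
  try {
    const ids = JSON.parse(userAttributes.identities || '[]');
    const primary = ids.find((i) => String(i.primary) === 'true') || ids[0];
    return primary ? primary.providerName : 'COGNITO';
  } catch (err) {
    return 'COGNITO'; // malformed value: treat as a native pool user
  }
}

// Suppress only the PII claims this user actually has, and add a claim that
// names the IdP. The username claim is not listed: it is reserved (see above).
function buildClaimsOverride(userAttributes) {
  return {
    claimsToSuppress: PII_CLAIMS.filter((c) => c in userAttributes),
    claimsToAddOrOverride: { idp: primaryProvider(userAttributes) },
  };
}

// Lambda entry point: Cognito reads event.response.claimsOverrideDetails.
async function handler(event) {
  event.response = { ...(event.response || {}),
    claimsOverrideDetails: buildClaimsOverride(event.request.userAttributes) };
  return event;
}
if (typeof module !== 'undefined') module.exports = { handler };

// Constructed version-1 sample event for a local run; not a real user.
const sampleEvent = {
  version: '1',
  triggerSource: 'TokenGeneration_HostedAuth',
  request: {
    userAttributes: {
      sub: '00000000-0000-4000-8000-000000000000',
      email: 'user@example.com', email_verified: 'true', name: 'Sample User',
      identities: JSON.stringify([{ providerName: 'Okta', providerType: 'SAML', primary: 'true' }]),
    },
  },
  response: { claimsOverrideDetails: null },
};
handler(sampleEvent).then((e) => console.log(JSON.stringify(e.response, null, 2)));
```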
How to do the mapping of groups from Okta to Cognito?
You need to make some configuration changes in Okta and pass the groups scope from Cognito to Okta. Please refer to this document: developer.okta.com/docs/guides/customize-tokens-groups-claim/main/
Please like, subscribe & share!! Thanks in advance.
So if implicit is not as secure, why are you doing a tutorial on implicit and not the auth flow?
Good question. The main purpose of this video is to demo how to add Okta as an OIDC IdP in AWS Cognito. I have posted two different videos on how to configure the Authorization code grant flow using Cognito:
Without PKCE: th-cam.com/video/Ox7FuGpQrV8/w-d-xo.html
With PKCE: th-cam.com/video/lWVmJ1CXzMo/w-d-xo.html