AWS Cognito - OIDC - Configuration


Required User Credentials


Important Note

Overview

This guide explains how to integrate AWS Cognito using OpenID Connect (OIDC) with Flosum Cloud Apps to enable Single Sign-On (SSO) for seamless login.


For more general instructions about adding an Identity Provider, see the following article.


Customer-Hosted

Outline Of Steps Involved

  • Create a User Pool with AWS Cognito

  • Determine the Issuer URL

  • Obtain the Client ID and Client Secret

  • Set up the Redirect URL

  • Create an Identity Provider with Flosum Global Settings

  • Test the SSO

Configuring AWS Cognito for Flosum Cloud Apps

This section shows you how to configure an AWS Cognito User Pool to work with Flosum Cloud Apps for SSO.

1

Create AWS Cognito User Pool

  1. Access the AWS Management Console and navigate to the Cognito service.

  2. Select Manage User Pools.

  3. In the User Pools section, click the Create a User Pool button. You'll be prompted to name your new pool.

  4. After naming your pool, select Step through settings. This section lets you define sign-in parameters for your users.

  5. Select the attributes shown in the screenshot below. These attributes determine the information you'll collect from users during registration.

  6. After setting the required attributes, click Next Step to save your configurations.

2

Setting Up Policies

  1. Select the settings to match your security requirements.

  2. Click Next Step.

3

MFA and Verification Configuration

  1. Select Multi-Factor Authentication and verification settings based on your security needs.

  2. Click Next Step to save your configurations.

4

Message Customizations

  1. Edit the verification messages to meet your needs.

  2. Click Next Step to save your configurations.

5

App Clients Configuration

  1. Skip the Tags and Devices steps.

  2. Configure the App Clients.

  3. Click Add an app client.

  4. Edit the settings to match the screenshot below.

  5. Click Next Step to save your configurations.

6

Finalize the User Pool

  1. On the Review step, verify all configurations are correct.

  2. If everything is correct, click Create Pool to finalize the user pool creation.

7

Set the Domain Name

The next step is to create a Domain Name for the User Pool you created.

  1. Navigate to the Domain Name tab.

  2. Enter your desired Domain Prefix.

  3. Click Check Availability.

  4. If the domain is available, click Save Changes.

8

Configure App Client Settings

  1. Navigate to App client settings and update them to match the configurations shown in the screenshot below.

  2. In the Callback URL(s) field, add the URL of your region for each Flosum Cloud App you want to use with SSO. See the table below for the URLs for your region.

Flosum Cloud App      Callback URL
Global Settings       https://global-us.flosum.app/api/v1/oauth/callback
Backup & Archive      https://backup-us.flosum.app/api/v1/oauth/callback
DevOps                https://devops-us.flosum.app/api/v1/oauth/callback

  3. In the Sign-out URL(s) field, add the URL of your region for each Flosum Cloud App you want to use with SSO. See the table below for the URLs for your region.

Flosum Cloud App      Sign-Out URL
Global Settings       https://global-us.flosum.app/api/v1/oauth/login
Backup & Archive      https://backup-us.flosum.app/api/v1/oauth/login
DevOps                https://devops-us.flosum.app/api/v1/oauth/login

9

Retrieve the ISSUER_BASE_URL


You will need the ISSUER_BASE_URL value when creating the Identity Provider in Flosum Global Settings.

  1. Navigate to Manage User Pools within AWS Cognito.

  2. Select the User Pool you created, and then access General Settings.

  3. Note the ISSUER_BASE_URL, which follows the format: https://cognito-idp.<region>.amazonaws.com/<userPoolId>.

10

Retrieve ISSUER_CLIENT_ID and ISSUER_CLIENT_SECRET


You will need the ISSUER_CLIENT_ID and ISSUER_CLIENT_SECRET values when creating the Identity Provider in Flosum Global Settings.

  1. Navigate to Manage User Pools within AWS Cognito.

  2. Select the User Pool you created, and then click on App Clients.

  3. Note the ISSUER_CLIENT_ID, found under App client id.

  4. Note the ISSUER_CLIENT_SECRET, found under App client secret.

11

Set Redirect URL

  1. In the Redirect URL field, add the URL of your region for each Flosum Cloud App you want to use with SSO. See the table below for the URLs for your region.

Flosum Cloud App      Redirect URL
Global Settings       https://global-us.flosum.app/api/v1/auth/login/open-id
Backup & Archive      https://backup-us.flosum.app/api/v1/auth/login/open-id
DevOps                https://devops-us.flosum.app/api/v1/auth/login/open-id

Create Identity Provider In Global Settings

1

Create Identity Provider

Follow the general instructions in the article below to get started creating an OIDC Identity Provider.

  1. Complete the Basic information section.

    1. Select OPEN_ID for the identity provider Type.

  2. Complete the Button information section.

  3. (Optional) Complete the Group information section.

Complete OpenId Information Fields

Copy the information from your AWS Cognito application into the OpenId Information section. The table explains which AWS Cognito value to enter into which Flosum field. The final screenshot shows a completed identity provider for an AWS Cognito OIDC application.

The values in the AWS Cognito Value column are a combination of values from your AWS Cognito app. Retrieving these values is explained in the sections above.

Flosum Field      AWS Cognito Value
Client ID         ISSUER_CLIENT_ID
Client Secret     ISSUER_CLIENT_SECRET
Issuer            ISSUER_BASE_URL
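Before saving the identity provider, it is worth checking the values above against the pool itself. The following Python script is an added example, not Flosum's or AWS's code: it builds ISSUER_BASE_URL in the step 9 format, compares it with the pool's OIDC discovery document (normally fetched from <ISSUER_BASE_URL>/.well-known/openid-configuration; here a constructed sample with a placeholder pool ID and domain prefix is embedded so it runs offline), and flags any Flosum callback URL from step 8 that is not registered on the app client exactly as listed.

```python
import re
from urllib.parse import urlparse

# Flosum callback URLs from the Callback URL(s) table above (US region).
FLOSUM_CALLBACK_URLS = {
    "Global Settings": "https://global-us.flosum.app/api/v1/oauth/callback",
    "Backup & Archive": "https://backup-us.flosum.app/api/v1/oauth/callback",
    "DevOps": "https://devops-us.flosum.app/api/v1/oauth/callback",
}

# ISSUER_BASE_URL format from step 9: https://cognito-idp.<region>.amazonaws.com/<userPoolId>
ISSUER_RE = re.compile(
    r"^https://cognito-idp\.([a-z0-9-]+)\.amazonaws\.com/([a-z0-9-]+_[A-Za-z0-9]+)$"
)

def issuer_base_url(region, user_pool_id):
    """Build ISSUER_BASE_URL from the region and User Pool ID (step 9 format)."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"

def check_issuer(issuer, discovery):
    """Return a list of problems with ISSUER_BASE_URL against the pool's OIDC discovery
    document ('discovery' is the parsed JSON from <issuer>/.well-known/openid-configuration)."""
    problems = []
    if not ISSUER_RE.match(issuer):
        problems.append("ISSUER_BASE_URL does not match the expected Cognito format")
    if discovery.get("issuer") != issuer:
        # An OIDC client validates the ID token 'iss' claim against the configured issuer;
        # a trailing slash or wrong pool ID makes every login fail after the redirect.
        problems.append("discovery 'issuer' differs from ISSUER_BASE_URL")
    for ep in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(discovery.get(ep, "")).scheme != "https":
            problems.append(f"{ep} missing or not https")
    return problems

def missing_callbacks(app_client_callbacks, apps):
    """Flosum apps whose callback URL is not registered byte-for-byte on the Cognito
    app client (OAuth redirect_uri matching is exact, so a trailing slash is a mismatch)."""
    registered = set(app_client_callbacks)
    return [app for app in apps if FLOSUM_CALLBACK_URLS[app] not in registered]

# Constructed sample (hypothetical pool ID and domain prefix), not real values.
SAMPLE_ISSUER = issuer_base_url("us-east-1", "us-east-1_EXAMPLE1")
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": "https://example-prefix.auth.us-east-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example-prefix.auth.us-east-1.amazoncognito.com/oauth2/token",
    "jwks_uri": SAMPLE_ISSUER + "/.well-known/jwks.json",
}
```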

2

Save and Test


For instructions on logging in with SSO, see the following article.

  1. Click Save to save the identity provider.

  2. To test, open an incognito window.

  3. Start logging in to Global Settings with your tenant name.

  4. If the identity provider was configured successfully, you should see the SSO button you created.
