
Microsoft ADFS With AWS Cognito - CloudFront

Secure a static AWS CloudFront page with AWS Cognito and Microsoft ADFS.

Resources


Deploy a demo page.

  1. Open the Auth@Edge demo in the AWS Serverless Application Repository.
  2. Add a valid e-mail address to the Cognito user pool. This user is used to test the deployment.
  3. Check "I acknowledge that this app creates custom IAM roles and resource policies." and click Deploy.

Login to demo page.

  1. Check your e-mail for the temporary password (sender: no-reply@verificationemail.com).
  2. Navigate to AWS -> CloudFormation -> serverlessrepo-cloudfront-auth-edge
  3. Open the Outputs tab and scroll down to WebsiteUrl. This is the CloudFront URL that is protected with Cognito.
  4. Login with your e-mail address and the password you got in the e-mail.
  5. You will be logged in to a page with a "Private" heading, some description of what's happening, and information about the page.
  6. Press the Sign-out button to get to the login screen again.


Configure Cognito for ADFS

  1. Navigate to AWS Cognito and click Manage User Pools
  2. Click the user pool previously deployed from the application repository. In my case 'serverlessrepo-cloudfront-auth-edge'.
  3. In the left menu, click Identity providers under Federation.
  4. Click SAML.
  5. Add your ADFS server metadata URL, e.g. https://sts.my-domain.com/FederationMetadata/2007-06/FederationMetadata.xml
  6. Check 'Enable IdP sign out flow' to enable ADFS sign out.
  7. Click Create Provider.
  8. In the left menu, click Attribute mapping under Federation.
  9. On the SAML tab, select 'My-Domain-ADFS-Server' in the dropdown menu.
  10. Click Add SAML attribute.
  11. Map the SAML attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to the user pool attribute Email.
  12. Click Save Changes.
  13. In the left menu, click App Client Settings under App integration.
  14. Deselect Cognito User Pool and select 'My-Domain-ADFS-Server'.
  15. Click Save Changes.

Get AWS attributes for ADFS configuration

  1. In the left menu, click General settings.
  2. Note the Pool Id and append it to urn:amazon:cognito:sp: . This is the Relying Party Identifier in the ADFS server, e.g. urn:amazon:cognito:sp:us-east-1_G5zi7fNtT
  3. In the left menu, click Domain name under App integration.
  4. Note the Amazon Cognito domain. With /saml2/idpresponse appended, it is the SAML Assertion Consumer endpoint in ADFS, e.g. https://auth-0d591cb0-0fd4-11ec-9360-0eadc6b18409.auth.us-east-1.amazoncognito.com/saml2/idpresponse (the /saml2/idpresponse path is documented by AWS).
  5. Switch to the CloudFront service via the Services menu or the search bar.
  6. Copy the CloudFront Domain Name, e.g. d1md7y7z21n5ag.cloudfront.net, or the Alternative domain name if you have added one.

Configure Relying party trust in Microsoft ADFS for Cognito Part 1

  1. RDP to your ADFS Server.
  2. Open 'AD FS Management' Desktop App
  3. Click 'Add Relying Party Trust...' under Actions Menu
  4. Select Claims aware -> Start
  5. Select 'Enter data about the relying party manually' -> Next
  6. Display Name: AWS-Cognito -> Next
  7. Configure Certificate. Just press Next here
  8. Configure URL. Just press Next here
  9. Relying party trust identifier: the urn prefix plus the Pool Id noted earlier, e.g. urn:amazon:cognito:sp:us-east-1_G5zi7fNtT -> Next
  10. Choose Access Control Policy: select Permit everyone, or an MFA policy if you have configured MFA.
  11. Press Next and Close to finish this configuration.

Configure Relying party trust in Microsoft ADFS for Cognito Part 2

  1. RDP to your ADFS Server.
  2. Open 'AD FS Management' Desktop App
  3. Navigate to AD FS -> Relying Party Trusts.
  4. Right-click AWS-Cognito -> Edit Claim Issuance Policy...
  5. Click Add Rule
  6. Claim rule template: Send LDAP Attribute as Claims
  7. Claim Rule name: Email-rule
  8. Attribute store: Active Directory
  9. Mapping of LDAP attribute 1: E-Mail-Addresses -> E-Mail Address
  10. Mapping of LDAP attribute 2: E-Mail-Addresses -> Name ID
  11. Finish
  12. Press OK to close this window.

  1. Right-click the AWS-Cognito relying party and select Properties.
  2. Select Endpoints Tab.
  3. Click Add SAML...
  4. Endpoint type: SAML Assertion Consumer
  5. Binding: POST
  6. Trusted URL: https://auth-0d591cb0-0fd4-11ec-9360-0eadc6b18409.auth.us-east-1.amazoncognito.com/saml2/idpresponse
    • Note: This is the Cognito Domain followed by saml2/idpresponse.
  7. Click OK

  1. Click Add SAML...
  2. Endpoint type: SAML Logout
  3. Binding: Redirect
  4. Trusted URL: https://sts.my-domain.com/adfs/ls/?wa=wsignout1.0 (the sign-out endpoint is documented on TechNet)
  5. Response URL: https://d1md7y7z21n5ag.cloudfront.net (the URL of the protected website)
  6. Click OK


Test configuration

  1. Open your AWS CloudFront URL in a browser. https://d1md7y7z21n5ag.cloudfront.net
  2. Login will now work with ADFS.
  3. Logout will not yet work correctly. ADFS displays the following error: "Error details: MSIS7054: The SAML logout did not complete properly."

Fix ADFS Sign Out

  1. To fix ADFS sign out, the Cognito SAML signing certificate is required: ADFS uses it to verify the signed logout request that Cognito sends.
  2. Get the certificate with the CLI: aws cognito-idp get-signing-certificate --user-pool-id us-east-1_G5zi7fNtT --query Certificate --output text > cognito.cer (the command prints only the base64 body of the certificate; wrap it in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines so ADFS can import the file).
  3. Alternatively, the certificate is also visible in the Cognito dashboard. Go to Federation > Identity Providers > SAML > Active SAML Providers and click Show signing certificate. Copy and paste the contents into a file named cognito.cer.
  4. Copy cognito.cer to the ADFS server.
  5. Open the 'AD FS Management' desktop app.
  6. Right-click the AWS-Cognito relying party and select Properties.
  7. Open the Signature tab.
  8. Click Add...
  9. Select the cognito.cer file.
  10. Click Open and OK.
  11. Sign in again on the CloudFront page, or sign out if you are still signed in; the logout should now complete.
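The certificate steps above, as an added POSIX shell example (it is not part of the original page and not an AWS or Microsoft script). It assumes the AWS CLI is installed, that the caller has cognito-idp:GetSigningCertificate on the pool, and that the CLI returns the certificate as a JSON object with a Certificate field holding the base64 body without PEM headers, which is then wrapped into a base64 X.509 .cer file for the ADFS Signature tab. The pool id and the sample base64 string are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): fetch the Cognito SAML signing
# certificate with the AWS CLI and save it as a base64 (PEM) .cer file that
# the ADFS "Signature" tab can import.
set -eu

# The CLI returns JSON like {"Certificate": "<base64 DER, no PEM header>"}.
# Extract the base64 body from that response on stdin. Newlines are removed
# first so pretty-printed output is handled too; no jq is required.
cert_from_response() {
  tr -d '\n\r' | sed -n 's/.*"Certificate" *: *"\([^"]*\)".*/\1/p'
}

# Wrap a bare base64 certificate body in PEM armour, 64 characters per line,
# which is the "Base-64 encoded X.509 (.CER)" layout ADFS accepts.
pem_from_base64() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----'
  printf '%s' "$1" | tr -d ' \n\r' | fold -w 64
  printf '\n%s\n' '-----END CERTIFICATE-----'
}

# Full flow: query Cognito for the pool's signing certificate and write it to
# the given path. Fails loudly if the response carries no certificate, so an
# empty or malformed file never reaches the ADFS server.
fetch_cognito_signing_cert() {
  pool_id=$1
  out=$2
  b64=$(aws cognito-idp get-signing-certificate --user-pool-id "$pool_id" | cert_from_response)
  [ -n "$b64" ] || { echo "no Certificate field in response for $pool_id" >&2; return 1; }
  pem_from_base64 "$b64" > "$out"
  echo "wrote $out ($(wc -l < "$out" | tr -d ' ') lines)"
}

# Only call AWS when a pool id is supplied via the environment, e.g.
#   COGNITO_POOL_ID=us-east-1_G5zi7fNtT sh cognito-cert.sh
# so the helper functions can also be sourced and exercised offline.
if [ -n "${COGNITO_POOL_ID:-}" ]; then
  fetch_cognito_signing_cert "$COGNITO_POOL_ID" cognito.cer
fi
```

Copy the resulting cognito.cer to the ADFS server and add it on the Signature tab as described in the steps above. Parsing the JSON with sed rather than `--query Certificate --output text` keeps the script free of a jq dependency and lets the same helper run against a saved response file.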