AWS Cognito SAML Single Sign-On (SSO) Integration with Drupal as IdP
Overview
This guide will help you integrate Drupal as a SAML 2.0 Identity Provider (IdP) and AWS Cognito as a Service Provider (SP) using the miniOrange SAML IDP module. This integration enables centralized user management and permission control, allowing users to access multiple applications with a single set of credentials. The module is compatible with Drupal 7, Drupal 8, Drupal 9, Drupal 10, and Drupal 11.
Installation Steps
- Using Composer
- Using Drush
- Manual Installation
Configuration Steps
Drupal SAML IdP Metadata:
- After installing the module on your Drupal site, navigate to Configuration → People → miniOrange SAML IDP Configuration (/admin/config/people/miniorange_saml_idp/idp_setup).
- Under the IDP Metadata tab, click on the Download Metadata button. Open the downloaded file in a text editor and copy the IdP information. Keep it handy; it is required to configure AWS Cognito as the SAML SP.
Configure AWS Cognito as Service Provider:
- Login to the AWS console.
- In the search bar, search for Cognito and open it.
- Click on the Create user pool button.
- In Configure sign-in experience, select the following configurations:
- Enable the Federated identity providers checkbox.
- Under Cognito user pool sign-in options, select the attributes users should be allowed to sign in with.
- Choose SAML under the Federated Sign-in options.
- Click on the Next button.
- In Configure security requirements, choose the password policy mode, multi-factor authentication (MFA) requirements and user account recovery options, then click on the Next button.
- In Configure sign-up experience, select the options that suit your requirements and click on the Next button.
- Choose Send email with Cognito as the Email Provider and click Next.
- Enter the User pool name. Select Other from Initial app client. Enter the App client name and then click on the Next button.
- Verify the required information, scroll down and click on the Create user pool button.
- Now search for the created user pool and click on it.
- Navigate to the Sign-in experience tab.
- Click on Add identity provider button.
- Select SAML.
- Enter the Provider name and upload the IdP metadata file that you downloaded from the Drupal site.
- Enter the name of the SAML attribute that carries the user's email address and click on the Add identity provider button.
- Navigate to the App integration section.
- Under the Actions dropdown click on Create Cognito domain.
- Enter the Cognito domain name as per your choice and click on Create Cognito domain button.
Configuring Drupal as SAML Identity Provider (IdP):
- Navigate to the Drupal site and switch to the Service Provider Setup tab of the module. Enter the Application name under the Service Provider Name text field. For example, AWS.
- Enter the ACS URL in the ACS URL text field under the Service Provider Setup tab. It has the following format:
https://<your user pool domain>/saml2/idpresponse
- In AWS Cognito → User pools → the user pool you created on AWS → User pool overview, copy your User pool ID and keep it handy. Usually, the Entity ID is in the format:
urn:amazon:cognito:sp:<yourUserPoolID>
- In Drupal's Service Provider Setup tab, paste the previously copied Entity Id into the SP Entity ID or Issuer text field.
- Scroll down and click on the Save Configuration button.
You have successfully configured the SAML SSO between AWS Cognito as SAML SP and Drupal as SAML IDP.
Additional Features:
Explore the advanced features offered by the module with a full-featured trial. You can initiate the trial request using the Request 7-day trial button in the module, or reach out to us at drupalsupport@xecurify.com for one-on-one assistance from a Drupal expert.
- Setup Multiple Applications (Service Provider) with Drupal
- Share additional User Attributes/Roles with the Service Provider
- Dynamic Relay State (The URL to which users are redirected after successful authentication)
- IDP initiated SSO