AWS Cognito Single Sign-On (SSO) Integration with WordPress OAuth
AWS Cognito Single Sign-On (SSO) for WordPress uses OAuth Authorization flow to provide users secure access to WordPress site. With our WordPress OAuth Single Sign-On (SSO) plugin, AWS Cognito acts as the OpenID Connect and OAuth provider, ensuring secure login for WordPress websites.
The integration of WordPress with AWS Cognito simplifies and secures the login process using AWS Cognito OAuth. This solution allows employees to access their WordPress sites with Single Sign-On (SSO) using their AWS Cognito credentials, completely removing the need to store, remember, and reset multiple passwords.
In addition to offering AWS Cognito SSO functionality, the WordPress SSO plugin extends its support to a various IDPs, including Azure AD, Office 365, and specialized providers, offering robust SSO capabilities like multi-tenant login, role mapping, and user profile attribute mapping. For further insights into the array of features we offer within the WP OAuth & OpenID Connect Client plugin, kindly refer here. You can follow the below steps to setup AWS Cognito Single Sign-On (SSO) with WordPress
WordPress Cognito Integration
WordPress Cognito Integration uses the Cognito SDK and allows users to fill Registration and Password Reset forms or log into the WordPress website directly.
Prerequisites: Download and Installation
- Log into your WordPress instance as an admin.
- Go to the WordPress Dashboard -> Plugins and click on Add New.
- Search for a WordPress OAuth Single Sign-On (SSO) plugin and click on Install Now.
- Once installed click on Activate.
Steps to configure AWS Cognito Single Sign-On (SSO) in WordPress OAuth
1. Setup Amazon Cognito as OAuth Provider
- First of all, go to Amazon Console and sign up/login in your account to Configure AWS Cognito.
- Search for Cognito in the AWS Services search bar as shown below.
- Click on Create a user pool to create a new user pool.
- Choose the attributes in your user pool to be used during the sign-in process
- Set up a strong password to configure your security requirements. Go ahead with the ‘No MFA’ option if you want users to only sign in with a single authentication factor. If you wish to enable MFA (Multi-factor authentication) it will require SMS messages which are charged separately by Amazon SNS. Learn more about that here. Click Next.
- Configure attributes that would be required during the user sign-up flow.
- Choose additional attributes if you wish to. Click Next.
- Configure how your user pool sends email messages to users.
- Enter a name for your user pool, Also Under Hosted authentication pages, check ‘Use the Cognito Hosted UI’.
- Now, Under the Domain section choose the domain type as ‘Use a Cognito domain’. Enter a domain name for your Cognito app.
- Under the Initial app client section, Enter a name for your app client and check on Generate a client secret.
- Now enter your Callback/Redirect URL which you will get from your miniOrange plugin present on your Client side and paste it under the Allowed callback URLs text-field. Also refer the following image for choosing the authentication flows for your app.
- Now, Under Advanced app client settings. Select Identity provider as Cognito user pool & Select Authorization code grant under the OAuth 2.0 grant types and also select openid,email and profile checkboxes under the OpenID Connect scopes section (Please refer to the image below). Click on the Next button to save your configurations.
- Now, Review your selection of requirements. Click Create user pool to confirm the selection and create a user pool.
- After successfully creating your user pool, Select your pool name from the list of pools to start with user creation.
- Go to the Users tab, and click Create user.
- Enter details such as username, email address & password. Click on Create user to save the details.
- After the successful creation of the user, you will need a copy of the Cognito domain, Client ID, and Client Secret. Go to the 'App Integration' section and copy the complete domain name {your domain name}.auth.{region name}.amazoncognito.com. This should be entered into the endpoints field under
in the miniOrange OAuth Single Sign-On (SSO) plugin. - To get the Client ID and Client Secret, stay on the same 'App Integration' tab and scroll down to the 'App clients and analytics' section. Click on your App client name to see the Client ID and Client Secret.
In conclusion, by successfully configuring AWS Cognito as OAuth Provider, you have enabled seamless AWS Cognito Single Sign-On (SSO) and authorization for your end users into WordPress.
2. Setup WordPress as OAuth Client
- Go to Configure OAuth tab and click Add New Application to add a new client application into your website.
- Choose your Application from the list of OAuth / OpenID Connect Providers, Here AWS Cognito
- After selecting the provider copy the Callback URL which needs to be configured in OAuth Provider's SSO application Configuration.
- Enter the Client Credentials like Client ID & Client Secret which you will get from the AWS Cognito SSO application.
- Configure the Cognito App Domain found from the AWS Cognito SSO application. Please refer the below table for configuring the scope & endpoints for Amazon Cognito in the plugin
- Click on Next.
- After verifying all the details on the summary page, click on Finish to save the configuration as well as test the SSO connection.
- After successful test configuration, you will see the user attributes table.
| Scopes | openid |
| Authorize Endpoint: | https://<cognito-app-domain>/oauth2/authorize |
| Access Token Endpoint: | https://<cognito-app-domain>/oauth2/token |
| Get User Info Endpoint: | https://<cognito-app-domain>/oauth2/userInfo |
| Custom redirect URL after logout:[optional] | https://<cognito-app-domain>/logout?client_id=<Client-ID>&logout_uri=<Sign out URL configured in Cognito Portal> |
In conclusion, by successfully configuring WordPress as OAuth Client, you have enabled seamless AWS Cognito Single Sign-On (SSO) and authorization for your end users into WordPress.
3. User Attribute Mapping
- User Attribute Mapping is mandatory for enabling users to successfully Single Sign-On into WordPress using AWS SSO. We will be setting up user profile attributes for WordPress using the below settings.
- Go to Configure OAuth tab. Scroll down and click on Test Configuration.
- You will see all the values returned by your OAuth Provider to WordPress in a table. If you don't see value for First Name, Last Name, Email or Username, make the required settings in your OAuth Provider to return this information.
- Once you see all the values in Test Configuration, go to Attribute / Role Mapping tab, select attributes from Username dropdown and click on Save.
Finding user attributes
4: Role Mapping [Premium]
- Click on “Test Configuration” and you will get the list of Attribute Names and Attribute Values that are sent by your OAuth provider.
- From the Test Configuration window, map the Attribute Names in the Attribute Mapping section of the plugin. Refer to the screenshot for more details.
- Enable Role Mapping: To enable Role Mapping, you need to map Group Name Attribute. Select the attribute name from the list of attributes which returns the roles from your provider application.
Eg: Role - Assign WordPress role to the Provider role: Based on your provider application, you can allocate the WordPress role to your provider roles. It can be a student, teacher, administrator or any other depending on your application. Add the provider roles under Group Attribute Value and assign the required WordPress role in front of it under WordPress Role.
For example, in the below image. Teacher has been assigned the role of Administrator & Student is assigned the role of Subscriber. - Once you save the mapping, the provider role will be assigned the WordPress administrator role after SSO.
Example: As per the given example, Users with role ‘teacher’ will be added as Administrator in WordPress and ‘student’ will be added as Subscriber.
5. Sign In Settings
- The settings in Single Sign-On (SSO) Settings tab define the user experience for Single Sign-On (SSO). To add a AWS Cognito login widget on your WordPress page, you need to follow the below steps.
- Go to WordPress Left Panel > Appearances > Widgets.
- Select miniOrange OAuth. Drag and drop to your favourite location and save.
- Go to WordPress Left Panel > Appearances > Widgets.
- Select miniOrange OAuth. Drag and drop to your favourite location and save.
- Open your WordPress page and you can see the AWS Cognito SSO login button there. You can test the AWS Cognito Single Sign-On (SSO) now.
- Make sure the "Show on login page" option is enabled for your application. (Refer to the below image)
- Now, go to your WordPress Login page. (Eg. https://< your-wordpress-domain >/wp-login.php)
- You will see an AWS Cognito SSO login button there. Once you click the login button, you will be able to test the AWS Cognito Single Sign-On (SSO).
- Understanding Amazon Cognito user pool OAuth 2.0 grants
- AWS Cognito Single Sign-On FAQs
- WordPress Cognito Integration
- WordPress Single Sign-On (SSO) OAuth / OpenID Connect / JWT
- What is AWS Cognito & How to enable AWS Cognito Single Sign-On (SSO)?
- What is OAuth 2.0 and how does it work?
- Frequently Asked Questions (FAQs)
In conclusion, after successfully configuring AWS Cognito as an OAuth Provider and WordPress as an OAuth Client, you've achieved a smooth and secure authentication process for your users. Through AWS Cognito Single Sign-On (SSO), you can ensure a robust user experience within the WordPress environment. This allows users the ease of accessing multiple applications with a single set of login credentials. Through the integration of AWS Cognito OAuth as the primary authentication solution, users can securely log into their WordPress accounts with their existing AWS Cognito credentials.
Following are the WordPress Cognito Integrator use cases that we support
Troubleshooting
invalid_request
To fix this issue, please configure the correct Authorization endpoint in the plugin. You can confirm the correct format of the endpoint from here.
invalid_scope
Please make sure if you have entered correct Scopes in the plugin. You verify steps from this setup guide.
redirect_mismatch
To fix this issue, please configure the correct Redirect url in the Cognito Developer application from the plugin . You can refer to the steps in the setup guide here.
invalid_client
To fix this issue, please configure the correct Client Secret in the plugin. You can refer to this steps to configure correct Client Secret from the setup guide.
If your error is not listed here, click here to see others.
Frequently Asked Questions (FAQs)
I want to disable the signup now option on the cognito page at the time of AWS Cognito SSO?
Go to your user pool in Cognito. Under General Settings, go to Policies. Select the option Only allow administrators to create users and Save Changes. Read more
Authentication flow is not enabled while configuring AWS Cognito as an OAuth provider.
This error has probably occurred because you might not have enabled the following checkboxes ‘username password auth for admin APIs for authentication’ and ‘username password-based authentication’ while configuring the App client in Cognito User Pool. Read more
Additional Resources
Mail us on oauthsupport@xecurify.com for quick guidance(via email/meeting) on your requirement and our team will help you to select the best suitable solution/plan as per your requirement.
Need Help? We are right here!
