AWS Cognito Single Sign On (SSO) Integration using Drupal as IDP

Drupal can be set up as a centralized identity provider, that is, the authentication source for users across other applications via Single Sign-On (SSO). This document walks you through the steps of integrating Drupal as a SAML 2.0 Identity Provider (IdP) and AWS Cognito as the Service Provider (SP) using the miniOrange SAML IDP module. This lets you manage users and their permissions in one place while the users access multiple applications with a single set of credentials. The module is compatible with Drupal 7, Drupal 8, Drupal 9, and Drupal 10.

Installation Steps

Using Composer:

  • Download the module:
    composer require 'drupal/miniorange_saml_idp'
  • Navigate to the Extend menu on your Drupal admin console and search for miniOrange SAML Identity Provider using the search box.
  • Enable the module by checking the checkbox and clicking the Install button.
  • Configure the module at
    {BaseURL}/admin/config/people/miniorange_saml_idp/idp_setup

Using Drush:

  • Install the module:
    drush en miniorange_saml_idp
  • Clear the cache:
    drush cr
  • Configure the module at
    {BaseURL}/admin/config/people/miniorange_saml_idp/idp_setup

Manual installation:

  • Navigate to the Extend menu on your Drupal admin console and click on the Install new module button.
  • Install the Drupal SAML IDP 2.0 Single Sign On (SSO) - SAML Identity Provider module either by uploading the downloaded zip or from the URL of the package (tar/zip).
  • Click on Enable newly added modules.
  • Enable this module by checking the checkbox and clicking the Install button.
  • Configure the module at
    {BaseURL}/admin/config/people/miniorange_saml_idp/idp_setup

Download Drupal SAML IdP Metadata:

  • Once the module is installed, navigate to the Configuration tab from the top navigation bar and click on miniOrange SAML IDP Configuration.
  • In the IDP Metadata tab, click on the Download Metadata button to download the IdP metadata. Keep it handy; it is used later to set up the SAML interaction with the Service Provider.

Configure AWS Cognito as Service Provider:

  • Log in to the AWS console.
  • In the search bar, search for Cognito and click on it.
  • Click on the Create user pool button.
  • In Configure sign-in experience, select the following configurations:
    • Enable the Federated identity providers checkbox.
    • From the Cognito user pool sign-in options, enable the checkboxes of the attributes with which users should be allowed to log in.
    • Choose SAML under the Federated sign-in options.
  • Click on the Next button.
  • In Configure security requirements, choose the password policy mode, the Multi-factor authentication (MFA) requirements and the user account recovery options, then click on the Next button.
  • Select the suitable options in Configure sign-up experience as per your requirements and click on the Next button.
  • Choose Send email with Cognito as the Email provider and click Next.
  • Enter the User pool name. Select Other under Initial app client. Enter the App client name and then click on the Next button.
  • Verify the entered information, scroll down and click on the Create user pool button.
  • Now search for the created user pool and click on it.
  • Navigate to the Sign-in experience tab.
  • Click on the Add identity provider button.
  • Select SAML.
  • Enter the Provider name and upload the IdP metadata file that you downloaded from the Drupal site in the Download Drupal SAML IdP Metadata step.
  • Enter the SAML attribute in which the email of the user is received and click on the Add identity provider button.
  • Navigate to the App integration section.
  • Under the Actions dropdown, click on Create Cognito domain.
  • Enter a Cognito domain name of your choice and click on the Create Cognito domain button.

Configuring Drupal as Identity Provider:

  • Navigate to the Drupal site and switch to the Service Provider Setup tab of the module. Enter the application name in the Service Provider Name text field, for example AWS.
  • Enter the ACS URL in the Service Provider Setup tab. It has this format:

    https://Your user pool domain/saml2/idpresponse

  • In AWS Cognito, go to User pools -> the user pool you created -> User pool overview and copy your User pool ID. Keep it handy. Usually, the Entity ID is in this format:

    urn:amazon:cognito:sp:<yourUserPoolID>

  • In Drupal's Service Provider Setup tab, paste the Entity ID into the SP Entity ID or Issuer text field.
  • Scroll down and click on the Save Configuration button.

You have successfully configured SAML SSO between AWS Cognito as the SAML SP and Drupal as the SAML IdP.

Note: AWS Cognito does not support IdP-initiated SSO. To test the connection, perform SSO from the AWS application (SP-initiated).
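The Service Provider Setup values above, and the SP-initiated flow the note describes, as an added Python example (illustrative code, not the miniOrange module's own): it derives the SP Entity ID and ACS URL from the Cognito domain and User pool ID, and shows the check an IdP should make on an incoming AuthnRequest, accepting it only when the Issuer and the AssertionConsumerServiceURL match the registered SP. The pool domain and pool ID are constructed placeholders, and the sample request is constructed and unsigned; a real IdP also validates the request signature where one is configured.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in an AuthnRequest.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def cognito_sp_config(user_pool_domain: str, user_pool_id: str) -> dict:
    """Derive the two values the page says to enter in Drupal's Service
    Provider Setup tab from the Cognito domain and the User pool ID."""
    return {
        "entity_id": f"urn:amazon:cognito:sp:{user_pool_id}",
        "acs_url": f"https://{user_pool_domain}/saml2/idpresponse",
    }


def check_authn_request(xml_text: str, sp: dict) -> tuple:
    """Accept an SP-initiated AuthnRequest only when its Issuer is the
    registered SP Entity ID and any AssertionConsumerServiceURL it carries
    matches the registered ACS URL exactly. Returns (ok, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return False, "not a samlp:AuthnRequest"
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != sp["entity_id"]:
        return False, "issuer %r is not the registered SP" % issuer
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs != sp["acs_url"]:
        return False, "ACS URL %r does not match the registered SP" % acs
    return True, "ok"


def sample_authn_request(issuer: str, acs_url: str) -> str:
    """Constructed minimal AuthnRequest for testing; not captured from Cognito
    and unsigned. Inputs are plain strings, so no XML escaping is applied."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" '
        'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        'AssertionConsumerServiceURL="%s">'
        "<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>"
        % (NS["samlp"], NS["saml"], acs_url, issuer)
    )
```

An exact string comparison on the ACS URL is deliberate: the IdP must only post assertions to the URL registered for that SP, never to whatever URL a request names.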

Additional Features:

Explore the advanced features offered by the module with a full-featured trial. You can initiate the trial request using the Request 7-day trial button of the module or reach out to us at drupalsupport@xecurify.com for one-on-one assistance from a Drupal expert.

Case Studies:

miniOrange has successfully catered to the use cases of 400+ trusted customers with its highly flexible and customizable Drupal solutions. Feel free to check out some of our unique case studies.

Other Solutions:

Feel free to explore the other Drupal solutions that we offer. The popular solutions used by our trusted customers include 2FA, User Provisioning and Website Security.

24*7 Active Support:

The Drupal developers at miniOrange offer quick and active support for your queries. We can assist you from choosing the best solution for your use case to deploying and maintaining the solution.