AWS Cognito SAML Single Sign-On (SSO) | AWS SSO Login with WordPress
AWS Cognito SAML Single Sign-On (SSO) | AWS SSO Login with WordPress
AWS Cognito
AWS Cognito SSO - Login using WordPress Users (WP as SAML IDP) Plugin enables Single Sign-On (SSO) login into AWS using WordPress Login credentials. In this guide, we will set up SAML Single Sign-On (SSO) with WordPress in AWS Cognito by configuring AWS Cognito as SP (Service Provider) and WordPress as IdP (Identity Provider).
Pre-requisites: Download And Installation
To integrate the WordPress site as an Identity Provider, you will need to install the miniOrange Login using WordPress Users (WP as SAML IDP) plugin:
By miniOrange
Single Sign-On (SSO) login with WordPress Users into any Service Provider like Tableau, Zoho, Zoom, Moodle, Canvas LMS, Absorb LMS, TalentLMS, etc.
Guide to set up AWS Cognito SSO Login with WordPress:
1. Configure AWS Cognito as the Service Provider (SP)
- Go to the WordPress IDP plugin, navigate to the IDP Metadata tab.
- Here, you can find here the Identity Provider Metadata URL /XML Metadata or endpoints like IDP Entity ID, SAML Login URL, SAML Logout URL (Premium Feature), Certificate for SP configuration.
Create a user pool if not created already.
- Go to the Amazon Cognito console. You might be prompted for your AWS credentials.
- Choose an existing user pool from the list, or Create a User Pool.
- For creating new user pool. Enter Pool Name and select Review Defaults.
Create an App Client in your user pool if not created already.
- On the navigation bar on the left-side of the page, choose App clients under General settings.
- Choose Add an app client and give your app a Name.
- Clear the option Generate client secret for the purposes of this getting started exercise, as it would not be secure to send it on the URL using client-side JavaScript.
- Choose Create app client.
- Note the App client ID and choose Return to pool details.
Add Domain name to your Pool.
- Click on the Domain name tab of the Amazon Cognito console and add Domain Prefix.
Configure SAML Identity Provider in your user pool.
- On the left navigation bar, choose Identity providers and then choose SAML to open the SAML dialog.
- Under Metadata document upload a metadata document from your SAML IdP. You can also enter a URL that points to the metadata document.
- Note: Amazon Cognito recommends that you provide the endpoint URL if it is a public endpoint, rather than uploading a file because this allows Amazon Cognito to refresh the metadata automatically. Typically metadata refresh happens every 6 hours or before the metadata expires, whichever is earlier.
- Enter the values by referring to the table below.
- Click on Create provider.
- On the Attribute mapping (OPTIONAL) tab,if you are opting for it then add mappings for at least the required attributes, typically email.
- Choose Save changes.
| Provider Name | Enter your SAML Identity Provider name. |
| Identifiers (optional) | Enter any optional SAML Identifiers you want to use. | Identifiers (optional) | Enter any optional SAML Identifiers you want to use. |
| Identifiers (optional) | Enter any optional SAML Identifiers you want to use. |
| Enable IdP sign out flow |
Select Enable IdP sign out flow if you want your user to be logged out from the SAML IdP when
logging out from Amazon Cognito. Note: This is a premium feature in the miniOrange Login using WordPress Users (WP as SAML IDP) Plugin . |
Note: Attribute Mapping is a premium feature in the Login using WordPress Users ( WP as SAML IDP ) Plugin .
Change App client settings for your user pool.
- In the left navigation pane, under App integration, choose App client settings.
- On the app client page, do the following : Under Enabled Identity Providers, check the Name provided while configuring Identity Provider in the previous step and Cognito User Pool check boxes. For Callback URL(s), enter a URL where you want your users to be redirected after they log in. For testing, you can enter any valid URL, such as https://www.example.com/. For Sign out URL(s), enter a URL where you want your users to be redirected after they log out. For testing, you can enter any valid URL, such as https://www.example.com/.
- Choose Save changes.
You have successfully configured AWS Cognito as Service Provider.
2. Configure WordPress (WP) as IdP (Identity Provider)
- You would need following credentials from Amazon Cognito.
- You can find your yourUserPoolID in the General settings tab in the Amazon Cognito console.
| Entity ID | e.g. urn:amazon:cognito:sp:yourUserPoolID You can find your yourUserPoolID in the General settings tab in the Amazon Cognito console. |
| Entity ID | e.g. urn:amazon:cognito:sp:yourUserPoolID |
| ACS URL | e.g. https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse. You can find yourDomainPrefix and the region value for your user pool in the Domain name tab in the Amazon Cognito console. |
Instructions:
- Open the WordPress site.
- Go to the WordPress IDP plugin, navigate to the Service Provider tab.
- Enter the values corresponding to the information from Amazon Cognito. Refer to the table below.
- Click on the Save button to save your configuration.
| Service Provider Name | Name of your Service Provider. |
| SP Entity ID or Issuer | Copy and paste the SP-EntityID from Amazon Cognito. |
| ACS URL | Copy and paste the ACS URL from Amazon Cognito. |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Assertion Signed | Checked |
3. Attribute Mapping (This is a premium feature)
In WordPress:
- In the WordPress IDP plugin, navigate to the Attribute/Role Mapping tab.
- In the User Attributes section, enter the following information and click on Save .
- You can also add more attributes by clicking on + sign to add attributes.
- In the Custom Attributes section, enter the following information and click Save .
| Name | User Meta Data |
| FirstName | first_name |
| LastName | last_name |
| user_email |
| Name | Custom Attribute Value |
| Custom | customvalue |
In Amazon Cognito:
- Make sure to add the following information in the Amazon Cognito under Attribute Mapping tab.
4. Testing SSO
- In the Amazon Cognito console go to Manage User Pool.
- In the left navigation pane, under App integration, choose App client settings.
- In the Configured App Client, click on the Launch Hosted UI.
- Click on the Button below Sign in with your corporate ID
- You would be redirected to the WordPress Login screen. Enter the Credentials and click Log in.
- If you were able to redirect to the selected Callback URL, then your configuration is correct.
In this Guide, you have successfully integrated AWS Cognito SAML Single Sign-On (SSO) with the plugin - Login using WordPress Users ( WP as SAML IDP ). Configuring AWS Cognito as SP and WordPress as IDP. This solution ensures that you are ready to roll out secure Single Sign-On (SSO) access with SAML 2.0 Authentication into AWS Cognito SSO using WordPress login credentials.
Additional Resources
Why Our Customers choose miniOrange WordPress Single Sign-On (SSO) Solutions?
24/7 Support
miniOrange provides 24/7 support for all the Secure Identity Solutions. We ensure high quality support to meet your satisfaction.
Sign UpExtensive Setup Guides
Easy and precise step-by-step instructions and videos to help you configure within minutes.
Watch DemoWe offer Secure Identity Solutions for Single Sign-On, Two Factor Authentication, Adaptive MFA, Provisioning, and much more. Please contact us at
+1 978 658 9387 (US) | +91 97178 45846 (India) samlsupport@xecurify.com
Need Help? We are right here!
