AWS Cognito

AWS Cognito SSO - Login using WordPress Users (WP as SAML IDP) Plugin enables Single Sign-On (SSO) login into AWS using WordPress Login credentials. In this guide, we will set up SAML Single Sign-On (SSO) with WordPress in AWS Cognito by configuring AWS Cognito as SP (Service Provider) and WordPress as IdP (Identity Provider).

Pre-requisites: Download And Installation

To integrate the WordPress site as an Identity Provider, you will need to install the miniOrange Login using WordPress Users (WP as SAML IDP) plugin:

Guide to set up AWS Cognito SSO Login with WordPress:

1. Configure AWS Cognito as the Service Provider (SP)

• Go to the WordPress IDP plugin, navigate to the IDP Metadata tab.
• Here, you can find here the Identity Provider Metadata URL /XML Metadata or endpoints like IDP Entity ID, SAML Login URL, SAML Logout URL (Premium Feature), Certificate for SP configuration.

 Create a user pool if not created already.

• Go to the Amazon Cognito console. You might be prompted for your AWS credentials.

• Choose an existing user pool from the list, or Create a User Pool.

• For creating new user pool. Enter Pool Name and select Review Defaults.

 Create an App Client in your user pool if not created already.

• On the navigation bar on the left-side of the page, choose App clients under General settings.
• Choose Add an app client and give your app a Name.
• Clear the option Generate client secret for the purposes of this getting started exercise, as it would not be secure to send it on the URL using client-side JavaScript.

• Choose Create app client.
• Note the App client ID and choose Return to pool details.

 Add Domain name to your Pool.

• Click on the Domain name tab of the Amazon Cognito console and add Domain Prefix.

 Configure SAML Identity Provider in your user pool.

• On the left navigation bar, choose Identity providers and then choose SAML to open the SAML dialog.


• Under Metadata document upload a metadata document from your SAML IdP. You can also enter a URL that points to the metadata document.
• Note: Amazon Cognito recommends that you provide the endpoint URL if it is a public endpoint, rather than uploading a file because this allows Amazon Cognito to refresh the metadata automatically. Typically metadata refresh happens every 6 hours or before the metadata expires, whichever is earlier.
• Enter the values by referring to the table below.

Provider Name	Enter your SAML Identity Provider name.
Identifiers (optional)	Enter any optional SAML Identifiers you want to use.
Identifiers (optional)	Enter any optional SAML Identifiers you want to use.
Identifiers (optional)	Enter any optional SAML Identifiers you want to use.
Enable IdP sign out flow	Select Enable IdP sign out flow if you want your user to be logged out from the SAML IdP when logging out from Amazon Cognito. Note: This is a premium feature in the miniOrange Login using WordPress Users (WP as SAML IDP) Plugin .


• Click on Create provider.
• On the Attribute mapping (OPTIONAL) tab,if you are opting for it then add mappings for at least the required attributes, typically email.

Note: Attribute Mapping is a premium feature in the Login using WordPress Users ( WP as SAML IDP ) Plugin .

• Choose Save changes.

 Change App client settings for your user pool.

• In the left navigation pane, under App integration, choose App client settings.
• On the app client page, do the following : Under Enabled Identity Providers, check the Name provided while configuring Identity Provider in the previous step and Cognito User Pool check boxes. For Callback URL(s), enter a URL where you want your users to be redirected after they log in. For testing, you can enter any valid URL, such as https://www.example.com/. For Sign out URL(s), enter a URL where you want your users to be redirected after they log out. For testing, you can enter any valid URL, such as https://www.example.com/.

• Choose Save changes.

You have successfully configured AWS Cognito as Service Provider.

2. Configure WordPress (WP) as IdP (Identity Provider)

• You would need following credentials from Amazon Cognito.

Entity ID	e.g. urn:amazon:cognito:sp:yourUserPoolID You can find your yourUserPoolID in the General settings tab in the Amazon Cognito console.
Entity ID	e.g. urn:amazon:cognito:sp:yourUserPoolID

• You can find your yourUserPoolID in the General settings tab in the Amazon Cognito console.


ACS URL

e.g. https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse. You can find yourDomainPrefix and the region value for your user pool in the Domain name tab in the Amazon Cognito console.

 Instructions:

• Open the WordPress site.
• Go to the WordPress IDP plugin, navigate to the Service Provider tab.
• Enter the values corresponding to the information from Amazon Cognito. Refer to the table below.

Service Provider Name	Name of your Service Provider.
SP Entity ID or Issuer	Copy and paste the SP-EntityID from Amazon Cognito.
ACS URL	Copy and paste the ACS URL from Amazon Cognito.
NameID Format	urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Assertion Signed	Checked


• Click on the Save button to save your configuration.

3. Attribute Mapping (This is a premium feature)

 In WordPress:

• In the WordPress IDP plugin, navigate to the Attribute/Role Mapping tab.
• In the User Attributes section, enter the following information and click on Save .
• You can also add more attributes by clicking on + sign to add attributes.

Name	User Meta Data
FirstName	first_name
LastName	last_name
Email	user_email

• In the Custom Attributes section, enter the following information and click Save .

Name	Custom Attribute Value
Custom	customvalue

 In Amazon Cognito:

• Make sure to add the following information in the Amazon Cognito under Attribute Mapping tab.

4. Testing SSO

• In the Amazon Cognito console go to Manage User Pool.
• In the left navigation pane, under App integration, choose App client settings.
• In the Configured App Client, click on the Launch Hosted UI.

• Click on the Button below Sign in with your corporate ID

• You would be redirected to the WordPress Login screen. Enter the Credentials and click Log in.

• If you were able to redirect to the selected Callback URL, then your configuration is correct.

In this Guide, you have successfully integrated AWS Cognito SAML Single Sign-On (SSO) with the plugin - Login using WordPress Users ( WP as SAML IDP ). Configuring AWS Cognito as SP and WordPress as IDP. This solution ensures that you are ready to roll out secure Single Sign-On (SSO) access with SAML 2.0 Authentication into AWS Cognito SSO using WordPress login credentials.

Additional Resources