Amazon Cognito Single Sign On (SSO) with WordPress as IDP | Login into Amazon Cognito using WordPress

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google and enterprise identity providers via SAML 2.0. Login using WordPress Users ( WP as SAML IDP ) plugin gives you the ability to use your WordPress credentials to log into Amazon Cognito. Here we will go through a step-by-step guide to configure SSO between, Amazon Cognito as Service Provider and WordPress as an Identity Provider.


Pre-requisite: Download And Installation


  • To integrate the WordPress site as an Identity Provider, you will need to install the miniOrange
    Login using WordPress Users ( WP as SAML IDP ) Plugin:

Follow the steps below to configure SSO between Amazon Cognito and WordPress.

Step 1: Configure Amazon Cognito as the Service Provider:

  • Open the WordPress site.
  • Install and activate the Login using WordPress Users ( WP as SAML IDP ) plugin on your WordPress site
    which is acting as Identity Provider.
  • Go to the WordPress IDP plugin, navigate to the IDP Metadata tab. Here, you can find the Identity
    Provider Metadata URL or you can Download the Metadata File. You would need this to configure the Service
    provider(Amazon Cognito).


    Instructions:

    Create a user pool if not created already.

  • Go to the Amazon Cognito console. You might be prompted for your AWS credentials.

  • Click on Manage User Pools.

  • Choose an existing user pool from the list, or Create a User Pool.

  • To create a new user pool, enter a Pool Name and select Review Defaults.

    Create an App Client in your user pool if not created already.

  • On the navigation bar on the left-side of the page, choose App clients under General settings.
  • Choose Add an app client and give your app a Name.
  • Clear the option Generate client secret for the purposes of this getting-started exercise, as it would not be
    secure to send the secret in the URL from client-side JavaScript.

  • Choose Create app client.
  • Note the App client ID and choose Return to pool details.

    Add Domain name to your Pool.

  • Click on the Domain name tab of the Amazon Cognito console and add Domain Prefix.

    Configure SAML Identity Provider in your user pool.

  • On the left navigation bar, choose Identity providers and then choose SAML to open the SAML dialog.

  • Under Metadata document upload a metadata document from your SAML IdP. You can also enter a URL that
    points to the metadata document.

    Note: Amazon Cognito recommends that you provide the endpoint URL if it is a public endpoint, rather than
    uploading a file because this allows Amazon Cognito to refresh the metadata automatically. Typically metadata
    refresh happens every 6 hours or before the metadata expires, whichever is earlier.

    Enter the values by referring to the table below.

    Provider Name              Enter your SAML Identity Provider name.
    Identifiers (optional)     Enter any optional SAML Identifiers you want to use.
    Enable IdP sign out flow   Select Enable IdP sign out flow if you want your user to be logged out from the
                               SAML IdP when logging out from Amazon Cognito.
                               Note: This is a premium feature in the miniOrange Login using WordPress Users
                               ( WP as SAML IDP ) Plugin.

  • Click on Create provider.
  • On the Attribute mapping (OPTIONAL) tab, if you are opting for it, add mappings for at least the required
    attributes, typically email.
    Note: Attribute Mapping is a premium feature in the Login using WordPress Users ( WP as SAML IDP ) Plugin.
  • Choose Save changes.

  • Change App client settings for your user pool.

  • In the left navigation pane, under App integration, choose App client settings.
  • On the app client page, do the following:
    Under Enabled Identity Providers, check the Name provided while configuring Identity Provider in the previous
    step and Cognito User Pool check boxes.

    For Callback URL(s), enter a URL where you want your users to be redirected after they log in. For testing, you
    can enter any valid URL, such as https://www.example.com/.

    For Sign out URL(s), enter a URL where you want your users to be redirected after they log out. For testing, you
    can enter any valid URL, such as https://www.example.com/.

  • Choose Save changes.

Step 2: Configure WordPress as the Identity Provider:

  • You would need the following values from Amazon Cognito:
    • Entity ID : e.g. urn:amazon:cognito:sp:yourUserPoolID

      You can find yourUserPoolID in the General settings tab in the Amazon Cognito console.

    • ACS URL : e.g. https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse

      You can find yourDomainPrefix and the region value for your user pool in the Domain name tab in the
      Amazon Cognito console.

    Instructions:

  • Open the WordPress site.
  • Go to the WordPress IDP plugin, navigate to the Service Provider tab.
  • Enter the values corresponding to the information from Amazon Cognito. Refer to the table below.

    Service Provider Name      Name of your Service Provider.
    SP Entity ID or Issuer     Copy and paste the SP Entity ID from Amazon Cognito.
    ACS URL                    Copy and paste the ACS URL from Amazon Cognito.
    NameID Format              urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    Assertion Signed           Checked
  • Click on the Save button to save your configuration.

Step 3: Configure attributes in the plugin (This is a premium feature):

    In WordPress:
  • In the WordPress IDP plugin, navigate to the Attribute/Role Mapping tab.
  • In the User Attributes section, click on the + sign to add attributes, enter the following information and
    click Save.

    Name        User Meta Data
    FirstName   first_name
    LastName    last_name
    Email       user_email

  • In the Custom Attributes section, enter the following information and click Save.

    Name        Custom Attribute Value
    Custom      customvalue
    In Amazon Cognito:
  • Make sure to add the same attribute names in the Amazon Cognito console under the Attribute mapping tab of
    the SAML identity provider.


Step 4: Testing SSO :

  • In the Amazon Cognito console go to Manage User Pool.
  • In the left navigation pane, under App integration, choose App client settings.
  • In the Configured App Client, click on the Launch Hosted UI.

  • Click on the Button below Sign in with your corporate ID

  • You would be redirected to the WordPress Login screen. Enter the Credentials and click Log in.

If you are redirected to the Callback URL you configured, your configuration is correct.
