Amazon Cognito lets you add user sign-up, sign-in, and access control to your web apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook and Google, and with enterprise identity providers via SAML 2.0. The Login using WordPress Users ( WP as SAML IDP ) plugin gives you the ability to use your WordPress credentials to log into Amazon Cognito. Here we will go through a step-by-step guide to configure SSO between Amazon Cognito as the Service Provider and WordPress as the Identity Provider.
Pre-requisite: Download And Installation
- To integrate the WordPress site as an Identity Provider, you will need to install the miniOrange Login using WordPress Users ( WP as SAML IDP ) Plugin.
Follow the steps below to configure SSO between Amazon Cognito and WordPress.
Step 1: Configure Amazon Cognito as the Service Provider:
- Open the WordPress site.
- Install and activate the Login using WordPress Users ( WP as SAML IDP ) plugin on the WordPress site that is acting as the Identity Provider.
- Go to the WordPress IDP plugin and navigate to the IDP Metadata tab. Here you can find the Identity Provider Metadata URL, or you can download the Metadata File. You will need this to configure the Service Provider (Amazon Cognito).
- Go to the Amazon Cognito console. You might be prompted for your AWS credentials.
- Click on Manage User Pools.
- Choose an existing user pool from the list, or Create a User Pool.
- To create a new user pool, enter a Pool Name and select Review Defaults.
- On the navigation bar on the left-side of the page, choose App clients under General settings.
- Choose Add an app client and give your app a Name.
- Clear the option Generate client secret for the purposes of this getting started exercise, as it would not be secure to send it in the URL using client-side JavaScript.
- Choose Create app client.
- Note the App client ID and choose Return to pool details.
- Click on the Domain name tab of the Amazon Cognito console and add Domain Prefix.
- On the left navigation bar, choose Identity providers and then choose SAML to open the SAML dialog.
- Under Metadata document, upload a metadata document from your SAML IdP. You can also enter a URL that points to the metadata document.
Note: Amazon Cognito recommends that you provide the endpoint URL if it is a public endpoint, rather than uploading a file, because this allows Amazon Cognito to refresh the metadata automatically. Typically, metadata refresh happens every 6 hours or before the metadata expires, whichever is earlier.
Enter the values by referring to the table below.

| Field | Value |
| --- | --- |
| Provider Name | Enter your SAML Identity Provider name. |
| Identifiers (optional) | Enter any optional SAML Identifiers you want to use. |
| Enable IdP sign out flow | Select Enable IdP sign out flow if you want your user to be logged out from the SAML IdP when logging out from Amazon Cognito. Note: This is a premium feature in the miniOrange Login using WordPress Users ( WP as SAML IDP ) Plugin. |

- Click on Create provider.
- On the Attribute mapping (OPTIONAL) tab, if you are opting for it, add mappings for at least the required attributes, typically email.
Note: Attribute Mapping is a premium feature in the Login using WordPress Users ( WP as SAML IDP ) Plugin.
- Choose Save changes.
- In the left navigation pane, under App integration, choose App client settings.
- On the app client page, do the following:
Under Enabled Identity Providers, check the Name provided while configuring Identity Provider in the previous
step and Cognito User Pool check boxes.
For Callback URL(s), enter a URL where you want your users to be redirected after they log in. For testing, you
can enter any valid URL, such as https://www.example.com/.
For Sign out URL(s), enter a URL where you want your users to be redirected after they log out. For testing, you
can enter any valid URL, such as https://www.example.com/.
- Choose Save changes.

Screenshots (not reproduced here): Add Domain name to your Pool; Configure SAML Identity Provider in your user pool; Change App client settings for your user pool.

Step 2: Configure WordPress as the Identity Provider:
- You will need the following values from Amazon Cognito:
- Entity ID: e.g. urn:amazon:cognito:sp:yourUserPoolID. You can find yourUserPoolID in the General settings tab in the Amazon Cognito console.
- ACS URL: e.g. https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse. You can find yourDomainPrefix and the region value for your user pool in the Domain name tab in the Amazon Cognito console.
- Open the WordPress site.
- Go to the WordPress IDP plugin, navigate to the Service Provider tab.
- Enter the values corresponding to the information from Amazon Cognito. Refer to the table below.
| Field | Value |
| --- | --- |
| Service Provider Name | Name of your Service Provider. |
| SP Entity ID or Issuer | Copy and paste the SP Entity ID from Amazon Cognito. |
| ACS URL | Copy and paste the ACS URL from Amazon Cognito. |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Assertion Signed | Checked |

- Click on the Save button to save your configuration.
Step 3: Configure attributes in the plugin (This is a premium feature):
- In the WordPress IDP plugin, navigate to the Attribute/Role Mapping tab.
- In the User Attributes section, enter the following information and click Save.
- Click on the + sign to add attributes.
- In the Custom Attributes section, enter the following information and click Save.
- Make sure to add the same information in Amazon Cognito under the Attribute Mapping tab.
In WordPress:

| Name | User Meta Data |
| --- | --- |
| FirstName | first_name |
| LastName | last_name |
| | user_email |

| Name | Custom Attribute Value |
| --- | --- |
| Custom | customvalue |

In Amazon Cognito:

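The following script is an added example, not code from this guide or from the miniOrange plugin. It ties Step 2 and Step 3 together: it derives the SP Entity ID and ACS URL from a user pool ID, domain prefix and region in the form the Cognito console shows them, then checks a constructed SAML Response the way the Service Provider must before trusting it: Destination and SubjectConfirmation Recipient equal the ACS URL, the Audience names the SP Entity ID, the NameID uses the emailAddress format configured in the plugin, the Conditions window covers the current time, the status is Success, and every attribute mapped in Step 3 (FirstName, LastName, user_email, Custom) is present. The pool ID, domain prefix, region and the response itself are constructed placeholders. XML signature verification against the IdP certificate is a separate SP step and is not implemented here.

```python
"""Check a SAML Response against the Cognito SP values entered in the WordPress IdP plugin.

Added example (not from the guide or the plugin). Pool ID, prefix, region and
the sample response are constructed placeholders.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
MAPPED_ATTRS = ["FirstName", "LastName", "user_email", "Custom"]  # Step 3 mapping


def cognito_sp_settings(user_pool_id: str, domain_prefix: str, region: str) -> dict:
    """Reproduce the two values Step 2 copies from the Cognito console."""
    return {
        "entity_id": f"urn:amazon:cognito:sp:{user_pool_id}",
        "acs_url": f"https://{domain_prefix}.auth.{region}.amazoncognito.com/saml2/idpresponse",
    }


def _utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text: str, expected: dict, required_attrs, now: datetime) -> list:
    """Return a list of problems; an empty list means the response matches the SP settings."""
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != expected["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion element"]
    audiences = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["entity_id"] not in audiences:
        problems.append(f"Audience {audiences} does not name SP Entity ID")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_NAMEID:
        problems.append("NameID missing or not emailAddress format")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        problems.append("SubjectConfirmationData Recipient != ACS URL")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:  # validity window; clock skew handling omitted for brevity
        if cond.get("NotBefore") and now < _utc(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _utc(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    attrs = {x.get("Name"): [v.text for v in x.findall("saml:AttributeValue", NS)]
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in required_attrs:
        if not attrs.get(name):
            problems.append(f"mapped attribute {name!r} missing")
    return problems


# Constructed sample response addressed to a hypothetical pool us-east-1_EXAMPLE / prefix myprefix.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2030-01-01T10:00:00Z"
  Destination="https://myprefix.auth.us-east-1.amazoncognito.com/saml2/idpresponse">
  <saml:Issuer>https://wordpress.example.com/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2030-01-01T10:00:00Z">
    <saml:Issuer>https://wordpress.example.com/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2030-01-01T10:05:00Z"
          Recipient="https://myprefix.auth.us-east-1.amazoncognito.com/saml2/idpresponse"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2030-01-01T09:59:00Z" NotOnOrAfter="2030-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:amazon:cognito:sp:us-east-1_EXAMPLE</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="user_email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Custom"><saml:AttributeValue>customvalue</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def demo() -> dict:
    """Check the sample against the right pool, a different pool, and after expiry."""
    good = cognito_sp_settings("us-east-1_EXAMPLE", "myprefix", "us-east-1")
    other = cognito_sp_settings("us-east-1_OTHERPOOL", "myprefix", "us-east-1")
    now = datetime(2030, 1, 1, 10, 1, tzinfo=timezone.utc)
    late = datetime(2030, 1, 1, 10, 10, tzinfo=timezone.utc)
    return {
        "matching": check_response(SAMPLE_RESPONSE, good, MAPPED_ATTRS, now),
        "wrong_pool": check_response(SAMPLE_RESPONSE, other, MAPPED_ATTRS, now),
        "after_expiry": check_response(SAMPLE_RESPONSE, good, MAPPED_ATTRS, late),
    }


if __name__ == "__main__":
    print(demo())
```

A mismatch reported by this check is the usual cause of a failed Step 4 test: an Entity ID or ACS URL pasted into the plugin that differs from the pool's values, a NameID format other than emailAddress, or an attribute name that does not match the Cognito Attribute Mapping tab.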
Step 4: Testing SSO:
- In the Amazon Cognito console go to Manage User Pool.
- In the left navigation pane, under App integration, choose App client settings.
- In the Configured App Client, click on the Launch Hosted UI.
- Click on the button below Sign in with your corporate ID.
- You would be redirected to the WordPress Login screen. Enter the Credentials and click Log in.



If you don't find what you are looking for, please contact us at info@xecurify.com or call us at +1 978 658 9387.