
I have the following claim on my AD FS server:

LDAP Attribute:
Token-Groups - Unqualified Names

Outgoing Claim Type: Group

which returns, in my SAML response, the groups the user is a member of:

    <AttributeStatement>
        <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
            <AttributeValue>Domain Users</AttributeValue>
            <AttributeValue>AWS-Production</AttributeValue>
            <AttributeValue>AWS-Dev</AttributeValue>
        </Attribute>
    </AttributeStatement>

How can I map these groups to custom cognito user pool attributes?

I have tried mapping with the SAML attribute names http://schemas.xmlsoap.org/claims/Group and http://schemas.microsoft.com/ws/2008/06/identity/claims/groups.

But the attributes do not map over to Cognito. I have tried mapping my custom attribute to other attributes like email address and have been successful; it's just with groups that I have not been able to successfully map over the values.

P.S. Sorry I would have posted photos documenting the process in more detail, but imgur is blocked at my work.

bflynnigan
  • Two important points: 1) make sure the custom attribute is marked as mutable and writable; this may sound counter-intuitive but it's a must for mapping to work. 2) If you plan to use that attribute for authorization decisions, you must uncheck the 'aws.cognito.signin.user.admin' scope. This prevents users from using their access token to write to that attribute. – Eran Medan Feb 01 '19 at 16:30
    Did you manage to solve this? – Ciryon Apr 23 '19 at 18:50

2 Answers


I had to do a similar setup recently, and my mapping worked when I mapped the AD groups to the Cognito custom:adgroups user pool attribute.

My SAML response fragment looks like this:

    <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <AttributeValue>DEV-ODATA</AttributeValue>
        <AttributeValue>DEV-INDEX_PRICES</AttributeValue>
        <AttributeValue>DEV-INDEX_DELAYS</AttributeValue>
        <AttributeValue>DEV-WEBSITE_REPORTING</AttributeValue>
        <AttributeValue>DEV-VALIDATION</AttributeValue>
        <AttributeValue>DEV-ADMIN</AttributeValue>
        <AttributeValue>DEV-GUI</AttributeValue>
        <AttributeValue>DEV-FLOWS</AttributeValue>
        <AttributeValue>DEV-LEGAL</AttributeValue>
        <AttributeValue>DEV-IMG</AttributeValue>
        <AttributeValue>DEV-USER</AttributeValue>
    </Attribute>

and the mapping is simply

    https://aws.amazon.com/SAML/Attributes/Role  ->  custom:adgroups

But another issue came up afterwards, when I had to map these to Cognito groups, which you might want to do as well to manage application permissions. Details of how I worked around that are here: AWS Cognito - create groups from ADFS

Hope this helps.

tibor

I have just run into this and was hitting my head against a wall for a couple of days. I finally got it working by enabling the read and write permissions for the attributes on the app client.

Go to the App clients page, scroll down to the bottom and you will see a link that says Set attribute read and write permissions. When you click on that, a new bit of UI will appear. Tick both read and write for your custom attribute, and the SAML mapping will then have permission to write into it.

Adear
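The thread boils down to three checks: the group values actually arrive in the AD FS assertion, the app client is allowed to write the custom attribute (otherwise the mapping silently does nothing, as the last answer found), and, per Eran Medan's comment, the `aws.cognito.signin.user.admin` scope is removed if the attribute is going to drive authorization, because that scope lets a signed-in user rewrite their own attributes with their access token. The script below is an added example written for this thread, not AWS or AD FS code. It uses only the Python standard library; the SAML fragment is the question's AttributeStatement wrapped in the SAML 2.0 namespace, and the app-client dictionary is a constructed sample shaped like the `UserPoolClient` object that `describe-user-pool-client` returns. The function names are this example's own.

```python
"""
Audit helpers for the AD FS group -> Cognito custom attribute mapping
discussed in this thread. Hypothetical example code, not AWS's own.
"""
import xml.etree.ElementTree as ET  # parse assertions from untrusted IdPs with defusedxml instead

ADFS_GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"
COGNITO_SELF_WRITE_SCOPE = "aws.cognito.signin.user.admin"

# Constructed sample: the question's AttributeStatement as AD FS would emit it,
# inside the SAML 2.0 assertion namespace.
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <saml:AttributeValue>Domain Users</saml:AttributeValue>
    <saml:AttributeValue>AWS-Production</saml:AttributeValue>
    <saml:AttributeValue>AWS-Dev</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample shaped like the UserPoolClient member of
# `aws cognito-idp describe-user-pool-client` output.
SAMPLE_CLIENT = {
    "ClientName": "my-web-app",
    "ReadAttributes": ["email", "custom:adgroups"],
    "WriteAttributes": ["email", "custom:adgroups"],
    "AllowedOAuthScopes": ["openid", "email", "aws.cognito.signin.user.admin"],
}


def _local(tag):
    """Strip an XML namespace: '{urn:...}Attribute' -> 'Attribute'."""
    return tag.rsplit("}", 1)[-1]


def saml_attribute_values(statement_xml, attribute_name):
    """Return the AttributeValue strings of the named SAML attribute.

    Namespace-agnostic, so it works for the unprefixed fragment in the
    question as well as a real prefixed assertion. Empty list if absent.
    """
    root = ET.fromstring(statement_xml)
    for elem in root.iter():
        if _local(elem.tag) == "Attribute" and elem.get("Name") == attribute_name:
            return [(v.text or "").strip() for v in elem if _local(v.tag) == "AttributeValue"]
    return []


def audit_group_mapping(client, attribute="custom:adgroups"):
    """Check a Cognito app client for the two pitfalls raised in the thread.

    mapping_can_write  - Cognito only populates the attribute at sign-in when
                         the app client has write permission on it.
    user_can_self_edit - writable attribute plus the self-service scope means a
                         user can call UpdateUserAttributes with their own access
                         token and change their group list, so it must not be
                         used for authorization decisions in that state.
    """
    writable = attribute in client.get("WriteAttributes", [])
    self_edit = writable and COGNITO_SELF_WRITE_SCOPE in client.get("AllowedOAuthScopes", [])
    findings = []
    if not writable:
        findings.append(f"{attribute} is not in WriteAttributes: the IdP mapping will not populate it")
    if self_edit:
        findings.append(f"{attribute} is writable and {COGNITO_SELF_WRITE_SCOPE} is allowed: "
                        "users can overwrite their own group list; remove the scope first")
    return {"mapping_can_write": writable, "user_can_self_edit": self_edit, "findings": findings}


def hardened_client(client):
    """Copy of the client config with the self-service write scope removed.

    The attribute stays writable so the SAML mapping keeps working; only the
    user's ability to edit it through the access token goes away.
    """
    fixed = dict(client)
    fixed["AllowedOAuthScopes"] = [s for s in client.get("AllowedOAuthScopes", [])
                                   if s != COGNITO_SELF_WRITE_SCOPE]
    return fixed


if __name__ == "__main__":
    print("groups in assertion:", saml_attribute_values(SAMPLE_STATEMENT, ADFS_GROUP_CLAIM))
    for finding in audit_group_mapping(SAMPLE_CLIENT)["findings"]:
        print("FINDING:", finding)
    print("after hardening:", audit_group_mapping(hardened_client(SAMPLE_CLIENT))["findings"])
```

Running it against the samples reports the one finding the comment warns about (attribute writable while the self-service scope is enabled) and shows that dropping the scope clears it without breaking the mapping; feed it the JSON from your own `describe-user-pool-client` call to check a real client the same way.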