10

An app is communicating via the Open ID Connect protocol with AWS Cognito, which is connected to ADFS, communicating via SAML. Cognito is essentially "proxying" the ADFS server.

ADFS holds a group mapping that the app requires, and I would like to import these groups into Cognito as actual Cognito Group - which will then be read by the app from the cognito:groups from the ID-token Cognito provides.

In the AWS Cognito User Pool setup, I don't see a way to map ADFS groups to Cognito Groups - must I absolutely rely on a custom attribute for my User Pool that I can map to the ADFS-property, or am I missing some piece of configuration that allows Cognito to create new groups on the fly and automatically assign the users to the groups in Cognito?

edit: To clarify, Is it possible to setup Cognito to add/create groups (not as a custom property, but a actual manageable cognito groups) when it imports users?

Tobias Roland
  • 1,182
  • 1
  • 13
  • 35
  • This might help you https://stackoverflow.com/a/50373090/5543072 – Sagar P. Ghagare Mar 19 '19 at 11:58
  • 1
    @Sagar ADFS, Cognito and the app are talking together already - my knowledge gap is whether groups from ADFS can be configured to become Cognito Groups, or if I must rely on a custom property on the Cognito user to hold a list of group names – Tobias Roland Mar 19 '19 at 17:05

3 Answers3

3

I had the same issue, and I have not found a static mapping option in Cognito either.

The only way I see is to map the AD groups to custom:adgroups attribute in Cognito, and set up a Cognito "Pre Token Generation" lambda trigger. The lambda reads the value of the custom:adgroups and manually overrides the user's Cognito groups.

NB - this does not change the cognito user's group permanently, only for the current session, but from the application perspective that's exactly what I needed.

Please see a dummy static (non conditional) ADMIN group assignment example here:

def lambda_handler(event, context):
print(f'incoming event: {json.dumps(event)}')

# manual cognito group override
if event['triggerSource'] == "TokenGeneration_HostedAuth":
    event['response'] = {
            "claimsOverrideDetails": {
                "groupOverrideDetails": {
                    "groupsToOverride": [
                        "ADMIN"
                    ]
                }
            }
        }

return event

More detailed documentation here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html

tibor
  • 100
  • 11
  • Alternative solution could be to ditch the Cognito groups altogether and use IAM roles to manage application roles/permissions, as written here: https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/ – tibor Dec 10 '19 at 16:20
0

Could you use the Post authentication Lambda trigger to update the user's group in the Cognito User Pool based off the group in AD? You could use the APIs: AdminAddUserToGroup and AdminRemoveUserFromGroup. The only issue with this approach is that if you change the user's group in AD, it won't be updated in Cognito until the user authenticates to Cognito again.

Ben Stickley
  • 1,551
  • 1
  • 16
  • 22
-1

How to setup ADFS with Cognito is documented in this link. The section answering your question is the mapping in step 4, item 5. I'm copying the relevant text below:

Choose Attribute mapping. These mappings map the claims from the SAML assertion from AD FS to the user pool attributes.

Make sure that ADFS is sending the groups in the assertions. For setting up the ADFS side for groups this link might be useful.

You could debug the flow with SAML-tracer plugin in Firefox.

rsa
  • 102
  • 2
  • 8
  • Thanks @rsa. I already have the integration working, what I was hoping to find out was if there was a way to map ADFS groups to the actual cognito groups. By the looks of it, there is not, and Cognito Groups/assigning users to said groups will have to manually be managed within Cognito. I was hoping someone would be able weigh in and say whether definitively possible/impossible. – Tobias Roland Mar 20 '19 at 09:25