
I've been using SAML identity federation on my user pool, which has a hosted sign-in page. I configured both Azure Active Directory and the Cognito user pool so I can log in with an AD user. I have added multiple SAML providers in a similar manner, and that works without issue. The problem occurs when I use the Identifiers attribute, which is used to log in to the corresponding IdP by extracting the domain name from the email. I followed this documentation. This is how it looks in the AWS console.


Now when I try to log in with an AD user email, it gives me a "Login not allowed" error. It worked well when I didn't use this optional identifiers parameter.


Can someone help me to resolve this issue?


Apparently the "Identifiers" parameter has some connection with the user pool's "General Settings -> Policies". You need to select the "Allow users to sign themselves up" option for IdP identifiers to work.

Although this worked, when you enable the sign-up option there will be a link to sign up on the hosted page.

In my case, I do not want users to sign themselves up. However, this is some progress.

  • FWIW, users first need to be confirmed in order to be able to log in, but someone could still create a ton of accounts and DoS Cognito or just fill up the account database.
    – dskrvk
    Commented Mar 19, 2020 at 22:40
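One way to keep "Allow users to sign themselves up" enabled (so IdP identifiers work) while still refusing native self-registration, as raised in the answer and the comment above, is a Pre Sign-up Lambda trigger that only lets federated and admin-created users through. This is an added example, not code from the question or answer; the provider name `AzureAD`, the domain mapping in `IDP_DOMAINS` and the sample events are constructed for illustration.

```python
# Cognito Pre Sign-up trigger. Cognito invokes it before creating any user record and
# sets event["triggerSource"] to one of the documented values:
#   "PreSignUp_SignUp"           - the user called SignUp (hosted UI link or SDK)
#   "PreSignUp_AdminCreateUser"  - an administrator created the user
#   "PreSignUp_ExternalProvider" - first sign-in through a federated IdP (SAML/OIDC)
# Raising an exception makes Cognito reject the sign-up, so native self-registration
# is blocked even though the pool-level "sign themselves up" policy stays enabled.

# Constructed assumption: SAML provider name (as configured in the user pool) -> email
# domains that the "Identifiers" setting routes to that provider.
IDP_DOMAINS = {"AzureAD": {"example.com"}}


class SignUpRejected(Exception):
    """Raising from the trigger makes Cognito refuse the sign-up."""


def lambda_handler(event, context=None):
    source = event.get("triggerSource", "")
    if source == "PreSignUp_AdminCreateUser":
        return event  # console / AdminCreateUser provisioning stays allowed
    if source != "PreSignUp_ExternalProvider":
        # Native SignUp from the hosted UI or SDK, or an unknown source: reject.
        raise SignUpRejected(f"self sign-up is disabled (triggerSource={source})")
    # Federated first sign-in. Cognito names these users "<ProviderName>_<subject>";
    # as defence in depth, require the asserted email domain to belong to that provider.
    user_name = event.get("userName", "")
    email = event.get("request", {}).get("userAttributes", {}).get("email", "")
    domain = email.rpartition("@")[2].lower()
    for provider, domains in IDP_DOMAINS.items():
        if user_name.startswith(provider + "_") and domain in domains:
            return event
    raise SignUpRejected(f"email domain {domain!r} is not mapped to provider of {user_name!r}")


def is_allowed(event):
    """Convenience wrapper: True if the trigger would let the sign-up proceed."""
    try:
        lambda_handler(event)
        return True
    except SignUpRejected:
        return False


# Constructed sample events in the shape Cognito sends to the trigger.
FEDERATED_EVENT = {"triggerSource": "PreSignUp_ExternalProvider", "userName": "AzureAD_1234567890",
                   "request": {"userAttributes": {"email": "alice@example.com"}}, "response": {}}
NATIVE_EVENT = {"triggerSource": "PreSignUp_SignUp", "userName": "alice",
                "request": {"userAttributes": {"email": "alice@example.com"}}, "response": {}}
WRONG_DOMAIN_EVENT = {"triggerSource": "PreSignUp_ExternalProvider", "userName": "AzureAD_42",
                      "request": {"userAttributes": {"email": "bob@other.example"}}, "response": {}}
```

Deploy it as the pool's Pre sign-up trigger; the hosted UI will still render the sign-up link, but submissions through it are refused by the trigger.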
