Note: Single sign-on is available only on qualifying plans. If you would like to know whether your plan supports SSO, please contact [email protected].
Setup
In this step, you add an Amazon Cognito user pool as an application in Azure AD to establish a trust relationship between them.
To add new application in Azure AD
Log in to the Azure Portal.
In the Azure Services section, choose Azure Active Directory.
In the left sidebar, choose Enterprise applications.
Choose New application.
On the Browse Azure AD Gallery page, choose Create your own application.
Under What’s the name of your app?, enter a name for your application and select Integrate any other application you don’t find in the gallery (Non-gallery), as shown in Figure 1. Choose Create.
Figure 1: Add an enterprise app in Azure AD
It will take few seconds for the application to be created in Azure AD, then you should be redirected to the Overview page for the newly added application.
Note: Occasionally, this step can result in a Not Found error, even though Azure AD has successfully created a new application. If that happens, in Azure AD navigate back to Enterprise applications and search for your application by name.
On the Getting started page, in the Set up single sign on tile, choose Get started, as shown in Figure 2.
Figure 2: Application configuration page in Azure AD
On the next screen, select SAML.
In the middle pane under Set up Single Sign-On with SAML, in the Basic SAML Configuration section, choose the edit icon.
In the right pane under Basic SAML Configuration, replace the default Identifier ID (Entity ID) with the Identifier (Entity ID) you copied previously. In the Reply URL (Assertion Consumer Service URL) field, enter the Reply URL you copied previously, as shown in Figure 3. Choose Save.
Figure 3: Azure AD SAML-based Sign-on setup
EU multi-tenant:Identifier (Entity ID): urn:amazon:cognito:sp:eu-west-1_990dPQ8mS
Reply URL (Assertion Consumer Service URL): https://ond-prod.auth.eu-west-1.amazoncognito.com/saml2/idpresponseUS multi-tenant:
Identifier (Entity ID): urn:amazon:cognito:sp:us-east-1_pUtX6J3XM
Reply URL (Assertion Consumer Service URL): https://ond.auth.us-east-1.amazoncognito.com/saml2/idpresponseScroll down to the SAML Signing Certificate section, and download the Federation Metadata XML.
Attributes mapping requirements
O&D requires these attributes to be mapped correctly:
emailaddress
name
The first user to sign in using SSO will be set as the Super Admin in O&D. Afterwards, new users signing in will be assigned the Member role. User roles can be changed by Super Admin and Admin users in O&D from the Settings > Organization > Members page.
Claim name | Value |
<email address> | |
<full name> |
Note: The value field should be linked to the relevant source attribute.
Actions
Send a Federation Metadata XML to your Office & Dragons point of contact.
Once your O&D contact has confirmed that SSO is active for your organization, try signing in with SSO. Remember, the first user to sign in using SSO will be set as the Super Admin.
Change your organization's name in Office & Dragons from Settings > Organization > General before inviting more users to sign in.