Follow manufacturer's instructions :)
Record your domain name as $AZD and the sub-domain component as $AZDSUB
| Key | Sample |
|---|---|
| $AZD | craigaroachicloud.onmicrosoft.com |
| $AZDSUB | craigaroachicloud |
- Name: Alice Armstrong
- User name: alice@$AZD
- Profile: arbitrary
- Directory role: User
Record the user name as $ALICEID

| Sample $ALICEID |
|---|
| alice@craigaroachicloud.onmicrosoft.com |

Record the user's generated password as $ALICEPWD. Note: the password will be changed on first login.
- Group Type: Security
- Group Name: OperationsManagers
- Group Description: arbitrary
- Membership type: Assigned
Select the Group OperationsManagers
Add members
- Alice Armstrong
Navigate to Cognito in Console, then Create Pool
Enter your chosen pool name and record as $CUP
$CUP=BlueCup
- Sign in: Username
- Required attributes: email
- Custom attributes: skip
- Password Strength: your choice
- Allow user sign-up: true
- MFA: off
- Verification: email
- Message customizations: skip
- Remember your user's devices
- App Clients: skip for now
- Custom workflows: skip
Save your user pool.
Record your Pool Id and ARN as $CUPID and $CUPARN
| Key | Sample |
|---|---|
| $CUPID | ap-southeast-2_0ShBpWf3u |
| $CUPARN | arn:aws:cognito-idp:ap-southeast-2:167635472246:userpool/ap-southeast-2_0ShBpWf3u |
Select your Cognito User Pool called $CUP
Navigate to App Integration | Domain name
Determine a domain name prefix for your user pool. It needs to be unique within your selected AWS region; a concatenation of $AZDSUB and $CUP is a good choice. You can click the Check Availability button to confirm.
Enter your chosen domain prefix and record it as $CUPDP
| Sample $CUPDP |
|---|
| craigaroachicloud-bluecup |
Save Changes
Record your fully qualified Cognito user pool domain name $CUPFQDN
| Sample $CUPFQDN |
|---|
| https://craigaroachicloud-bluecup.auth.ap-southeast-2.amazoncognito.com |
Construct your SAML endpoint using this domain name. After authenticating a user, AAD will respond with an HTTP redirect back to this endpoint using the SAML HTTP-POST binding: the SAML assertion is encoded as HTML form data, which the user's browser POSTs to the endpoint. This is the Assertion Consumer Service (ACS) URL that you will later enter in AAD as the Reply URL. To construct the endpoint URL, append /saml2/idpresponse to $CUPFQDN and record the result as $CUPSAML:

$CUPSAML = $CUPFQDN + /saml2/idpresponse
| Sample $CUPSAML |
|---|
| https://craigaroachicloud-bluecup.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse |
Construct your SAML Service Provider (SP) Entity ID, also known as the Audience URI, by prefixing your Pool Id with urn:amazon:cognito:sp: and record the result as $CUPSPENTITY:

$CUPSPENTITY = urn:amazon:cognito:sp: + $CUPID
| Sample $CUPSPENTITY |
|---|
| urn:amazon:cognito:sp:ap-southeast-2_0ShBpWf3u |
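The two values just constructed ($CUPSAML and $CUPSPENTITY) are the ones most often mistyped on the AAD side, and a mismatch shows up only as a generic SAML failure at login. The following added example (mine, not part of the original walkthrough) derives both values from the recorded pool settings and cross-checks them against what was entered in AAD's Basic SAML Configuration, including the region embedded in the Pool Id and ARN. The function and variable names are my own; the sample values are the ones recorded above.

```python
"""Derive and cross-check the Cognito SAML SP values ($CUPSPENTITY, $CUPSAML).
Added example, not from the original walkthrough; sample values are the
ones recorded in the text."""
import re
from urllib.parse import urlparse

# Sample values recorded earlier in the walkthrough.
CUPID = "ap-southeast-2_0ShBpWf3u"
CUPARN = "arn:aws:cognito-idp:ap-southeast-2:167635472246:userpool/ap-southeast-2_0ShBpWf3u"
CUPDP = "craigaroachicloud-bluecup"

# Cognito user pool ids are '<region>_<suffix>'.
POOL_ID_RE = re.compile(r"^(?P<region>[a-z]{2}-[a-z]+-\d)_[A-Za-z0-9]+$")


def region_from_pool_id(pool_id: str) -> str:
    """Return the AWS region encoded in a Cognito user pool id."""
    m = POOL_ID_RE.match(pool_id)
    if not m:
        raise ValueError(f"not a Cognito user pool id: {pool_id!r}")
    return m.group("region")


def sp_entity_id(pool_id: str) -> str:
    """$CUPSPENTITY: the Audience URI Cognito expects in the assertion."""
    return "urn:amazon:cognito:sp:" + pool_id


def pool_fqdn(domain_prefix: str, region: str) -> str:
    """$CUPFQDN: the hosted-UI domain for a user pool domain prefix."""
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com"


def saml_acs_url(domain_prefix: str, region: str) -> str:
    """$CUPSAML: the Assertion Consumer Service (Reply URL)."""
    return pool_fqdn(domain_prefix, region) + "/saml2/idpresponse"


def check_aad_saml_config(pool_id: str, pool_arn: str, domain_prefix: str,
                          identifier: str, reply_url: str) -> list:
    """Compare the Identifier and Reply URL entered in AAD against what
    Cognito will accept. Returns a list of problems (empty means OK)."""
    problems = []
    region = region_from_pool_id(pool_id)

    # The ARN must name the same region and pool id as $CUPID.
    arn_parts = pool_arn.split(":")
    if len(arn_parts) != 6 or arn_parts[2] != "cognito-idp":
        problems.append("ARN is not a cognito-idp ARN")
    else:
        if arn_parts[3] != region:
            problems.append("ARN region differs from pool id region")
        if arn_parts[5] != "userpool/" + pool_id:
            problems.append("ARN resource is not userpool/<pool id>")

    # Audience URI: an assertion for any other audience is rejected.
    expected_entity = sp_entity_id(pool_id)
    if identifier != expected_entity:
        problems.append("Identifier (Entity ID) should be " + expected_entity)

    # ACS URL: must be https and match the pool's own domain and region.
    expected_acs = saml_acs_url(domain_prefix, region)
    if urlparse(reply_url).scheme != "https":
        problems.append("Reply URL must use https")
    if reply_url != expected_acs:
        problems.append("Reply URL (ACS URL) should be " + expected_acs)
    return problems


if __name__ == "__main__":
    region = region_from_pool_id(CUPID)
    print("CUPSPENTITY =", sp_entity_id(CUPID))
    print("CUPSAML     =", saml_acs_url(CUPDP, region))
    print("problems:", check_aad_saml_config(
        CUPID, CUPARN, CUPDP, sp_entity_id(CUPID), saml_acs_url(CUPDP, region)))
```

Run it once with the values you actually pasted into the AAD Basic SAML Configuration screen; an empty problem list means the Audience and ACS URL agree with the pool.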
Navigate to Cognito | $CUP | General Settings | App Clients
| Field | Value |
|---|---|
| App client name | TeamCalendar |
| Generate client secret | true |

Create app client
Record the App client id and App client secret as $CUPCID and $CUPCSECRET. The secret is a credential: keep it out of source control.

| Key | Sample |
|---|---|
| $CUPCID | 2n6pup059ng2scg8n1crb1v5j6 |
| $CUPCSECRET | kb5a9vmn2ua7qu70jghgv5m3bsopqheaeaumsadgmpbthc8sf6s |
Navigate to AAD | Default Directory | Manage | Enterprise Applications
Select New Application, then Select Non-gallery application
- Name: TeamCalendar
Add
Select Manage | Single sign-on, then Select SAML
Navigate to Basic SAML Configuration, then Select Edit
| Attribute | Value | Sample |
|---|---|---|
| Identifier (Entity ID) | $CUPSPENTITY | urn:amazon:cognito:sp:ap-southeast-2_0ShBpWf3u |
| Reply URL (ACS URL) | $CUPSAML | https://craigaroachicloud-bluecup.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse |
Save
Navigate to User Attributes & Claims, then Select Edit
Click on the claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress and change its Source attribute from user.mail to user.userprincipalname, so that the email claim Cognito requires is always populated (user.mail is empty for accounts without a mailbox).
Navigate to SAML Signing Certificate, then Record App Federation Metadata URL as $AZDFM
| Sample $AZDFM |
|---|
| https://login.microsoftonline.com/23033791-d560-4912-8b87-c6e361fa3e17/federationmetadata/2007-06/federationmetadata.xml?appid=9be99ae6-3547-4ba7-b65d-7e0e9c1b4365 |

Optionally, download the Federation Metadata XML
View Metadata document URL in browser, or downloaded XML
Navigate to TeamCalendar | Manage | Users and groups
Select Add User
Find Alice Armstrong, then Select
Select then Assign
Confirm Alice Armstrong has been assigned to TeamCalendar
Log out of AAD
Navigate to Cognito | $CUP | Federation | Identity Providers
Select SAML
Navigate to Metadata Document
Either Enter $AZDFM OR Upload Federation Metadata XML
Enter Provider name AAD
Create Provider
Navigate to Cognito | $CUP | App Integration | App Client Settings
Navigate to $CUPCID
| Field | Value | Sample |
|---|---|---|
| Enabled Identity Providers | AAD | - |
| Callback URL | $ALBURL + /oauth2/idpresponse | https://www2.craigroachnz.net/oauth2/idpresponse |
| OAuth2 - Allowed Flows | Authorization Code Grant | - |
| OAuth2 - Allowed Scopes | email, openid | - |
Create sample application without ALB