Azure Ad as IdP #68

Closed
dosiennik opened this issue Jun 27, 2022 · 7 comments
Labels
type: question Further information is requested

Comments

@dosiennik
Contributor

dosiennik commented Jun 27, 2022

Hi,

We are trying to use Azure AD as IdP for data.all. We configured Cognito accordingly. We are able to login with Azure AD and we are receiving the list of user groups.

As far as we see for the groups, Azure AD returns just identifiers of the groups as random strings (not the readable names) and the identifiers are displayed to the users in the UI which is not very user friendly.

We are curious how to handle it since we would like to see the group names in the UI instead. We were thinking about mapping the group ids to group names in the piece of logic inside the Cognito pre-token generation trigger. There is one challenge though, since the group name can change in Azure AD. It will affect the values of the tags, policies etc.

I think for the Cognito Groups it is not a challenge because the group names can't be changed there.

Do you have any recommendation how it can be handled? Did you test data.all with other IdP providers?

@dosiennik dosiennik added the type: question Further information is requested label Jun 27, 2022
@dlpzx
Contributor

dlpzx commented Jun 28, 2022

Hi @dosiennik,

Did you follow the steps listed in the following guide?
Azure+Active+Directory+Integration+with+Amazon Cognito+User+Pools.pdf

There is a step in which we need to map the attributes from Microsoft AD to Cognito ones. For groups we have to create a custom attribute.

@dosiennik
Contributor Author

dosiennik commented Jun 28, 2022

Hi @dlpzx,

Thanks for sharing the guide. Yeah, as far as I see we proceed as described for the group mapping. Although it looks like Azure AD is able to return only group identifiers, not names, so as a result we see group ids in the UI. That's why I wanted to check if you have experienced a similar case and know how it can be handled.

@louishourcade
Contributor

louishourcade commented Jun 29, 2022

Hello,
Quick note: in the guide Azure+Active+Directory+Integration+with+Amazon Cognito+User+Pools.pdf, the name of the custom attribute should be saml.groups instead of groups. Otherwise it will not work (reference to the code).

And I also faced the same issue with Azure AD group ID. It seems it has been there for a while (stackoverflow issue). As mentioned in this post, I believe the only way is to do what you mentioned, which is implementing some kind of logic that calls Microsoft Graph to map group ID with their name.
This would work well as long as you don't change the group name in Azure.

@dosiennik
Contributor Author

dosiennik commented Jun 29, 2022

Hello,

Thanks for the info and links. Yeah, we noticed it and named the attribute as the code expects. It is mapped correctly, although as I mentioned the group id is there, not the name. Indeed it seems to be Azure's 'feature' ;) Currently we are working on a piece of logic in the Cognito event to map ids to names before the token is generated.
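
The mapping step discussed in this thread, as an added example and not code from data.all or from any participant: a Cognito pre token generation trigger (V1 event shape) that reads the SAML group attribute, resolves each Azure AD object ID to a display name and writes the names back into the token. The attribute name `custom:saml.groups`, the bracketed `[id, id]` string format, the claim `custom:saml.group_ids` and the lookup table are assumptions; the table stands in for the Microsoft Graph call mentioned above. It goes one step beyond the thread by also keeping the stable object IDs in a second claim, so policies keyed on IDs survive a rename in Azure AD, and by keeping any unresolved ID as-is rather than dropping a membership.

```python
import json
import re
from typing import Callable, List, Optional

# Assumption: the thread says the custom attribute must be named "saml.groups",
# which Cognito exposes as "custom:saml.groups". Not taken from the data.all code.
GROUP_ATTR = "custom:saml.groups"
GROUP_IDS_ATTR = "custom:saml.group_ids"  # assumed extra claim for the stable IDs

# Constructed sample directory standing in for a Microsoft Graph lookup
# (GET /groups/{id}); the IDs below are made-up placeholders.
SAMPLE_DIRECTORY = {
    "11111111-1111-1111-1111-111111111111": "DataEngineers",
    "22222222-2222-2222-2222-222222222222": "Analysts",
}


def parse_group_ids(raw: str) -> List[str]:
    """Cognito stores a multi-valued SAML attribute as one string; assume the
    form '[id1, id2]' but also accept a JSON array. Return the individual IDs."""
    if not raw:
        return []
    try:
        ids = json.loads(raw)
        if isinstance(ids, list):
            return [str(i) for i in ids]
    except ValueError:
        pass
    return [g for g in re.split(r"[\[\],\s]+", raw) if g]


def resolve_groups(ids: List[str], lookup: Callable[[str], Optional[str]]) -> List[str]:
    """Map IDs to names. An ID the directory cannot resolve is kept as the ID,
    so a membership is never silently removed from the token."""
    return [lookup(i) or i for i in ids]


def format_groups(values: List[str]) -> str:
    """Write the list back in the same bracketed form the attribute arrived in."""
    return "[" + ", ".join(values) + "]"


def handler(event, context=None, lookup=SAMPLE_DIRECTORY.get):
    """Pre token generation trigger: overwrite the group claim with display
    names and add the original object IDs as a separate, stable claim."""
    attrs = event["request"]["userAttributes"]
    ids = parse_group_ids(attrs.get(GROUP_ATTR, ""))
    names = resolve_groups(ids, lookup)
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": {
            GROUP_ATTR: format_groups(names),
            GROUP_IDS_ATTR: format_groups(ids),
        }
    }
    return event
```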

@louishourcade
Contributor

Alright, could you please share this piece of code when it is ready? I believe it will be extremely helpful for everyone federating Azure AD with Cognito.

@dosiennik
Contributor Author

Sure thing, let's keep in touch on the topic.

@dlpzx dlpzx closed this as completed Jul 8, 2022
@github-actions

github-actions bot commented Jul 8, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
