iMIS Power Suite - SSO Premium

AWS Cognito

AWS Cognito serves as the directory provider for iMIS SSO Premium. Use this guide to configure your Cognito user pool, obtain the necessary iMIS SSO configuration values, and map claims so your users can securely sign in.

Setting up the Cognito user pool

Do the following to set up your Cognito user pool and app client, which are required for iMIS SSO Premium:

  1. Create or use an existing user pool.
  2. Create an App client under Applications > App clients.
    1. Select “Traditional web application”.
    2. Give the application a friendly name.
    3. Skip the Return URL for now; add it later, once the iMIS SSO record has been created.
    4. Click Create app client.
  3. Ensure that you have a domain set up (either a free Cognito domain or a Custom domain) under Branding > Domain.

Updating the configuration values

Gather and enter the necessary iMIS SSO configuration values in AWS Cognito, then update your app client settings to complete the connection:

  1. Obtain configuration values for iMIS SSO from the following places:
    • Discovery Domain: In the user pool, go to Overview, then copy the Token signing key URL and paste it into the Discovery Domain field, then click “Discover…”
    • Authorization URL: Should be auto-populated from the discovery document. Or, manually enter the value https://<YOUR_DOMAIN>/oauth2/authorize
    • Token URL: Should be auto-populated from the discovery document. Or, manually enter the value https://<YOUR_DOMAIN>/oauth2/token
    • Userinfo URL: Should be auto-populated from the discovery document. Or, manually enter the value https://<YOUR_DOMAIN>/oauth2/userinfo
    • Issuer: Should be auto-populated from the discovery document. Or, to obtain the Issuer manually, take the Token signing key URL from before and remove /.well-known/jwks.json from the end. The resulting URL has the format https://cognito-idp.<AWS_REGION_KEY>.amazonaws.com/<USER_POOL_ID>
    • Scopes: Enter this value exactly: openid profile email
    • Client ID: In Applications > App clients > Select the app client for iMIS SSO, then copy the Client ID value.
    • Client Secret: In Applications > App clients > Select the app client for iMIS SSO, then copy the Client secret value.
    • Enable PKCE: On
    • Enable Response Mode Form Post: Off
    • Enable Token Endpoint Basic Auth: Off
  2. Once saved, go back and edit the directory record, and copy the Return URL value.
  3. In Cognito, under Applications > App clients > Select the app client for iMIS SSO > Login pages, in the Managed login pages configuration box click Edit.
  4. Add the Return URL you copied to the Allowed callback URLs section, then click Save changes.
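The configuration values above are related to each other: the Issuer is the Token signing key URL minus its /.well-known/jwks.json suffix, and the three endpoints are all built from the Cognito domain. The following is an added example, not part of this guide or of iMIS, that derives the Issuer the way the guide describes and then cross-checks a discovery document against the derived values, so a typo in a manually entered URL (or a discovery document served by the wrong host) is caught before the record is saved. The domain, user pool ID and discovery document below are constructed placeholders; substitute the values from your own user pool.

```python
import re

# Suffix the guide tells you to strip from the Token signing key URL to get the Issuer.
JWKS_SUFFIX = "/.well-known/jwks.json"

# Issuer shape from the guide:
#   https://cognito-idp.<AWS_REGION_KEY>.amazonaws.com/<USER_POOL_ID>
# A user pool ID starts with its region, e.g. us-east-1_xxxxxxxxx.
ISSUER_RE = re.compile(
    r"^https://cognito-idp\.(?P<region>[a-z]{2}-[a-z]+-\d)\.amazonaws\.com/"
    r"(?P<pool>(?P=region)_[A-Za-z0-9]+)$"
)


def issuer_from_jwks_url(jwks_url: str) -> str:
    """Derive the Issuer from the Token signing key URL exactly as the guide describes."""
    if not jwks_url.endswith(JWKS_SUFFIX):
        raise ValueError("not a Cognito Token signing key URL: " + jwks_url)
    issuer = jwks_url[: -len(JWKS_SUFFIX)]
    if not ISSUER_RE.match(issuer):
        raise ValueError("issuer does not match the cognito-idp pattern: " + issuer)
    return issuer


def expected_endpoints(domain: str) -> dict:
    """The Authorization, Token and Userinfo URLs the guide gives for manual entry."""
    base = "https://" + domain
    return {
        "authorization_endpoint": base + "/oauth2/authorize",
        "token_endpoint": base + "/oauth2/token",
        "userinfo_endpoint": base + "/oauth2/userinfo",
    }


def check_discovery(doc: dict, jwks_url: str, domain: str) -> list:
    """Return every mismatch between a discovery document and the values derived
    from the Token signing key URL and the Cognito domain (empty list = consistent)."""
    problems = []
    issuer = issuer_from_jwks_url(jwks_url)
    if doc.get("issuer") != issuer:
        problems.append(f"issuer: expected {issuer}, got {doc.get('issuer')}")
    if doc.get("jwks_uri") != jwks_url:
        problems.append(f"jwks_uri: expected {jwks_url}, got {doc.get('jwks_uri')}")
    for key, expected in expected_endpoints(domain).items():
        if doc.get(key) != expected:
            problems.append(f"{key}: expected {expected}, got {doc.get(key)}")
    return problems


# Constructed placeholder values; real ones come from your user pool and app client.
SAMPLE_DOMAIN = "example-auth.auth.us-east-1.amazoncognito.com"
SAMPLE_JWKS_URL = (
    "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE123"
    "/.well-known/jwks.json"
)
# Constructed discovery document carrying only the fields this check looks at.
SAMPLE_DISCOVERY = {
    "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE123",
    "authorization_endpoint": "https://" + SAMPLE_DOMAIN + "/oauth2/authorize",
    "token_endpoint": "https://" + SAMPLE_DOMAIN + "/oauth2/token",
    "userinfo_endpoint": "https://" + SAMPLE_DOMAIN + "/oauth2/userinfo",
    "jwks_uri": SAMPLE_JWKS_URL,
}

if __name__ == "__main__":
    print("Issuer:", issuer_from_jwks_url(SAMPLE_JWKS_URL))
    for problem in check_discovery(SAMPLE_DISCOVERY, SAMPLE_JWKS_URL, SAMPLE_DOMAIN):
        print("MISMATCH:", problem)
```

Run it against the discovery document you fetched from the Token signing key URL's pool and the domain you configured under Branding > Domain; any line printed as MISMATCH points at a value that should not be saved into the iMIS SSO record as-is.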

Claims Mapping

Map the following claims:

  Field         Claim Name    Location
  External ID   sub           Access Token
  Username      email         ID Token
  Email         email         ID Token
  First Name    given_name    ID Token
  Last Name     family_name   ID Token
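The table above takes the External ID from the access token and the remaining fields from the ID token, so the two tokens must belong to the same sign-in. The following is an added example, not code from this guide or from iMIS, showing the mapping applied to two token payloads together with the consistency checks a relying party should make before trusting them: that each token's token_use matches the slot it is used in, that both carry the configured Issuer, that both name the iMIS app client (aud on the ID token, client_id on the access token), and that both have the same sub. It assumes the signatures and expiry have already been verified by your JWT library against the Token signing key URL; it also refuses an unverified email address, which is an extra precaution this guide does not require, since the email is used as the Username. The issuer, client ID and token payloads are constructed placeholders.

```python
# The claim-mapping table from the guide: iMIS field -> (claim name, which token).
CLAIM_MAP = {
    "External ID": ("sub", "access"),
    "Username": ("email", "id"),
    "Email": ("email", "id"),
    "First Name": ("given_name", "id"),
    "Last Name": ("family_name", "id"),
}


def map_claims(access_payload: dict, id_payload: dict, issuer: str,
               client_id: str, require_verified_email: bool = True) -> dict:
    """Apply the guide's claim mapping to two already signature-verified token
    payloads, refusing to map anything unless they are a consistent pair."""
    # Cognito stamps every token with token_use, so an ID token cannot be passed
    # off as an access token or vice versa.
    if access_payload.get("token_use") != "access":
        raise ValueError("first payload is not a Cognito access token")
    if id_payload.get("token_use") != "id":
        raise ValueError("second payload is not a Cognito ID token")
    # Both tokens must come from the configured Issuer (the user pool).
    for name, payload in (("access", access_payload), ("id", id_payload)):
        if payload.get("iss") != issuer:
            raise ValueError(f"{name} token issuer {payload.get('iss')!r} != {issuer!r}")
    # The ID token is addressed to the app client in aud; the access token names it in client_id.
    if id_payload.get("aud") != client_id:
        raise ValueError("ID token aud is not the iMIS app client")
    if access_payload.get("client_id") != client_id:
        raise ValueError("access token client_id is not the iMIS app client")
    # Both tokens must describe the same user, or External ID and Username would
    # be stitched together from two different people.
    if access_payload.get("sub") != id_payload.get("sub"):
        raise ValueError("access and ID token refer to different subjects")
    # Extra precaution beyond the guide: the email becomes the Username, so
    # require Cognito to have marked it verified.
    if require_verified_email and id_payload.get("email_verified") is not True:
        raise ValueError("ID token email is not verified")

    tokens = {"access": access_payload, "id": id_payload}
    mapped = {}
    for field, (claim, source) in CLAIM_MAP.items():
        value = tokens[source].get(claim)
        if value in (None, ""):
            raise ValueError(f"{source} token lacks claim {claim!r} needed for {field}")
        mapped[field] = value
    return mapped


# Constructed placeholders; real values come from your user pool and app client.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE123"
CLIENT_ID = "EXAMPLECLIENTID000000000000"
SUBJECT = "11111111-2222-3333-4444-555555555555"

# Constructed, already-verified payloads carrying only the claims this example reads.
SAMPLE_ACCESS = {
    "iss": ISSUER, "sub": SUBJECT, "token_use": "access", "client_id": CLIENT_ID,
}
SAMPLE_ID = {
    "iss": ISSUER, "sub": SUBJECT, "token_use": "id", "aud": CLIENT_ID,
    "email": "jane.doe@example.com", "email_verified": True,
    "given_name": "Jane", "family_name": "Doe",
}

if __name__ == "__main__":
    for field, value in map_claims(SAMPLE_ACCESS, SAMPLE_ID, ISSUER, CLIENT_ID).items():
        print(f"{field}: {value}")
```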