AWS Cognito
User Pool Instructions
- Create or use an existing user pool.
- Create an App client under Applications > App clients.
- Select “Traditional web application”.
- Give the application a friendly name.
- Skip the Return URL for now; add it later, once the iMIS SSO record has been created.
- Click “Create app client”.
- Ensure that you have a domain set up (either a free Cognito domain or a Custom domain) under Branding > Domain.
Configuration Values
- Obtain configuration values for iMIS SSO from the following places:
- Discovery Domain: In the user pool, go to Overview, then copy the Token signing key URL and paste it into the Discovery Domain field, then click “Discover…”
- Authorization URL: Should be auto-populated from the discovery document. Or, manually enter the value
https://<YOUR_DOMAIN>/oauth2/authorize
- Token URL: Should be auto-populated from the discovery document. Or, manually enter the value
https://<YOUR_DOMAIN>/oauth2/token
- Userinfo URL: Should be auto-populated from the discovery document. Or, manually enter the value
https://<YOUR_DOMAIN>/oauth2/userinfo
- Issuer: Should be auto-populated from the discovery document. Or, to obtain the Issuer manually, use the Token signing key URL from before and remove this section from the end:
/.well-known/jwks.json
The resulting URL has the following format: https://cognito-idp.<AWS_REGION_KEY>.amazonaws.com/<USER_POOL_ID>
- Scopes: Enter this value exactly:
openid profile email
- Client ID: In Applications > App clients > Select the app client for iMIS SSO, then copy the Client ID value.
- Client Secret: In Applications > App clients > Select the app client for iMIS SSO, then copy the Client secret value.
- Enable PKCE: On
- Enable Response Mode Form Post: Off
- Enable Token Endpoint Basic Auth: Off
- Once saved, go back and edit the directory record, and copy the Return URL value.
- In Cognito, under Applications > App clients > Select the app client for iMIS SSO > Login pages, in the Managed login pages configuration box click Edit.
- Add the Redirect URL you copied to the Allowed callback URLs section, then click Save changes.
Claims Mapping
Map the following claims:
Field | Claim Name | Location
---|---|---
External ID | sub | Access Token
Username | | ID Token
| | ID Token
First Name | given_name | ID Token
Last Name | family_name | ID Token
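The following is an added example, not code from the iMIS or AWS documentation. It derives the Issuer and endpoint values described under Configuration Values from the Token signing key URL and the hosted domain, then applies the claims mapping table above, rejecting tokens that were not issued by the configured user pool to the configured app client. The claim dictionaries are assumed to come from tokens whose signatures were already verified against the JWKS; the user pool ID, domain and client ID values are constructed placeholders.

```python
"""Derive iMIS SSO configuration values from the Cognito Token signing key URL
and hosted domain, then apply the claims mapping with issuer/audience checks.
Token claims passed in are assumed to be signature-verified already."""
import re

JWKS_SUFFIX = "/.well-known/jwks.json"
ISSUER_RE = re.compile(
    r"^https://cognito-idp\.([a-z0-9-]+)\.amazonaws\.com/([A-Za-z0-9_-]+)$")


def issuer_from_jwks_url(jwks_url: str) -> str:
    """Remove /.well-known/jwks.json, as the instructions say, and check that the
    remainder is https://cognito-idp.<AWS_REGION_KEY>.amazonaws.com/<USER_POOL_ID>."""
    if not jwks_url.endswith(JWKS_SUFFIX):
        raise ValueError("not a Cognito token signing key URL")
    issuer = jwks_url[: -len(JWKS_SUFFIX)]
    match = ISSUER_RE.match(issuer)
    if not match:
        raise ValueError("issuer is not in the Cognito user pool format")
    region, pool_id = match.groups()
    if not pool_id.startswith(region + "_"):  # pool IDs are <region>_<suffix>
        raise ValueError("user pool ID does not belong to the issuer's region")
    return issuer


def endpoints_for_domain(domain: str) -> dict:
    """Manual Authorization, Token and Userinfo URLs for a Cognito or custom domain."""
    host = re.sub(r"^https://", "", domain).rstrip("/")
    return {name: f"https://{host}/oauth2/{path}" for name, path in
            [("authorization_url", "authorize"), ("token_url", "token"),
             ("userinfo_url", "userinfo")]}


def map_claims(access_claims: dict, id_claims: dict, issuer: str, client_id: str) -> dict:
    """Apply the mapping table: External ID from the access token's sub, names from
    the ID token. Reject tokens from another user pool or another app client."""
    if access_claims.get("iss") != issuer or id_claims.get("iss") != issuer:
        raise ValueError("token issuer does not match the configured Issuer")
    # Cognito access tokens name the app client in client_id, ID tokens in aud.
    if access_claims.get("token_use") != "access" or access_claims.get("client_id") != client_id:
        raise ValueError("access token was not issued to this app client")
    if id_claims.get("token_use") != "id" or id_claims.get("aud") != client_id:
        raise ValueError("ID token was not issued to this app client")
    return {"External ID": access_claims["sub"],
            "First Name": id_claims.get("given_name"),
            "Last Name": id_claims.get("family_name")}
```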