AWS Cognito

User Pool Instructions

  1. Create or use an existing user pool.
  2. Create an App client under Applications > App clients.
    1. Select “Traditional web application”.
    2. Give the application a friendly name.
    3. Skip the Return URL, add this later once the iMIS SSO record is created.
    4. Click “Create app client”.
  3. Ensure that you have a domain set up (either a free Cognito domain or a Custom domain) under Branding > Domain.

Configuration Values

  1. Obtain configuration values for iMIS SSO from the following places:
    • Discovery Domain: In the user pool, go to Overview, then copy the Token signing key URL and paste it into the Discovery Domain field, then click “Discover…”
    • Authorization URL: Should be auto-populated from the discovery document. Or, manually enter the value https://<YOUR_DOMAIN>/oauth2/authorize
    • Token URL: Should be auto-populated from the discovery document. Or, manually enter the value https://<YOUR_DOMAIN>/oauth2/token
    • Userinfo URL: Should be auto-populated from the discovery document. Or, manually enter the value https://<YOUR_DOMAIN>/oauth2/userinfo
    • Issuer: Should be auto-populated from the discovery document. Or, to obtain the Issuer manually, use the Token signing key URL from before but remove this section from the end: /.well-known/jwks.json The URL is constructed from the following format: https://cognito-idp.<AWS_REGION_KEY>.amazonaws.com/<USER_POOL_ID>
    • Scopes: Enter this value exactly: openid profile email
    • Client ID: In Applications > App clients > Select the app client for iMIS SSO, then copy the Client ID value.
    • Client Secret: In Applications > App clients > Select the app client for iMIS SSO, then copy the Client secret value.
    • Enable PKCE: On
    • Enable Response Mode Form Post: Off
    • Enable Token Endpoint Basic Auth: Off
  2. Once saved, go back and edit the directory record, and copy the Return URL value.
  3. In Cognito, under Applications > App clients > Select the app client for iMIS SSO > Login pages, in the Managed login pages configuration box click Edit.
  4. Add the Redirect URL you copied to the Allowed callback URLs section, then click Save changes.

Claims Mapping

Map the following claims:

Field

Claim Name

Location

External ID

sub

Access Token

Username

email

ID Token

Email

email

ID Token

First Name

given_name

ID Token

Last Name

family_name

ID Token