Spring Boot SAML and AWS Cognito

Question

I have a working Cognito app client that utilizes user pool that is wired to use SAML. It accesses Azure AD as IdP. When I click "Launch Hosted UI" it properly redirects me to the login screen and upon authentication attempts to load my callback URL. Now I want to wire this with a Spring Boot app. I found this example developed by Joe Grandja that is using spring-security-saml2-service-provider to connect to a simple IdP.

The example is very compelling because all I really need to do is to provide correct configuration that in example provided like this:

spring:
  security:
    saml2:
      relyingparty:
        registration:
          simplesamlphp:
            signing.credentials:
              - private-key-location: "classpath:credentials/rp-private.key"
                certificate-location: "classpath:credentials/rp-certificate.crt"
            identityprovider:
              entity-id: https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php
              verification.credentials:
                - certificate-location: "classpath:credentials/idp-certificate.crt"
              sso-url: https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SSOService.php

However I'm lost at how to map information available to me from Cognito to these settings? For example values in signing.credentials?

Here's the list of settings I get from Cognito (all keys/names are bogus):

• Pool Id: us-west-2_1B1AHf00
• Pool ARN: arn:aws:cognito-idp:us-west-2:1234567898:userpool/us-west-2_1B1AHf00
• Domain: https://blah-foo.auth.us-west-2.amazoncognito.com
• App client: blahfoo-client
• App client ID: 1b1l1a2f8oo83456c
• Callback URL: http://localhost:8080
• Login URL: https://blah-foo.auth.us-west-2.amazoncognito.com/login?client_id=1b1l1a2f8oo83456c&response_type=code&scope=email+openid&redirect_uri=http://localhost:8080

I also have a SAML-formatted file I got back from IdP but that is already plugged into Cognito so why would I put anything from it into the app configuration?

I wonder if part of spring-security-saml2-service-provider is to assemble that login URL and if I can get away with less settings that are given in the example?

Any pointers will be greatly appreciated

Answer 1

I am posting the solution as a separate answer however credit and accepted answer go to @jzheaux

Basically the comment section provides the much needed hint: Even if you are wiring SAML-based Identity provider you will wire up Cognito using OAuth information given to you in the AWS console for User Pool

In my specific case the application.yaml then looks like this:

spring:
  security:
    oauth2:
      client:
        registration:
          cognito:
            client-id: 1ab2cd34efghi5jk6klmno7p8
            client-secret: *********
            scope: openid
            redirect-uri: http://localhost:8080/login/oauth2/code/cognito
            clientName: foobar-sandbox
        provider:
          cognito:
            issuerUri: https://cognito-idp.us-west-2.amazonaws.com/us-west-2_abCDeFGHI
            user-name-attribute: cognito:username

client-secret is found in General settings -> App clients -> Show Details

Answer 2

The signing.credentials section is if your app needs to sign things like an AuthnRequest. They are credentials that you own.

The items under identityprovider are things that Cognito would provide.

For Spring Boot 2.4+, if Cognito supports a SAML metadata endpoint, then you can provide that and Spring Security will discover the rest:

spring:
  security:
    saml2:
      relyingparty:
        registration:
          simplesamlphp:
            identityprovider:
              metadata-uri: classpath:cognito/metadata/file/location

Or, for earlier versions, you can use RelyingPartyRegistrations:

@Bean
RelyingPartyRegistrationRepository registrations() {
    String location = "classpath:cognito/metadata/file/location";
    RelyingPartyRegistration registration = 
        RelyingPartyRegistrations.fromMetadataLocation(location)
            .build();
    return new InMemoryRelyingPartyRegistration(registration);
}

That said, the information that you've posted about Cognito's authentication endpoint appears OAuth-based, especially the Login URL. You may instead consider configuring your app for OAuth 2.0 and pointing at Cognito's OAuth endpoint.