Single Sign-On (SSO) lets an organization authenticate users of its account through its own third-party identity provider, without creating separate credentials (usernames/passwords) on the platform.
This adds a layer of security to an organization's account.
The SAML 2.0 protocol is supported.
Only SP-initiated SSO is supported. IdP-initiated SSO is not supported.
In addition to the diagrams below, you can also reference the AWS Cognito documentation.
Custom SAML 2.0 Provider
Account administration (accountAdmin abac policy) allows an administrator to configure external SAML providers for login into the platform.
Navigate to Left Menu > Account > Auth Clients to see the currently configured Authentication Clients.
Example configuration for
This example is for an organization using a Shibboleth IdP.
- Callback URLs:
- Signout URLs:
- Metadata document URL:
- Email attribute mapping:
- Name attribute mapping:
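The following is an added example, not code from the platform or from AWS Cognito, that shows what the configuration fields above actually consume: it parses an IdP metadata document (the kind served at the "Metadata document URL") to pull the entityID, HTTP-Redirect SSO and Signout endpoints and the signing certificate; applies the email and name attribute mappings to an assertion; and enforces the "SP-initiated only" rule by accepting a SAMLResponse only when its InResponseTo matches an AuthnRequest this SP issued. The metadata and response XML are constructed sample data with a placeholder certificate, the attribute names are the standard `mail` and `displayName` OIDs chosen for illustration, and all function names are hypothetical. Signature verification, audience and time-window checks are deliberately outside this snippet and must be done by a real SP before any of these values are trusted.

```python
"""Added example (not from the original page): parse SAML 2.0 IdP metadata, apply the
configured email/name attribute mappings, and accept only SP-initiated responses.
Standard library only; every XML document below is constructed sample data."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Attribute mappings as an administrator would enter them (standard LDAP OIDs for mail/displayName).
EMAIL_ATTR = "urn:oid:0.9.2342.19200300.100.1.3"
NAME_ATTR = "urn:oid:2.16.840.1.113730.3.1.241"

# Constructed IdP metadata shaped like a Shibboleth IdP publication; the certificate is a placeholder.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAMLResponse answering AuthnRequest "_req42", carrying one assertion.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" InResponseTo="_req42">
  <saml:Assertion ID="_a1"><saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241">
      <saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""


def parse_idp_metadata(xml_text):
    """Return entityID, HTTP-Redirect SSO/SLO endpoints and signing certs from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def redirect_endpoint(tag):
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
                certs.append((cert.text or "").strip())
    return {"entity_id": root.get("entityID"),
            "sso_url": redirect_endpoint("SingleSignOnService"),
            "slo_url": redirect_endpoint("SingleLogoutService"),
            "signing_certs": certs}


def map_attributes(response_xml, email_attr, name_attr):
    """Apply the configured email/name mappings to the assertion; fail closed if either is absent."""
    root = ET.fromstring(response_xml)
    values = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        if val is not None and val.text:
            values[attr.get("Name")] = val.text.strip()
    missing = [a for a in (email_attr, name_attr) if a not in values]
    if missing:
        raise ValueError(f"assertion lacks mapped attribute(s): {missing}")
    return {"email": values[email_attr], "name": values[name_attr]}


def accept_sp_initiated(response_xml, outstanding_request_ids):
    """SP-initiated only: accept the response solely when InResponseTo names an AuthnRequest this
    SP issued and has not yet consumed. Unsolicited (IdP-initiated) responses are refused, and a
    consumed ID is removed so the same response cannot be replayed."""
    root = ET.fromstring(response_xml)
    req_id = root.get("InResponseTo")
    if not req_id or req_id not in outstanding_request_ids:
        return False
    outstanding_request_ids.discard(req_id)
    return True


if __name__ == "__main__":
    meta = parse_idp_metadata(IDP_METADATA)
    print("IdP entityID:", meta["entity_id"])
    print("Redirect to SSO endpoint:", meta["sso_url"])
    print("Signout endpoint:", meta["slo_url"])
    print("Solicited response:", accept_sp_initiated(SAML_RESPONSE, {"_req42"}))
    print("Mapped user:", map_attributes(SAML_RESPONSE, EMAIL_ATTR, NAME_ATTR))
```

The outstanding-request set stands in for whatever session-bound store the SP keeps of AuthnRequest IDs it has issued; keying it per browser session is what makes a stolen response from another session fail the check. `map_attributes` raises rather than defaulting when a mapped attribute is missing, which is the behaviour you want when the IdP's attribute release policy changes and the platform would otherwise create accounts without an email.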
Example user/browser flow
Example URLs and parameters, using Okta for the IdP: