Amazon Cognito
Amazon Cognito provides SSO identity management for end users of web and mobile apps. You can integrate Amazon Cognito as an OIDC identity provider for Cloudflare Zero Trust.
- An Amazon Cognito user pool ↗
The following Amazon Cognito values are required to set up the integration:
- App (client) ID
- Client secret
- Auth URL
- Token URL
- Certificate (key) URL
To retrieve those values:
-
Log in to your Amazon Cognito admin portal.
-
Go to User pools and select your user pool.
-
Select the App integration tab.
-
Under Domain, copy your user pool domain or configure a new domain ↗.
-
Make note of the following Amazon Cognito OIDC endpoints ↗:
- Auth URL:
https://<your user pool domain>/oauth2/authorize
- Token URL:
https://<your user pool domain>/oauth2/token
- Certificate (key) URL:
https://cognito-idp.<region>.amazonaws.com/<your user pool ID>/.well-known/jwks.json
(This is the Token signing key URL shown in User pool overview.)
- Auth URL:
-
Under App client list, select Create app client.
-
For App type, select Confidential client.
-
Enter an App client name for your application.
-
Ensure that Generate a client secret is selected.
-
Configure the following Hosted UI settings:
-
In Allowed callback URLs, add the following URL:
You can find your team name in Zero Trust under Settings > Custom Pages.
-
Select Identity providers to use with this app client. At minimum, enable Cognito user pool as a provider.
-
For OAuth 2.0 grant types, select Authorization code grant.
-
For OpenID Connect scopes, select OpenID, Email, and Profile.
-
-
Select Create app client.
-
Next, select the app client you just created.
-
Copy its Client ID and Client secret.
-
In Zero Trust ↗, go to Settings > Authentication.
-
Under Login methods, select Add new.
-
Select OpenID Connect.
-
Name your identity provider and fill in the required fields with the information obtained from Amazon Cognito.
-
(Optional) Enable Proof of Key Exchange (PKCE) ↗ if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
-
(Optional) Under Optional configurations, enter custom OIDC claims that you wish to add to users' identity. This information will be available in the user identity endpoint.
-
Select Save.
To test that your connection is working, select Test.