Configuring Amazon Cognito as an IdP
Follow these steps to configure Amazon Cognito as an external identity provider (IdP) in the Illumio Console's Okta instance via OIDC protocol.
Go to the Amazon Cognito console (
https://console.aws.amazon.com/cognito/home). If prompted, enter your AWS credentials.Create a user pool by clicking Create user pool. You might need to select User Pools from the left navigation pane to reveal this option.
In Configure sign-in experience, under Cognito user pool sign-in options, select Email only, and click Next.
In Configure security requirements:
Under Multi-factor authentication, choose No MFA.
Under User account recovery:
Select Enable self-service account recovery.
Select Email only for Delivery method for user account recovery messages.
Click Next.
In Configure sign-up experience, determine how a new user verifies their identity when signing up.
Under Required attributes, confirm that email is specified, and from the Additional required attributes menu, select family_name (surname) and given_name (first name).
In Configure message delivery, choose the settings you prefer. Note the prerequisites for sending email with Amazon SES.
On Integrate your app:
Enter a name in user pool name.
Under Initial app client, confirm that App type is set to Public client.
Enter a name in App client name.
Under Client secret, you can choose whether you want to generate a client secret or not.
Expand Advanced app client settings, and under this section set up various client app authentication flows:
For Authentication flows, choose ALLOW_USER_SRP_AUTH.
Choose a session duration and the various token expirations as you wish.
Under the optional Advanced security configurations, we recommend Enable token revocation and Prevent user existence errors.
Click Next.
At Review and Create, review your user pool details, and when satisfied click Create user pool.