AWS Security ChangesHomeSearch

AWS cognito medium security documentation change

Service: cognito · 2025-03-23 · Security-related medium

File: cognito/latest/developerguide/cognito-user-pools-saml-idp-things-to-know.md

Summary

Added metadata endpoint port requirements and certificate rotation guidance + updated domain URLs

Security assessment

New sections enforce secure metadata endpoint configurations (ports 80/443) and provide certificate rotation best practices to prevent authentication outages

Diff

diff --git a/cognito/latest/developerguide/cognito-user-pools-saml-idp-things-to-know.md b/cognito/latest/developerguide/cognito-user-pools-saml-idp-things-to-know.md
index 38427b51e..46af45738 100644
--- a/cognito/latest/developerguide/cognito-user-pools-saml-idp-things-to-know.md
+++ b/cognito/latest/developerguide/cognito-user-pools-saml-idp-things-to-know.md
@@ -44 +44 @@ Your SAML identity provider requires that you set an assertion consumer endpoint
-    https://mydomain.us-east-1.amazoncognito.com/saml2/idpresponse
+    https://mydomain.auth.us-east-1.amazoncognito.com/saml2/idpresponse
@@ -91 +91 @@ A `Format` in your IdP `NameID` claim of `urn:oasis:names:tc:SAML:1.1:nameid-for
-        <saml2p:Response Destination="https://mydomain.us-east-1.amazoncognito.com/saml2/idpresponse" ID="id123" InResponseTo="_dd0a3436-bc64-4679-a0c2-cb4454f04184" IssueInstant="Date-time stamp" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema">
+        <saml2p:Response Destination="https://mydomain.auth.us-east-1.amazoncognito.com/saml2/idpresponse" ID="id123" InResponseTo="_dd0a3436-bc64-4679-a0c2-cb4454f04184" IssueInstant="Date-time stamp" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema">
@@ -99 +99 @@ IdP-initiated SAML assertions must _not_ contain an `InResponseTo` value.
-        <saml2:SubjectConfirmationData InResponseTo="_dd0a3436-bc64-4679-a0c2-cb4454f04184" NotOnOrAfter="Date-time stamp" Recipient="https://mydomain.us-east-1.amazoncognito.com/saml2/idpresponse"/>
+        <saml2:SubjectConfirmationData InResponseTo="_dd0a3436-bc64-4679-a0c2-cb4454f04184" NotOnOrAfter="Date-time stamp" Recipient="https://mydomain.auth.us-east-1.amazoncognito.com/saml2/idpresponse"/>
@@ -146,0 +147,5 @@ If you see `InvalidParameterException` while creating a SAML IdP with an HTTPS m
+**Metadata endpoint must be on standard TCP port for HTTP or HTTPS**
+    
+
+Amazon Cognito only accepts metadata URLs for SAML providers on the standard TCP ports 80 for HTTP and 443 for HTTPS. Enter metadata URLs in the format ``http://www.example.com/saml2/metadata.xml`` or ``https://www.example.com/saml2/metadata.xml``. The Amazon Cognito console accepts metadata URLs only with the `https://` prefix. You can also configure IdP metadata with [CreateIdentityProvider](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateIdentityProvider.html) and [UpdateIdentityProvider](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateIdentityProvider.html).
+
@@ -156,0 +162,5 @@ The `/saml2/logout` endpoint accepts `LogoutResponse` as `HTTP POST` requests. U
+**Metadata Signing Certificate Rotation**
+    
+
+Amazon Cognito caches SAML metadata for up to six hours when you provide metadata with a URL. When performing any metadata signing certificate rotation, configure your metadata source to publish _both_ the original and new certificates for at least six hours. When Amazon Cognito refreshes the cache from the metadata URL, it treats each certificate as valid and your SAML IdP can start signing SAML assertions with the new certificate. After this period has elapsed, you can remove the original certificate from the published metadata.
+