AWS cognito documentation change
Summary
Updated headings from 'Using' to 'Implement' and added detailed IdP-initiated SAML authentication flow diagram/steps
Security assessment
Changes clarify implementation procedures but don't introduce or modify security-related content
Diff
diff --git a/cognito/latest/developerguide/cognito-user-pools-SAML-session-initiation.md b/cognito/latest/developerguide/cognito-user-pools-SAML-session-initiation.md index 1cb24f27e..3b2f8617b 100644 --- a//cognito/latest/developerguide/cognito-user-pools-SAML-session-initiation.md +++ b//cognito/latest/developerguide/cognito-user-pools-SAML-session-initiation.md @@ -17 +17 @@ You can configure a SAML IdP in your user pool to support IdP-initiated SSO. Whe - * Using SP-initated SAML sign-in + * Implement SP-initated SAML sign-in @@ -19 +19 @@ You can configure a SAML IdP in your user pool to support IdP-initiated SSO. Whe - * Using IdP-initiated SAML sign-in + * Implement IdP-initiated SAML sign-in @@ -24 +24 @@ You can configure a SAML IdP in your user pool to support IdP-initiated SSO. Whe -## Using SP-initated SAML sign-in +## Implement SP-initated SAML sign-in @@ -61 +61 @@ You can also choose the duration of refresh tokens. After a user's refresh token -## Using IdP-initiated SAML sign-in +## Implement IdP-initiated SAML sign-in @@ -63 +63,24 @@ You can also choose the duration of refresh tokens. After a user's refresh token -When you configure your identity provider for IdP-initiated SAML 2.0 sign-in, you can present SAML assertions to the `saml2/idpresponse` endpoint in your user pool domain without the need to initiate the session at the [Authorize endpoint](./authorization-endpoint.html). A user pool with this configuration accepts IdP-initiated SAML assertions from a user pool external identity provider that the requested app client supports. The following steps describe the overall process to configure and sign in with an IdP-initiated SAML 2.0 provider. +When you configure your identity provider for IdP-initiated SAML 2.0 sign-in, you can present SAML assertions to the `saml2/idpresponse` endpoint in your user pool domain without the need to initiate the session at the [Authorize endpoint](./authorization-endpoint.html). A user pool with this configuration accepts IdP-initiated SAML assertions from a user pool external identity provider that the requested app client supports. + + + + 1. A user requests SAML sign-in with your application. + + 2. Your application invokes a browser or redirects the user to the sign-in page for their SAML provider. + + 3. The IdP authenticates the user interactively, or with a remembered session in a browser cookie. + + 4. The IdP redirects your user to your application with the SAML assertion, or response, in their POST body. + + 5. Your application adds the SAML assertion to the POST body of a request to your user pool `saml2/idpresponse` endpoint. + + 6. Amazon Cognito issues an authorization code to your user. + + 7. Your user presents their authorization code to your app, which exchanges the code for JSON web tokens (JWTs). + + 8. Your application accepts and processes your user's ID token as authentication, generates authorized requests to resources with their access token, and stores their refresh token. + + + + +The following steps describe the overall process to configure and sign in with an IdP-initiated SAML 2.0 provider.