AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-04-16 · Documentation low

File: cognito/latest/developerguide/cognito-user-pools-SAML-session-initiation.md

Summary

Updated headings from 'Using' to 'Implement' and added detailed IdP-initiated SAML authentication flow diagram/steps

Security assessment

Changes clarify implementation procedures but don't introduce or modify security-related content

Diff

diff --git a/cognito/latest/developerguide/cognito-user-pools-SAML-session-initiation.md b/cognito/latest/developerguide/cognito-user-pools-SAML-session-initiation.md
index 1cb24f27e..3b2f8617b 100644
--- a//cognito/latest/developerguide/cognito-user-pools-SAML-session-initiation.md
+++ b//cognito/latest/developerguide/cognito-user-pools-SAML-session-initiation.md
@@ -17 +17 @@ You can configure a SAML IdP in your user pool to support IdP-initiated SSO. Whe
-  * Using SP-initated SAML sign-in
+  * Implement SP-initated SAML sign-in
@@ -19 +19 @@ You can configure a SAML IdP in your user pool to support IdP-initiated SSO. Whe
-  * Using IdP-initiated SAML sign-in
+  * Implement IdP-initiated SAML sign-in
@@ -24 +24 @@ You can configure a SAML IdP in your user pool to support IdP-initiated SSO. Whe
-## Using SP-initated SAML sign-in
+## Implement SP-initated SAML sign-in
@@ -61 +61 @@ You can also choose the duration of refresh tokens. After a user's refresh token
-## Using IdP-initiated SAML sign-in
+## Implement IdP-initiated SAML sign-in
@@ -63 +63,24 @@ You can also choose the duration of refresh tokens. After a user's refresh token
-When you configure your identity provider for IdP-initiated SAML 2.0 sign-in, you can present SAML assertions to the `saml2/idpresponse` endpoint in your user pool domain without the need to initiate the session at the [Authorize endpoint](./authorization-endpoint.html). A user pool with this configuration accepts IdP-initiated SAML assertions from a user pool external identity provider that the requested app client supports. The following steps describe the overall process to configure and sign in with an IdP-initiated SAML 2.0 provider.
+When you configure your identity provider for IdP-initiated SAML 2.0 sign-in, you can present SAML assertions to the `saml2/idpresponse` endpoint in your user pool domain without the need to initiate the session at the [Authorize endpoint](./authorization-endpoint.html). A user pool with this configuration accepts IdP-initiated SAML assertions from a user pool external identity provider that the requested app client supports.
+
+![Authentication flow diagram of Amazon Cognito IdP-initiated SAML sign-in.](/images/cognito/latest/developerguide/images/scenario-authentication-saml-idpinit.png)
+
+  1. A user requests SAML sign-in with your application.
+
+  2. Your application invokes a browser or redirects the user to the sign-in page for their SAML provider.
+
+  3. The IdP authenticates the user interactively, or with a remembered session in a browser cookie.
+
+  4. The IdP redirects your user to your application with the SAML assertion, or response, in their POST body.
+
+  5. Your application adds the SAML assertion to the POST body of a request to your user pool `saml2/idpresponse` endpoint.
+
+  6. Amazon Cognito issues an authorization code to your user.
+
+  7. Your user presents their authorization code to your app, which exchanges the code for JSON web tokens (JWTs).
+
+  8. Your application accepts and processes your user's ID token as authentication, generates authorized requests to resources with their access token, and stores their refresh token.
+
+
+
+
+The following steps describe the overall process to configure and sign in with an IdP-initiated SAML 2.0 provider.