AWS Cognito - create groups from ADFS as Cognito Groups


Problem description

An app is communicating via the OpenID Connect protocol with AWS Cognito, which in turn is connected to ADFS via SAML. Cognito is essentially "proxying" the ADFS server.

ADFS holds a group mapping that the app requires, and I would like to import these groups into Cognito as actual Cognito Groups, which the app would then read from the cognito:groups claim of the ID token Cognito provides.

In the AWS Cognito User Pool setup, I don't see a way to map ADFS groups to Cognito Groups. Must I rely on a custom attribute in my User Pool that I can map to the ADFS property, or am I missing some piece of configuration that allows Cognito to create new groups on the fly and automatically assign users to those groups in Cognito?

To clarify: is it possible to set up Cognito to add/create groups when importing users (not as a custom attribute, but as actual, manageable Cognito groups)?

Recommended answer

I had the same issue, and I have not found a static mapping option in Cognito either.

The only way I see is to map the AD groups to a custom:adgroups attribute in Cognito and set up a Cognito "Pre Token Generation" Lambda trigger. The Lambda reads the value of custom:adgroups and manually overrides the user's Cognito groups.

NB - this does not change the Cognito user's groups permanently, only for the current session, but from the application's perspective that's exactly what I needed.

Please see a dummy static (non-conditional) ADMIN group assignment example here:

import json


def lambda_handler(event, context):
    # Log the incoming Pre Token Generation event (useful while debugging the mapping)
    print(f'incoming event: {json.dumps(event)}')

    # Manual Cognito group override, applied only for hosted-UI (federated) sign-in
    if event['triggerSource'] == "TokenGeneration_HostedAuth":
        event['response'] = {
            "claimsOverrideDetails": {
                "groupOverrideDetails": {
                    "groupsToOverride": [
                        "ADMIN"
                    ]
                }
            }
        }

    return event

More detailed documentation here: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
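The answer's snippet assigns ADMIN unconditionally. The following is an added example (not the answerer's code and not an AWS sample) of the conditional version the answer describes: a Pre Token Generation Lambda that reads custom:adgroups and rewrites the cognito:groups claim. It assumes that the ADFS claim rule emits unqualified group names (e.g. "App-Admins") into a SAML attribute mapped to custom:adgroups, that Cognito stores a multi-valued SAML attribute as a bracketed, comma-separated string ("[a, b]"), and that the AD-to-Cognito mapping table is yours to fill in; the mapping table and the sample event are constructed for illustration.

```python
import json
import re
from typing import Any, Dict, List

# Hypothetical allow-list mapping AD group name -> Cognito group name.
# Only groups listed here ever reach the cognito:groups claim; anything else
# coming from ADFS is ignored, so an unexpected or mistyped AD group cannot
# grant the app a privilege it does not know about.
AD_GROUP_TO_COGNITO: Dict[str, str] = {
    "app-admins": "ADMIN",
    "app-readers": "READER",
}

# Trigger sources for which the groups claim is rewritten. Hosted-UI sign-in is
# the path a federated (ADFS) user takes; the refresh-token flow mints a new ID
# token too, so it is handled as well (otherwise groups would disappear after
# the first refresh).
HANDLED_TRIGGERS = {"TokenGeneration_HostedAuth", "TokenGeneration_RefreshTokens"}

_SPLIT_RE = re.compile(r"\s*,\s*")


def parse_adgroups(raw: Any) -> List[str]:
    """Split the custom:adgroups value into AD group names.

    Accepts Cognito's "[a, b, c]" rendering of a multi-valued SAML attribute
    (assumption) as well as a plain "a,b,c" string. Missing or non-string
    input yields an empty list.
    """
    if not isinstance(raw, str):
        return []
    value = raw.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [g for g in _SPLIT_RE.split(value) if g]


def cognito_groups_for(ad_groups: List[str]) -> List[str]:
    """Map AD groups onto Cognito groups through the allow-list (case-insensitive).

    The result is de-duplicated and sorted so that tokens are deterministic.
    """
    mapped = {AD_GROUP_TO_COGNITO[g.lower()] for g in ad_groups if g.lower() in AD_GROUP_TO_COGNITO}
    return sorted(mapped)


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Pre Token Generation handler (V1 event shape)."""
    if event.get("triggerSource") not in HANDLED_TRIGGERS:
        return event  # other flows: leave the token untouched

    attrs = event.get("request", {}).get("userAttributes", {})
    groups = cognito_groups_for(parse_adgroups(attrs.get("custom:adgroups")))

    # Always override, even with an empty list: a user with no (or no known)
    # AD groups must end up with no groups in the token, not with whatever the
    # pool might have assigned natively (fail closed).
    event["response"] = {
        "claimsOverrideDetails": {
            "groupOverrideDetails": {
                "groupsToOverride": groups
            }
        }
    }
    return event


def make_event(trigger_source: str, adgroups: Any) -> Dict[str, Any]:
    """Build a constructed (not captured) Pre Token Generation V1 event for
    local testing; only the fields the handler reads are filled in."""
    attrs: Dict[str, Any] = {
        "sub": "00000000-0000-0000-0000-000000000000",
        "email": "jdoe@corp.example",
    }
    if adgroups is not None:
        attrs["custom:adgroups"] = adgroups
    return {
        "version": "1",
        "triggerSource": trigger_source,
        "userPoolId": "us-east-1_EXAMPLE",
        "userName": "ADFS_jdoe@corp.example",
        "request": {
            "userAttributes": attrs,
            "groupConfiguration": {"groupsToOverride": [], "iamRolesToOverride": [], "preferredRole": None},
        },
        "response": {"claimsOverrideDetails": None},
    }


if __name__ == "__main__":
    sample = make_event("TokenGeneration_HostedAuth", "[App-Admins, App-Readers, Finance]")
    print(json.dumps(lambda_handler(sample)["response"], indent=2))
```

The allow-list is the security-relevant design choice: the attribute value comes from a SAML assertion that Cognito has already verified, but passing it through verbatim would let any group name that exists in AD (or any future ADFS claim-rule change) appear in cognito:groups, so the Lambda only emits names it recognises. As the answer notes, this rewrites the claim per token and does not create group memberships in the pool, so the pool's group management will still show the user in no groups.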
