I’m currently using Amazon Cognito within my application to let users authenticate via OIDC, and I want the same Cognito users (within the same user group) to be able to authenticate into JIRA Cloud with Cognito acting as my IdP. However, I’m running into issues setting this up. I know there’s a third-party tool called miniO, but I’d prefer not to use it.
First within Jira Cloud, I go to Admin -> Security -> 'Add an Identity Provider'. It asks for a number of details:
My assumption for the details is the following:
- Identity Provider Entity ID: This is my User Pool ARN, like (arn:aws:cognito-idp::xxxxxxxx:userpool/us--1_xxxxxxx)
- Identity Provider SSO URL: This is my User pool domain. Looks something like: https://Your user pool domain/saml2/idpresponse.
- Public x509 Cert: I can get this via the "Add sign-in with social providers" -> "View Signing Certificate".
All seems good so far.
My problem is that when I enable SSO for that Identity Provider in JIRA and try to log in, I get "Domain Does not Exist".
I do NOT have a custom domain within Cognito; the domain I am using for the SAML Endpoint is just the global domain user pool domain, which I have prefixed with my app pool and added on /saml2/idpresponse. It would seem this is not the correct way to do this.
It would seem I need to add a Cognito-based app domain; according to ChatGPT:
Under App Integrations, go to App integration → Domain name (the exact UI labels can vary, but you’re looking for the place to configure a domain), and then either choose an AWS‑provided domain such as my-domain.auth.us-east-1.amazoncognito or set up a custom domain, which requires a certificate in ACM and additional configuration.
I cannot find the ability to do this in the new UI. The only place I see the ability to add a domain is under "Branding" -> "Domain". When I click "Edit" all it lets me do is set the "branding". I can't seem to alter it.
A custom domain seems pretty extreme. Can I only do this through CLI? How do I add a domain or perhaps I can use the global domain for the auth? Any help would be greatly appreciated.
Asked Jan 29 at 18:55 by Kevin; edited Jan 31 at 16:52 by Maurice.
1 Answer
You're trying to configure Cognito as a SAML Identity Provider, which is not supported - Cognito can only act as an OIDC/OAuth2.0 IDP.
There's this question about it from a few years ago - unfortunately, the answer is still correct: SAML IdP - AWS Cognito/IAM as an Identity Provider.
The only SAML integration that Cognito has at the time of writing is that it can allow the users of the user pool to log in via SAML.