This article describes how to integrate AWS Amazon Cognito with RSA Cloud Access Service (CAS) using My page SSO.

Configure CAS

Perform these steps to configure CAS for My Page SSO.

Procedure

1. Sign in to the RSA Cloud Administration Console and browse to Applications > Application Catalog.
2. Click Create from Template, and then click Select next to SAML Direct.
   
3. On the Basic Information page, choose Cloud.
4. In the Name field, enter the name for the application and click Next Step.
   
5. On the Connection Profile page, navigate to the Initiate SAML Workflow section and choose IdP-initiated.
6. Under Data Input Method, choose Import Metadata.
7. Click Choose File and import the metadata file downloaded from AWS Amazon Cognito to populate the ACS URL and Service Provider Entity ID.
   
8. In the Message Protection section, choose IdP signs entire SAML response. 
9. Click Download Certificate.
   
10. Under the User Identity section, select the following values:
    1. Identifier Type: unspecified
    2. Property: mail
       
       
11. On the User Access page, choose the access policy you want to use to determine which users can access the application, and then click Next Step.
    
12. On the Portal Display page, configure the portal display and other settings.
13. Click Next Step.
    
14. On the Fulfillment page, configure your preferred settings or leave the Fulfillment toggle disabled, and then click Save and Finish.
15. Click Publish Changes and wait for the operation to be completed.
    After publishing, your application is now enabled for SSO. 
16. Navigate to the newly created application from Applications.
17. In the Edit drop-down list,  choose Export Metadata. This metadata will be used later in the AWS Amazon Cognito configuration.
    

Configure AWS Amazon Cognito

Perform these steps to configure AWS Amazon Cognito Security Intelligence Platform (SIP).
Procedure 

1. Log in to the AWS Amazon Cognito tenant with an administrator account.
   
2.  In the left pane, navigate to Identity Pools and click Create Identity pool.
   
3. Under Configured Identity Pool trust, perform the following steps.
   1. Select the Authenticated access checkbox.
   2. Select the SAML checkbox and click Next.
      
4. Under Configure permissions, perform the following steps:
   1. In the IAM role section, choose Create a new IAM role. 
   2. In the IAM role name section, provide the IAM role name as shown in the following image.
      
5. In the Connect Identity Providers SAML section, click Create new provider.
   
6. In the Provider type section, choose SAML.
7. Click Choose file to import the metadata downloaded from CAS.
8. Click Add provider to create the SAML identity provider. 
   
9. In the Connect identity providers section, provide the following details:
10. In the SAML identity provider section, select the RSASSOCoginito identity.
11. In the Role Settings section, choose Use default authenticated role.
12. In the Claim mapping section, choose Inactive.
    
13. Under Configure properties, provide the Identity pool name as shown in the following image.
14. Select the Active basic flow (Basic authentication) checkbox and click Next to review and create the identity pool.
    
15. Review the identity pool and click Create identity pool to complete the identity pool creation.
    
16. In the Amazon Cognito console, under App clients, choose your user pool.
    
17. In the navigation pane, under Applications, choose App clients > My web app.
    
18. On the App clients and analytics page, navigate to the Login pages section.
19. Under the Managed login pages configuration section, choose Edit.
    
20. In the Identity providers drop-down list, select Cognito user pool.
    
21. In the OAuth 2.0 grant types section, select Implicit grant.
22. In the OpenID Connect scopes section, select Email and OpenID.
23. Click Save changes to complete the settings.
    

The configuration is complete.