This article describes how to integrate AWS Amazon Cognito with RSA Cloud Access Service (CAS) using Relying Party.

Configure CAS

Perform these steps to configure CAS using Relying Party.

Procedure

1. Sign in to the RSA Cloud Administration Console.
2. Click Authentication Clients > Relying Parties.
   
3. On the My Relying Parties page, click Add a Relying Party.
4. On the Relying Party Catalog page, click Add for Service Provider SAML.
   
5. On the Basic Information page, enter the name for the application in the Name field.
6. Click Next Step.
   
7. On the Authentication page, select RSA manages all authentication.
8. In the 2.0 Access Policy for Authentication drop-down list, select a policy that was previously configured, and then select Next Step.
   
9. Under Data Input Method, choose Import Metadata.
10. Click Choose File and import the metadata downloaded from AWS Amazon Cognito to populate the ACS URL and Service Provider Entity ID.
    
11. Under the Message Protection section, choose IdP signs entire SAML response.
    
12. Scroll down to the User Identity section and select the following values:
    1. Identifier Type: unspecified
    2. Property: mail
       
       
13. Click Save and Finish.
14. Click Publish Changes and wait for the operation to be completed.
15. Under My Relying Parties, navigate to the newly created relying party.
16. In the Edit drop-down list, choose Metadata.
    

Configure AWS Amazon Cognito

Perform these steps to configure AWS Amazon Cognito Security Intelligence Platform (SIP).
Procedure 

1. Log in to the AWS Amazon Cognito tenant with an administrator account.
   
2.  In the left pane, navigate to Identity Pools and click Create Identity pool.
   
3. Under Configured Identity Pool trust, perform the following steps.
   1. Select the Authenticated access checkbox.
   2. Select the SAML checkbox and click Next.
      
4. Under Configure permissions, perform the following steps:
   1. In the IAM role section, choose Create a new IAM role. 
   2. In the IAM role name section, provide the IAM role name as shown in the following image.
      
5. In the Connect Identity Providers SAML section, click Create new provider.
   
6. In the Provider type section, choose SAML.
7. Click Choose file to import the metadata downloaded from CAS.
8. Click Add provider to create the SAML identity provider. 
   
9. In the Connect identity providers section, provide the following details:
10. In the SAML identity provider section, select the RSASSOCoginito identity.
11. In the Role Settings section, choose Use default authenticated role.
12. In the Claim mapping section, choose Inactive.
    
13. Under Configure properties, provide the Identity pool name as shown in the following image.
14. Select the Active basic flow (Basic authentication) checkbox and click Next to review and create the identity pool.
    
15. Review the identity pool and click Create identity pool to complete the identity pool creation.
    
16. In the Amazon Cognito console, under App clients, choose your user pool.
    
17. In the navigation pane, under Applications, choose App clients > My web app.
    
18. On the App clients and analytics page, navigate to the Login pages section.
19. Under the Managed login pages configuration section, choose Edit.
    
20. In the Identity providers drop-down list, select Cognito user pool.
    
21. In the OAuth 2.0 grant types section, select Implicit grant.
22. In the OpenID Connect scopes section, select Email and OpenID.
23. Click Save changes to complete the settings.
    

The configuration is complete.